闽盾杯溯源取证
任务四
任务四 第一题
要找出日志中总共有多少个不同的 IP
# 日志行形如：
2023-04-21 0:29:45 , ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.104.166 ,sport=50357, type=NULL da=192.168.80.1, dport=80, msg= /
"," 截断
# field 1 of each comma-separated log line: the timestamp
cut -d ',' -f 1 FwLog.txt
2023-04-22 8:05:03
2023-04-22 8:05:04
2023-04-22 8:05:04
2023-04-22 8:05:06
2023-04-22 8:05:06
# 取出了第一段（时间戳）
# field 2: "ver=... rule_name=... mod=... sa=..." — the source address lives here
cut -d ',' -f 2 FwLog.txt
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.138
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.138
# 取出了第二段（含 sa= 源地址）
# csdn -> kali -> cut命令
排序
# sort field 2 so identical lines become adjacent (uniq only merges neighbours)
cut -d ',' -f 2 FwLog.txt | sort
ver=0.3.0 rule_name=pf70 mod=pf sa=192.168.1.166
ver=0.3.0 rule_name=pf70 mod=pf sa=192.168.1.166
ver=0.3.0 rule_name=pf70 mod=pf sa=192.168.1.166
ver=0.3.0 rule_name=pf70 mod=pf sa=192.168.1.166
ver=0.3.0 rule_name=pf70 mod=pf sa=192.168.1.166
ver=0.3.0 rule_name=pf70 mod=pf sa=192.168.1.166
ver=0.3.0 rule_name=pf70 mod=pf sa=192.168.1.166
去除重复行（uniq 只合并相邻的重复行，所以要先 sort）
# one line per distinct field-2 value
cut -d ',' -f 2 FwLog.txt | sort | uniq
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.101.5
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.138
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.18
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.213
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.22
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.23
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.39
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.43
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.54
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.76
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.104.166
ver=0.3.0 rule_name=pf70 mod=pf sa=192.168.1.166
使用 uniq 的 -c 选项统计每个源地址出现的次数
# prefix each distinct field-2 value with its number of occurrences
cut -d ',' -f 2 FwLog.txt | sort | uniq -c
202 ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.22
62 ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.23
90 ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.39
146 ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.43
148 ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.54
660 ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56
96 ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.76
1542 ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.104.166
7050 ver=0.3.0 rule_name=pf70 mod=pf sa=192.168.1.166
用 grep 过滤出含 "sa" 的行
# keep only the distinct field-2 values that contain "sa" (the source-address key)
cut -d ',' -f 2 FwLog.txt | sort | uniq | grep sa
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.22
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.23
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.39
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.43
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.54
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.76
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.104.166
ver=0.3.0 rule_name=pf70 mod=pf sa=192.168.1.166
用 wc -l 计数（注意：这只是去重后仍含 "sa" 的第二段的行数，只有当同一 IP 在第二段里的写法完全一致时，它才等于不同 IP 的个数）
# number of distinct field-2 values containing "sa"; grep -c counts matching
# lines exactly like "| grep sa | wc -l" did. NOTE(review): this equals the
# number of distinct IPs only if every IP is written identically in field 2.
cut -d ',' -f 2 FwLog.txt | sort | uniq | grep -c sa
└─# cat FwLog.txt | cut -d "," -f 2 | sort | uniq | grep "sa" | wc -l
39
flag:39
任务四 第二题
找出对服务器进行大量扫描的 IP。日志中可见大量形如下面的路径探测请求：
dport=80 msg=/datho.php
dport=80 msg=/dating2.php
dport=80 msg=/davida.php
dport=80 msg=/davina.php
dport=80 msg=/daxiaoren.php
# 2023-04-21 6:49:04 , ver=0.3.0 rule_name=pf70 mod=pf sa=192.168.1.166 , sport=57195, type=NULL da=192.168.80.1 , dport=80 msg=/ddtt.php
flag:192.168.1.166
抓取看看扫描 "sa=192.168.1.166"
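# all log lines whose source address is 192.168.1.166.
# -F makes the dots literal: in a regex "." matches any character, so the
# unanchored pattern would also accept e.g. "192x168x1x166".
grep -F 'sa=192.168.1.166' FwLog.txt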
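# requested paths of the scanning host: field 5 is "dport=80 msg=/..." for
# lines laid out like "... , dport=80 msg=/ddtt.php". NOTE(review): lines that
# put a comma between dport and msg ("dport=80, msg= /") carry the path in
# field 6 instead, so this cut is tied to the scanner's line format.
# -F: match the IP literally (dots are regex wildcards otherwise).
grep -F 'sa=192.168.1.166' FwLog.txt | cut -d ',' -f 5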
dport=80 msg=/dy_shop_LoadShopPic1.php
dport=80 msg=/dynobjctrl.php
dport=80 msg=/dz6.php
dport=80 msg=/E_shop.php
dport=80 msg=/eAdmin.php
dport=80 msg=/eamon.php
dport=80 msg=/early.php
dport=80 msg=/easter.php
dport=80 msg=/eat_order_all.php
dport=80 msg=/eat_online.php
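# number of log lines from 192.168.1.166; the cut in the original pipeline did
# not change the line count, so grep -c gives the same number (7050 here).
# -F: match the IP literally (dots are regex wildcards otherwise).
grep -Fc 'sa=192.168.1.166' FwLog.txt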
┌──(root㉿kali)-[~/SY_project/MDB_3]
└─# cat FwLog.txt | grep "sa=192.168.1.166" | cut -d "," -f 5 | wc -l
7050
# 该地址的日志记录共 7050 条，即扫描了 7050 次
任务四 第三题
找出以暴力破解方式登录服务器的 IP
# 找出关键特征：登录失败时 URL 里带的参数
loginFailed=1&error=user_password_incorrect
用 grep 抓取所有登录失败的行
# every failed-login line (the login page redirect carries this query string)
grep 'loginFailed=1&error=user_password_incorrect' FwLog.txt
2023-04-22 7:40:37 , ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56 ,sport=58442, type=NULL da=192.168.80.1, dport=80, msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
2023-04-22 7:40:40 , ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56 ,sport=58442, type=NULL da=192.168.80.1, dport=80, msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
2023-04-22 7:40:42 , ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56 ,sport=58442, type=NULL da=192.168.80.1, dport=80, msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
2023-04-22 7:40:58 , ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56 ,sport=58442, type=NULL da=192.168.80.1, dport=80, msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
2023-04-22 7:45:52 , ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56 ,sport=58527, type=NULL da=192.168.80.1, dport=80, msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
用 cut 截断，取出第 2、6 段（源地址和 msg）。注意有的行逗号数量不同，例如下面第一行只输出了第 2 段
# source address (field 2) plus the msg field (field 6) of each failed login.
# NOTE(review): a line with fewer commas prints only field 2, as seen in the output.
grep 'loginFailed=1&error=user_password_incorrect' FwLog.txt | cut -d ',' -f 2,6
ver=0.3.0 rule_name=pf70 mod=pf sa=192.168.1.166
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.101.200 , msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.101.200 , msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.101.156 , msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.101.156 , msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.101.156 , msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56 , msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56 , msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56 , msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56 , msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56 , msg= /webfire/portal/sp/login.php?loginFailed=1&error=user_password_incorrect
只取第 2 段，再按 "=" 切分取出第 5 段，即 sa= 后面的 IP
# field 2 ("ver=... rule_name=... mod=... sa=<ip>") of each failed-login line
grep 'loginFailed=1&error=user_password_incorrect' FwLog.txt | cut -d ',' -f 2
# bare source IP of each failed login: field 2 has exactly four "=" before the
# address (ver=, rule_name=, mod=, sa=), so the 5th "="-separated piece is the IP
grep 'loginFailed=1&error=user_password_incorrect' FwLog.txt | cut -d ',' -f 2 | cut -d= -f5
# 取出第二段（含 sa= 源地址）
# cat FwLog.txt | grep "loginFailed=1&error=user_password_incorrect" | cut -d "," -f 2
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.101.200
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.101.200
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.101.156
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.101.156
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.101.156
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56
ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.102.56
# 再按 "=" 分割取出第五部分，即 sa= 后面的 IP
# cat FwLog.txt | grep "loginFailed=1&error=user_password_incorrect" | cut -d "," -f 2 | cut -d "=" -f 5
172.20.104.166
172.20.104.166
172.20.101.111
192.168.1.166
172.20.101.200
172.20.101.200
172.20.101.156
172.20.101.156
172.20.101.156
172.20.102.56
172.20.102.56
172.20.102.56
172.20.102.56
172.20.102.56
172.20.104.166
172.20.104.166
172.20.101.111
192.168.1.166
172.20.101.200
172.20.101.200
172.20.101.156
172.20.101.156
172.20.101.156
172.20.102.56
172.20.102.56
172.20.102.56
172.20.102.56
172.20.102.56
计数：登录失败的记录共 28 条
# total failed logins; the two cuts never change the line count, so
# grep -c yields the same number as "| wc -l" (28 here)
grep -c 'loginFailed=1&error=user_password_incorrect' FwLog.txt
└─# cat FwLog.txt | grep "loginFailed=1&error=user_password_incorrect" | cut -d "," -f 2 | cut -d "=" -f 5 | wc -l
28
import re
from collections import Counter
from re import *

from pwn import *  # third-party; not needed for the IP-counting script below
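# Same loose pattern as the original: any four dot-joined digit runs. It is
# kept unchanged so matching stays identical (a stricter \d{1,3} form would
# reject nothing in the page's data but is not what the flag was computed with).
IP_PATTERN = re.compile(r"\d+\.\d+\.\d+\.\d+")


def count_ips(path="123.txt", encoding="utf-8"):
    """Count, per IPv4-looking address, how many lines of *path* carry it.

    One address is taken per line: the first IP_PATTERN match. For the
    firewall log lines on this page that is the ``sa=`` source address
    (``ver=0.3.0`` has only three components and does not match). Lines with
    no match — blank lines, headers — are skipped; the original script raised
    AttributeError on ``None.group`` there.

    Args:
        path: file to read (the original hard-coded ``123.txt``).
        encoding: text encoding used to open the file.

    Returns:
        dict {ip: occurrences}, keyed in first-seen order — the same shape and
        order the hand-rolled dict loop printed.
    """
    counts = Counter()
    with open(path, encoding=encoding) as fh:
        for line in fh:
            match = IP_PATTERN.search(line)
            if match is None:
                continue
            counts[match.group(0)] += 1
    # plain dict so print() shows {'ip': n, ...} rather than Counter({...})
    return dict(counts)


if __name__ == "__main__":
    # e.g. {'172.20.104.166': 4, '172.20.101.111': 2, '192.168.1.166': 2, '172.20.101.200': 4, '172.20.101.156': 6, '172.20.102.56': 10}
    print(count_ips())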
flag:10_6_4_4_2_2（即各 IP 的登录失败次数按从大到小排列）
任务四 第四题
找出 SSRF 的 IP：搜索 "http://" 即可，得到 192.168.80.1。注意下面日志里 da=192.168.80.1 是被请求的服务器，而 query= 参数里带的 http://192.168.80.100 才是 SSRF 的目标地址（见下面的 flag）
抓取含 "http://" 的行
# SSRF candidates: lines whose request parameter carries a full URL
grep 'http://' FwLog.txt
└─# cat FwLog.txt | grep "http://"
2023-04-22 7:57:38 , ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.101.243 ,sport=59393, type=NULL da=192.168.80.1, dport=80, msg= /transpage.php?query=http://192.168.80.100/s?wd=ip&source=url&ie=utf8&from=auto&to=zh&render=1
2023-04-22 7:57:38 , ver=0.3.0 rule_name=pf70 mod=pf sa=172.20.101.243 ,sport=59393, type=NULL da=192.168.80.1, dport=80, msg= //transpage.php?query=http://192.168.80.100/s?=EditView&return_module=Employees&return_action=DetailView
flag:192.168.80.100