awd competition notes

The main question types are WEB and PWN, with most languages being PHP, and a small amount of Java and Python. WEB mainly involves security vulnerabilities in some CMS and frameworks, such as injection, upload, and deserialization, relying more on known vulnerabilities.

Competition Process#

Generally, the competition separates the hardening phase and the attack phase, first unifying the hardening and then proceeding with the attack.

After the competition starts, the account is displayed.

The bugku platform, such as team1 with the password fe85d7dec6e3757f391e013efdd67c0c, and the port is 2222. The server is generally a Linux system, and login tools can use xSHELL, finalSHELL, etc.

The Token is mainly used as a script identity credential for automated submission verification. The virtual IP is the target machine's access URL. Other contestants' addresses are 192-168-x-250.pvp1923.bugku.cn, where x can be any number from 1 to 255.

Site Source Code Backup#

Source code backup can be done using Winscp or FileZilla, but the download may be relatively slow.

A faster method is to directly use tar to package.

The tar backup method is as follows:

cd /var/www/html
tar -zcvf ~/html.tar.gz *

Database Backup#

Sometimes there are flags in the database, so it is necessary to back up the database to avoid losing it.

First, find the configuration file and check the account password.

cd /var/www/html
find .|xargs grep "password"

Backup:

$ cd /var/lib/mysql #(Enter the MySQL library directory, adjust the directory according to your MySQL installation)
$ mysqldump -u root -p Test > Test.sql # Just enter the password.
$ mysqldump -u root -p --all-databases > ~/backup.sql  # Backup all databases
$ mysqldump -u root -p --all-databases --skip-lock-tables > ~/backup.sql  # Skip locked database tables

Database Password Modification#

Generally, the database password must be modified.

$ mysql -u root -p
show databases;
use mysql
set password for root@localhost = password('123');

Traffic Monitoring#

Traffic monitoring script. After someone attacks you, record the access information, URL, and use it to attack others.

<?php
$ip = $_SERVER["REMOTE_ADDR"];      // Record the visitor's IP
$filename = $_SERVER['PHP_SELF'];       // The filename the visitor wants to access
$parameter = $_SERVER["QUERY_STRING"];      // The parameters the visitor wants to request
$method = $_SERVER['REQUEST_METHOD'];       // Request method
$uri = $_SERVER['REQUEST_URI'];             // Request URI
$time = date('Y-m-d H:i:s',time());     // Access time
$post = file_get_contents("php://input",'r');       // Receive POST data
$others = '...other information you want...';
$logadd = 'Visit Time：'.$time.' '.'Visit IP：'.$ip."\r\n".'RequestURI：'.$uri.' '.$parameter.'RequestMethod：'.$method."\r\n";
// log record
$fh = fopen("/tmp/log.txt", "a+");
fwrite($fh, $logadd);
fwrite($fh, print_r($_COOKIE, true)."\r\n");
fwrite($fh, $post."\r\n");
fwrite($fh, $others."\r\n");
fclose($fh);
?>

This type of script is generally placed at the entry file of the CMS.

File Monitoring#

# -*- coding: utf-8 -*-#
# awd file monitoring script
import os
import json
import time
import hashlib


def ListDir(path):  # Get all files in the website

    for file in os.listdir(path):
        file_path = os.path.join(path, file)
        if os.path.isdir(file_path):
            if initialization['ok'] == 'false':
                dir_list.append(file_path)
            else:
                dir_list_tmp.append(file_path)
            ListDir(file_path)
        else:
            if initialization['ok'] == 'false':
                file_list.append(file_path)
            else:
                file_list_tmp.append(file_path)


def GetHash():  # Get hash, establish index
    for bak in file_list:
        with open(bak, 'rb') as f:
            md5obj = hashlib.md5()
            md5obj.update(f.read())
        hash = md5obj.hexdigest()
        bak_dict[bak] = hash
    if os.path.exists('/tmp/awd_web_hash.txt') == False:
        os.system('mkdir /tmp/awd_web_bak/')
        os.system('\\cp -a {0}* /tmp/awd_web_bak/'.format(web_dir))
        with open('/tmp/awd_web_hash.txt', 'w') as f:  # Record web file hash
            f.write(str(json.dumps(bak_dict)))
        for i in file_list:  # Record web file list
            with open('/tmp/awd_web_list.txt', 'a') as f:
                f.write(i + '\n')
        for i in dir_list:  # Record web directory list
            with open('/tmp/awd_web_dir.txt', 'a') as f:
                f.write(i + '\n')


def FileMonitor():  # File monitoring
    # Extract current web directory status
    initialization['ok'] = 'true'
    for file in os.listdir(web_dir):
        file_path = os.path.join(web_dir, file)
        if os.path.isdir(file_path):
            dir_list_tmp.append(file_path)
            ListDir(file_path)
        else:
            file_list_tmp.append(file_path)
    for file in file_list_tmp:
        with open(file, 'rb') as f:
            md5obj = hashlib.md5()
            md5obj.update(f.read())
        hash = md5obj.hexdigest()
        bak_dict_tmp[file] = hash
    with open('/tmp/awd_web_hash.txt', 'r') as f:  # Read the backup file hash
        real_bak_dict = json.loads(f.read())
    with open('/tmp/awd_web_list.txt', 'r') as f:  # Read the backup file list
        real_file_list = f.read().split('\n')[0:-1]
    with open('/tmp/awd_web_dir.txt', 'r') as f:  # Read the backup directory list
        real_dir_list = f.read().split('\n')[0:-1]

    for dir in real_dir_list:  # Restore web directory
        try:
            os.makedirs(dir)
            print("[del-recover]dir:{}".format(dir))
        except:
            pass

    for file in file_list_tmp:
        try:
            if real_bak_dict[file] != bak_dict_tmp[file]:  # Detect modified files, auto-recover
                os.system('\\cp {0} {1}'.format(file.replace(web_dir, '/tmp/awd_web_bak/'), file))
                print("[modify-recover]file:{}".format(file))
        except:  # Detect new files, auto-delete
            os.system('rm -rf {0}'.format(file))
            print("[delete]webshell:{0}".format(file))

    for real_file in real_file_list:  # Detect deleted files, auto-recover
        if real_file not in file_list_tmp:
            os.system('\\cp {0} {1}'.format(real_file.replace(web_dir, '/tmp/awd_web_bak/'), real_file))
            print("[del-recover]file:{0}".format(real_file))
    file_list_tmp[:] = []
    dir_list_tmp[:] = []


os.system("rm -rf /tmp/awd_web_hash.txt /tmp/awd_web_list.txt /tmp/awd_web_dir.txt /tmp/awd_web_bak/")
web_dir = "/var/www/"  # web directory, note to add a slash at the end
file_list = []
dir_list = []
bak_dict = {}
file_list_tmp = []
dir_list_tmp = []
bak_dict_tmp = {}
initialization = {'ok': 'false'}
ListDir(web_dir)
GetHash()
while True:
    print(time.ctime()+"   Safe")
    FileMonitor()
    time.sleep(1)  # Monitoring interval, modify as needed

Host Detection#

You can use nmap or httpscan (on your own host).

Local python scan:

import requests
for i in range(1, 255):
    try:
        url = 'http://192-168-1-{}.pvp2012.bugku.cn/'.format(i)
        response = requests.get(url,headers={'Connection':'close'})
        print(response)
        if response.status_code == 200:
            print(url)
        else:
            pass
    except requests.exceptions.RequestException as e:
        print(f"{url} is down. Error")

# http://192-168-1-100.pvp2012.bugku.cn/

Scan Vulnerabilities#

Download the CMS source code vulnerabilities from D 盾，or search for vulnerabilities online based on CMS information.

Install WAF#

If we want to add custom WAF scripts to the web directory files, we can actually solve it with one command, taking PHP as an example:

find /var/www/html -type f -path "*.php" | xargs sed -i "s/<?php/<?php require_once('\/tmp\/waf.php');/g"

find /var/www/html -type f -path "*.php" | xargs sed -i "s/<?php/<?php require_once('waf.php');/g"

Backdoor Removal#

Use commands to check for suspicious files:

find /var/www/html -name *.php -mmin -20 # Check files modified in the last 20 minutes
find ./ -name '*.php' | xargs wc -l | sort -u # Find files with the shortest line count
grep -r --include=*.php  '[^a-z]eval($_POST'  /var/www/html    # Check for PHP files containing keywords
find /var/www/html -type f -name "*.php" | xargs grep "eval(" |more

Fork Bomb#

:(){ :|:& };:

Input this into bash, recursively creating child processes, resulting in exhausting server resources, making the server unable to provide normal services.