46. [Fill in the blank] In server image 1, is mysql present in the boot-time startup items? Answer format: Yes/

```bash
systemctl is-enabled mysqld
```

```
[root@localhost ~]# systemctl status mysqld
● mysqld.service - LSB: start and stop MySQL
   Loaded: loaded (/etc/rc.d/init.d/mysqld; bad; vendor preset: disabled)
   Active: active (running) since 六 2023-11-25 14:49:52 CST; 2min 37s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1123 ExecStart=/etc/rc.d/init.d/mysqld start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/mysqld.service
           ├─1160 /bin/sh /www/server/mysql/bin/mysqld_safe --datadir=/www/server/data --pid-file=/www/server/data/lo...
           └─2119 /www/server/mysql/bin/mysqld --basedir=/www/server/mysql --datadir=/www/server/data --plugin-dir=/w...

11月 25 14:49:49 localhost.localdomain systemd[1]: Starting LSB: start and stop MySQL...
11月 25 14:49:52 localhost.localdomain mysqld[1123]: Starting MySQL... SUCCESS!
11月 25 14:49:52 localhost.localdomain systemd[1]: Started LSB: start and stop MySQL.
```

47. [Fill in the blank] What port is the 宝塔 (BT) panel bound to in server image 1? [Answer format: 123] (1.5 points)

```
[root@localhost ~]# bt 14
===============================================
正在执行(14)...
===============================================
curl: (28) Resolving timed out after 10525 milliseconds
==================================================================
BT-Panel default info!
==================================================================
外网面板地址: http://:8887/81d211bf
内网面板地址: http://192.168.1.136:8887/81d211bf
*以下仅为初始默认账户密码,若无法登录请执行bt命令重置账户/密码登录
username: 32zkmllh
password: b3a006c0
If you cannot access the panel,
release the following panel port [8887] in the security group
若无法访问面板,请检查防火墙/安全组是否有放行面板[8887]端口
==================================================================
```

8887

48. [Fill in the blank] In server image 1, what domain name is configured for the “京东金融” site in the Nginx configuration? [Answer format: abc] (1.5 points)

[screenshot]

49. [Fill in the blank] Analyse the back-end login password encryption logic in the source code of the “京东金融” site in server image 1. If the administrator username is test and the plaintext password is abc123456, what ciphertext results after encryption? Answer format: abc1231 (1.5 points)

Next, rebuild the site.

[screenshot]

Found the admin path; it lets you straight in.

[screenshot]

Connect to the database and take a look.

[screenshot]

(Opened the database: not a single column description, so this is definitely not a production-environment case, lol.)

[screenshot]

[screenshot]

So the encryption logic has to be found by hand.

First turn on the MySQL general log; there may be an unexpected payoff.

```
mysql -uroot -p

show variables like 'general_log';
show variables like 'general_log_file';

set global general_log = ON;
set global general_log_file='/tmp/general.log';

tail -f /tmp/general.log
```

Log in with admin/123:

```
[root@localhost ~]# tail -f /tmp/general.log
14 Query SELECT * FROM `order` WHERE ( `status` = 1 )
14 Query SHOW COLUMNS FROM `admin`
14 Query SELECT * FROM `admin` WHERE ( `username` = 'admin' ) AND ( `password` = '600c8dcd3988efbf5cf53b401436ef0f' ) LIMIT 1
14 Quit
231126 20:46:35 15 Connect root@localhost on jiedai
15 Query SET NAMES 'utf8'
15 Query SET sql_mode=''
15 Query SHOW COLUMNS FROM `order`
15 Query SELECT * FROM `order` WHERE ( `status` = 1 )
15 Quit
```

No need to hunt for the encryption function at all; the hash pops straight out.

Now with test/abc123456:

```
37 Query	SELECT * FROM `admin` WHERE ( `username` = 'test' ) AND ( `password` = '01cf1ab6a622d19427e8a95a21454ee7' ) LIMIT 1
```

01cf1ab6a622d19427e8a95a21454ee7

50. [Fill in the blank] What is the plaintext back-end password of administrator admin on the “京东金融” site in server image 1? Answer format: abc123

```
[root@localhost ~]# grep -oP 'password=\K[^&"]+' /www/wwwlogs/jiedai.com.log | sort | uniq
111111
112321321
123
123456
334712
33521231
3929812
453215
4532151
82612321
8989741531
abc123
abc123456
dgm070229
ptp6033499
```

Try them one by one: ptp6033499.

51. [Fill in the blank] What base version is recorded on the back-end home page of the “京东金融” site in server image 1? [Answer format: 123] (1.5 points)

Swap the hash of 123 into the database.

[screenshot]

Wrong IP, probably related to the allow column in the admin table.

[screenshot]

I replaced it with my own IP and it still failed, so I went looking for the encryption function instead.

Search for the error message:

```
[root@localhost jiedai]# find ./ -type f -iname '*.php' |xargs grep 'IP exception' 2>/dev/null
```

I was puzzled at this point, so I fuzzed around the login function a bit; I figured admin must appear in it somewhere.

```bash
find ./ -type f -iname '*.php' |xargs grep 'admin' 2>/dev/null
```

Tidying the results, the directory ./App/Lib/Action/Admin/ looks suspicious.

```
[root@localhost jiedai]# find ./ -type f -iname '*.php' |xargs grep 'admin' 2>/dev/null | grep './App/Lib/Action/Admin'
./App/Lib/Action/Admin/AdminAction.class.php: $Admin = D("admin");
./App/Lib/Action/Admin/AdminAction.class.php: $Admin = D("admin");
./App/Lib/Action/Admin/AdminAction.class.php: $Admin = D("admin");
./App/Lib/Action/Admin/AdminAction.class.php: $Admin = D("admin");
./App/Lib/Action/Admin/CommonAction.class.php: if(!session('admin_user') ){
./App/Lib/Action/Admin/CommonAction.class.php: session('admin_user',null);
./App/Lib/Action/Admin/CommonAction.class.php: session('admin_user',$name);
./App/Lib/Action/Admin/CommonAction.class.php: return session('admin_user');
./App/Lib/Action/Admin/CommonAction.class.php: return md5( C('cfg_adminkey').md5($pass).$str );
./App/Lib/Action/Admin/MainAction.class.php: $Admin_login = D("admin_login");
[root@localhost jiedai]# find ./ -type f -iname '*.php' |xargs grep 'login' 2>/dev/null | grep './App/Lib/Action/Admin'
./App/Lib/Action/Admin/AdminAction.class.php: $username = $this->getlogin();
./App/Lib/Action/Admin/AdminAction.class.php: $this->setlogin('');
./App/Lib/Action/Admin/AdminAction.class.php: $this->error('非法操作!',U(GROUP_NAME.'/Index/login'));
./App/Lib/Action/Admin/CommonAction.class.php: if(MODULE_NAME != "Index" && !$this->islogin()){
./App/Lib/Action/Admin/CommonAction.class.php: $this->redirect(GROUP_NAME.'/Index/login');
./App/Lib/Action/Admin/CommonAction.class.php: protected function islogin(){
./App/Lib/Action/Admin/CommonAction.class.php: protected function setlogin($name = ''){
./App/Lib/Action/Admin/CommonAction.class.php: protected function getlogin(){
./App/Lib/Action/Admin/MainAction.class.php: $Admin_login = D("admin_login");
./App/Lib/Action/Admin/MainAction.class.php: $loginData = $Admin_login->order('logintime Desc')->where(array('username' => $this->getlogin() ))->limit(4)->select();
./App/Lib/Action/Admin/MainAction.class.php: $this->loginData = $loginData;
./App/Lib/Action/Admin/IndexAction.class.php: if(!$this->islogin()){
./App/Lib/Action/Admin/IndexAction.class.php: $this->redirect(GROUP_NAME.'/Index/login');
./App/Lib/Action/Admin/IndexAction.class.php: public function login(){
./App/Lib/Action/Admin/IndexAction.class.php: $this->setlogin('');
./App/Lib/Action/Admin/IndexAction.class.php: $this->redirect(U(GROUP_NAME.'/Index/login'));
```

Just look at these few key PHP files.

```php
<?php
class IndexAction extends CommonAction {

    public function index(){
        if(!$this->islogin()){
            $this->redirect(GROUP_NAME.'/Index/login');
        }else{
            $this->redirect(GROUP_NAME.'/Main/index');
        }
    }

    public function login(){
        // the long base64 blob is omitted here; it decodes to the code in the next block
        eval(base64_decode("..."));
    }

    public function logout(){
        $this->title="注销登录";
        $this->setlogin('');
        $this->redirect(U(GROUP_NAME.'/Index/login'));
    }

}
```

```php
$this->title="login system";
if(IS_POST){
    $_validate = array(
        array('username','require','username is null!'),
        array('password','require','password is null!'),
    );
    $Admin = D("admin");
    // note: $validate is undefined here ($_validate was assigned above), so these rules are never applied
    $Admin-> setProperty("_validate",$validate);
    $result = $Admin->create();
    if(!$result){
        $this->error($Admin->getError());
    }
    $username = I('username','','trim');
    $password = I('password','','trim');
    // getpass() is the function found above: md5( C('cfg_adminkey').md5($pass).$str )
    $password = $this->getpass($password,$username);
    $tmp = $Admin->where(array('username' => $username,'password' => $password))
                 ->find();
    if($tmp){

        // only the single IP stored in the admin row's allow column may log in
        if($tmp['allow']!==$_SERVER['REMOTE_ADDR']){
            $this->error('Login IP exception!');
        }
        if($tmp['status']){
            // record this login
            $Admin_login = D("admin_login");
            $Admin_login->add(array(
                'username' => $username,
                'logintime' => time(),
                // get_client_ip() honours X-Forwarded-For, so this logged IP is client-supplied and not reliable evidence
                'loginip' => get_client_ip()
            ));
            // update login state
            $this->setlogin($username);
            $Admin->where(array('username' => $username))
                  ->save(array('lastlogin' => time() ));
            $this->success('Login successful!',U(GROUP_NAME.'/Main/index'));
        }else{
            $this->error('you dont have permission!');
        }
    }else{
        $this->error('Incorrect username or password!!');
    }
    exit;
}
$this->display();
```

Delete this IP check:

```php
if($tmp['allow']!==$_SERVER['REMOTE_ADDR']){
    $this->error('Login IP exception!');
}
```

[screenshot]

3.1.3
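Putting questions 49 to 51 together (the hash captured from the general log, the candidate list pulled from the access log, and the getpass() scheme found in CommonAction.class.php), here is an added Python example, not part of the original writeup, that automates the match. It assumes the second argument $str of getpass() is the username, uses a constructed placeholder for C('cfg_adminkey') (the real key is not on this page) and constructed log lines, so the hashes it checks are its own and not the ones shown above.

```python
import hashlib
import re

# Constructed sample Nginx access log: the form was submitted with query-string
# parameters, which is the only reason credentials ended up in the access log at all.
ACCESS_LOG = """\
10.0.0.5 - - [26/Nov/2023:20:46:35 +0800] "GET /Admin/Index/login?username=test&password=abc123456 HTTP/1.1" 200 512
10.0.0.5 - - [26/Nov/2023:20:47:01 +0800] "GET /Admin/Index/login?username=test&password=123456 HTTP/1.1" 200 512
"""

# Placeholder: the real C('cfg_adminkey') lives in the site's config and is not on this page.
ADMIN_KEY = "EXAMPLE_CFG_ADMINKEY"

def getpass(password, username, key=ADMIN_KEY):
    """Port of md5( C('cfg_adminkey').md5($pass).$str ); $str is assumed to be the username."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((key + inner + username).encode()).hexdigest()

def sample_general_log():
    # Constructed: what the general log shows after a test/abc123456 login attempt.
    digest = getpass("abc123456", "test")
    return ("14 Query SHOW COLUMNS FROM `admin`\n"
            "14 Query SELECT * FROM `admin` WHERE ( `username` = 'test' ) AND "
            f"( `password` = '{digest}' ) LIMIT 1\n"
            "14 Quit\n")

LOGIN_QUERY = re.compile(r"`username` = '([^']*)' \) AND \( `password` = '([0-9a-f]{32})'")
PASSWORD_PARAM = re.compile(r'password=([^&" ]+)')  # same extraction as the grep -oP above

def hashes_from_general_log(text):
    """(username, md5hex) pairs from the login SELECTs the application issued."""
    return [(m.group(1), m.group(2)) for m in LOGIN_QUERY.finditer(text)]

def candidates_from_access_log(text):
    """Distinct password values that leaked into the access log."""
    return sorted(set(PASSWORD_PARAM.findall(text)))

def recover(general_log, access_log, key=ADMIN_KEY):
    """Map each user whose hash was captured to the access-log candidate that reproduces it."""
    candidates = candidates_from_access_log(access_log)
    found = {}
    for user, digest in hashes_from_general_log(general_log):
        for cand in candidates:
            if getpass(cand, user, key) == digest:
                found[user] = cand
    return found

if __name__ == "__main__":
    print(recover(sample_general_log(), ACCESS_LOG))  # {'test': 'abc123456'}
```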

52. [Fill in the blank] What is the ID card number of user “17773716944” on the “京东金融” site in server image 1? Answer format: 230121199001011111

[screenshot]

I masked the ID card number in case the post fails review.

53. [Fill in the blank] What is the block order of the disk array in server image 2? Answer format: right-synchronous

火眼 solved it in seconds.

[screenshot]

RStudio

[screenshot]

[screenshot]

Both exports come out the same.

[screenshot]

54. [Fill in the blank] Combining server images 1 and 2, what database type does the “渣打集团” site use? Answer format: abc

mysql

55. [Fill in the blank] Combining server images 1 and 2, the front end of the “渣打集团” site has a domain-check redirect mechanism; which domain can be accessed normally? Answer format: WWw.baidu.com

www.zhada.com

Visiting it redirects to baidu.

```
[root@localhost xyz.com]# grep -rn "location.href" | grep "baidu.com"
index.php:14: echo "location.href='http://www.baidu.com'";
```

```php
<?php
// +----------------------------------------------------------------------
// | ThinkPHP [ WE CAN DO IT JUST THINK ]
// +----------------------------------------------------------------------
// | Copyright (c) 2006-2016 http://thinkphp.cn All rights reserved.
// +----------------------------------------------------------------------
// | Licensed ( http://www.apache.org/licenses/LICENSE-2.0 )
// +----------------------------------------------------------------------
// | Author: liu21st <[email protected]>
// +----------------------------------------------------------------------
// any Host header other than the expected domain is bounced to baidu via client-side JS
$hostname=$_SERVER['HTTP_HOST'];
if($hostname!="www.zhada.com"){
    echo "<script type='text/javascript'>";
    echo "location.href='http://www.baidu.com'";
    echo "</script>";
}

// [ application entry file ]
header("Content-type: text/html; charset=utf-8");
// start the session
session_start();
// define the application directory
define('APP_PATH', __DIR__ . '/application/');
// load the framework bootstrap file
require __DIR__ . '/thinkphp/start.php';
```

Redirects to a blank page in earlier cases all followed this same idea.

[screenshot]

The database isn't connecting; check the config file.

```php
<?php
// +----------------------------------------------------------------------
// | ThinkPHP [ WE CAN DO IT JUST THINK ]
// +----------------------------------------------------------------------
// | Copyright (c) 2006~2016 http://thinkphp.cn All rights reserved.
// +----------------------------------------------------------------------
// | Licensed ( http://www.apache.org/licenses/LICENSE-2.0 )
// +----------------------------------------------------------------------
// | Author: liu21st <[email protected]>
// +----------------------------------------------------------------------

return [
    // Database type
    'type'            => 'mysql',
    // Server address
    'hostname'        => '10.118.21.69',
    // Database name
    'database'        => 'xyz.cn',
    // Username
    'username'        => 'user1',
    // Password
    'password'        => 'Aa123456',
    // Port
    'hostport'        => '3306',
    // Connection DSN
    'dsn'             => '',
    // Database connection parameters
    'params'          => [],
    // Database charset, utf8 by default
    'charset'         => 'utf8',
    // Table prefix
    'prefix'          => 'wp_',
    // Database debug mode
    'debug'           => true,
    // Deployment mode: 0 centralised (single server), 1 distributed (master/slave servers)
    'deploy'          => 0,
    // Read/write separation; only meaningful in master/slave mode
    'rw_separate'     => false,
    // Number of master servers when reads and writes are separated
    'master_num'      => 1,
    // Index of the slave server to use
    'slave_no'        => '',
    // Strictly check that fields exist
    'fields_strict'   => true,
    // Result set return type
    'resultset_type'  => 'array',
    // Automatically write timestamp fields
    'auto_timestamp'  => false,
    // Default format for datetime fields when read
    'datetime_format' => 'Y-m-d H:i:s',
    // Whether to run SQL performance analysis
    'sql_explain'     => false,
    // Builder class
    'builder'         => '',
    // Query class
    'query'           => '\\think\\db\\Query',
];
```

Then I took a look at server 2.

```
[root@localhost ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.44 MySQL Community Server (GPL)

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.00 sec)

mysql> exit
Bye
[root@localhost ~]# docker ps
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES
```

Found podman (roughly the same as docker).

```
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                        COMMAND  CREATED      STATUS                  PORTS                   NAMES
ec89c7a0a325  docker.io/library/mysql:5.6  mysqld   3 weeks ago  Exited (0) 3 weeks ago  0.0.0.0:3306->3306/tcp  mysql
```

```
[root@localhost ~]# podman inspect ec | grep -i "password"
"MYSQL_ROOT_PASSWORD=tgl3306",
```

Why look for the password here? Because when a MySQL container is defined (Dockerfile/compose), the root password, SQL init files and so on can be set there, and all of that is visible through inspect.

But the login failed, so back to the honest approach: bypass the password.

Edit /etc/mysql/mysql.conf.d/mysqld.cnf and add a line under [mysqld]: skip-grant-tables

Restart the podman container.

```
[root@localhost ~]# podman restart ec
ec89c7a0a325c4f5b780a8014685206a48870700b62376aa4870b69f01e69657
[root@localhost ~]# podman exec -it ec mysql -uroot -p123
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.6.51-log MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| xyz.cn             |
+--------------------+
4 rows in set (0.00 sec)

mysql>
```

Got the target database; now connect to it from server 1.

[screenshot]

[screenshot]

Check the logs to find the admin back end.

[screenshot]

[screenshot]

The most basic password bypass; I couldn't be bothered to write it up.

56. [Fill in the blank] Combining server images 1 and 2, in the database of the “渣打集团” site, what does the value “1” of the “ustatus” field in the “wp_userinfo” table mean? [Answer format: normal/frozen] (1.5 points)

[screenshot]

57. [Fill in the blank] Combining server images 1 and 2, what is the USDT deposit address configured in the back end of the “渣打集团” site? Answer format: ABcd123

[screenshot]

58. [Fill in the blank] Combining server images 1 and 2, what is the identity recorded for the user with number 2829 in the customer list of the “渣打集团” back end? Answer format: skills competition (1.5 points)

[screenshot]

59. [Fill in the blank] Combining server images 1 and 2, what is the total order amount of user “陈浩” for “buy long (买涨)” positions on the “渣打集团” platform? (Answer format: 123) (2 points)

[screenshot]

60. [Fill in the blank] Combining server images 1 and 2, at what time did the suspect delete user “叶烽” on the “渣打集团” site? [Answer format: 2009/09/09 20:20:20] (2 points)

```bash
env LANG=C.UTF-8 bash   # otherwise text inside the container is garbled
ls /var/lib/mysql/
mysqlbinlog --base64-output=decode-rows -v /var/lib/mysql/mysql-bin.000001 > 1.txt
vi 1.txt
```

[screenshot]

[screenshot]
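To answer question 60 from the decoded binlog rather than by scrolling through 1.txt, here is an added Python example (not from the original writeup) that parses the text produced by mysqlbinlog --base64-output=decode-rows -v, keeps only Delete_rows events, and reports their timestamps in the requested format. The binlog excerpt is constructed for the example, so the user id, table layout and time in it are placeholders, not values from the case image.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape mysqlbinlog --base64-output=decode-rows -v prints (not from the case image).
BINLOG_TEXT = """\
#231127 19:50:02 server id 1  end_log_pos 580 CRC32 0x0a1b2c3d \tTable_map: `xyz.cn`.`wp_userinfo` mapped to number 109
#231127 19:50:02 server id 1  end_log_pos 660 CRC32 0x4e5f6a7b \tUpdate_rows: table id 109 flags: STMT_END_F
### UPDATE `xyz.cn`.`wp_userinfo`
### WHERE
###   @3=1
### SET
###   @3=0
#231127 19:53:41 server id 1  end_log_pos 700 CRC32 0x11223344 \tTable_map: `xyz.cn`.`wp_userinfo` mapped to number 109
#231127 19:53:41 server id 1  end_log_pos 780 CRC32 0x55667788 \tDelete_rows: table id 109 flags: STMT_END_F
### DELETE FROM `xyz.cn`.`wp_userinfo`
### WHERE
###   @1=2830
###   @2='叶烽'
###   @3=0
"""

EVENT_HEADER = re.compile(r"^#(\d{6}) +(\d{1,2}:\d{2}:\d{2}) server id \d+")
ROW_VALUE = re.compile(r"^###\s+@(\d+)=(.*)$")

def parse_deletes(text):
    """Every DELETE row event: event time (YYYY/MM/DD HH:MM:SS), table, and the deleted row's columns."""
    deletes, current, ts = [], None, None
    for line in text.splitlines():
        m = EVENT_HEADER.match(line)
        if m:  # each event header carries its own timestamp; the two-digit year is assumed to be 20xx
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%y%m%d %H:%M:%S").strftime("%Y/%m/%d %H:%M:%S")
            current = None
            continue
        if line.startswith("### DELETE FROM "):
            current = {"time": ts, "table": line[len("### DELETE FROM "):], "row": {}}
            deletes.append(current)
            continue
        v = ROW_VALUE.match(line)
        if v and current is not None:  # @n=value lines are the WHERE image of the deleted row
            current["row"][int(v.group(1))] = v.group(2).strip("'")
    return deletes

def find_deletion_of(text, value):
    """Time the row holding `value` (e.g. a user's name) was deleted, or None if no such DELETE exists."""
    for d in parse_deletes(text):
        if value in d["row"].values():
            return d["time"]
    return None
```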