# Question 1
The logs are nginx logs; I searched them with LogParser.
Submit the time at which the attacker first succeeded, in the format flag {YY:MM:DD hh:mm:ss}
```text
C:\Users\Administrator\Desktop\LogParser>LogParser.exe -i:NCSA -q:ON "SELECT DateTime,Request FROM access.log WHERE StatusCode=200 AND Request LIKE '%welcome%'"
[29/Apr/2023:14:45:23 +0000] GET /manage/welcome.php HTTP/1.1
```
flag: flag{2023:04:29 22:45:23} (the log records the time as 14:45:23 +0000; the flag is the same instant in UTC+8)
# Question 2
Submit the attacker's browser version, in the format flag {Firefox/2200}
```text
C:\Users\Administrator\Desktop\LogParser>LogParser.exe -i:NCSA -q:ON "SELECT User-Agent FROM access.log WHERE StatusCode=200 AND Request LIKE '%welcome%'"
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
```
flag: flag{Firefox/110.0}
# Question 3
Submit the name of the tool the attacker used for directory scanning
```text
C:\Users\Administrator\Desktop\LogParser>LogParser.exe -i:NCSA -q:ON "SELECT DISTINCT User-Agent FROM access.log"
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Fuzz Faster U Fool v1.5.0-
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
Opera/9.80 (Windows NT 6.1; U; zh-cn) Presto/2.7.62 Version/11.01
Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (Windows; U; Windows NT 6.1; cs-CZ) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27
Mozilla/5.0 (Windows NT 6.2; rv:22.0) Gecko/20130405 Firefox/23.0
Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
Mozilla/5.0 (Windows; U; Windows NT 6.1; ko-KR) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27
Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:113.0esr) Gecko/20110101 Firefox/113.0esr/wb7yEfvqZUO0-40
```
flag: flag{Fuzz Faster U Fool}
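As an added example that is not part of the original writeup, the three LogParser queries from Questions 1 to 3 re-implemented in Python over a few constructed nginx combined-format lines: the line parser, the first-success lookup with the UTC to UTC+8 conversion the flag implies, the distinct User-Agent listing, and a defender's check that flags User-Agents whose requests were mostly 4xx. The sample lines, the +8 offset and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in nginx "combined" (NCSA) format; not the challenge's access.log.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Apr/2023:14:40:01 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v1.5.0"
10.0.0.5 - - [29/Apr/2023:14:40:02 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v1.5.0"
10.0.0.5 - - [29/Apr/2023:14:44:50 +0000] "POST /manage/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0"
10.0.0.5 - - [29/Apr/2023:14:45:23 +0000] "GET /manage/welcome.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0"
10.0.0.5 - - [29/Apr/2023:14:46:00 +0000] "GET /manage/welcome.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0"
"""

# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_ncsa(text):
    """Return one dict per well-formed line; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
            records.append(rec)
    return records

def first_success(records, marker="welcome", tz_offset_hours=8):
    """Questions 1/2: earliest 200 whose request contains `marker`, as (local time, User-Agent); +0000 in the log, UTC+8 (assumed) in the flag."""
    hits = [r for r in records if r["status"] == 200 and marker in r["request"]]
    if not hits:
        return None
    first = min(hits, key=lambda r: r["time"])  # explicit ordering; do not rely on file order
    local = first["time"].astimezone(timezone(timedelta(hours=tz_offset_hours)))
    return local.strftime("%Y:%m:%d %H:%M:%S"), first["ua"]

def distinct_user_agents(records):
    """Question 3: equivalent of SELECT DISTINCT User-Agent; a scanner's default UA stands out here."""
    return sorted({r["ua"] for r in records})

def error_heavy_user_agents(records, min_requests=2):
    """Defender's check: UAs whose requests were mostly 4xx, the usual footprint of directory brute-forcing."""
    stats = {}
    for r in records:
        total, errs = stats.get(r["ua"], (0, 0))
        stats[r["ua"]] = (total + 1, errs + (400 <= r["status"] < 500))
    return [ua for ua, (t, e) in stats.items() if t >= min_requests and e / t >= 0.8]
```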
# Question 4
Find the malicious backdoor file the attacker wrote and submit its file name (full path)
flag: flag{C:\phpstudy_pro\WWW\.x.php}
# Question 5
Find the malicious code the attacker hid inside the normal web application code and submit that file name (full path)
Found by looking at the most recent modification dates.
flag: flag{C:\phpstudy_pro\WWW\usr\themes\default\post.php}
# Question 6
Identify the auto-start method used by the suspicious process and the name of the script it launches, in the format flag {1.exe}
There is a process called 360?
Went straight to the process's program directory and found the .bat script that launches it.
Auto-start via the local Group Policy.
flag: flag{x.bat}