Industry Competition, Data Security: Suspicious Log Analysis
Challenge description
While analysing part of the recent information-system logs, a data security engineer at a company found that a terminal host on the company's production-zone intranet may have been remotely controlled by an attacker, and that the attacker obtained key personal information of company employees from that host. You are asked to assist the engineer with the log analysis: identify the IP address of the controlled intranet host, and find the ID card number of "luodexin" among the leaked key personal information.
1. Find the IP address of the controlled intranet terminal host. Hash it with 32-character lowercase MD5; the submission format is flag{md5(xxxx)}. For example, if the analysis yields abc123, then md5('abc123') = e99a18c428cb38d5f260853678922e03 and the answer to submit is flag{e99a18c428cb38d5f260853678922e03}.
Log sample
10.112.16.10 - - [17/Nov/2023:03:44:21 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
10.112.16.160 - - [17/Nov/2023:03:44:24 +0000] "GET /?username=guest&password=123456 HTTP/1.1" 200 874 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
10.112.16.160 - - [17/Nov/2023:03:44:26 +0000] "GET /?username=guest&password=123 HTTP/1.1" 200 874 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
10.112.16.160 - - [17/Nov/2023:03:44:27 +0000] "GET /?username=guest&password=admin HTTP/1.1" 200 874 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
10.112.16.123 - - [17/Nov/2023:03:44:32 +0000] "GET /?username=lisi&password=admin HTTP/1.1" 200 875 "-" "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5"
10.112.16.123 - - [17/Nov/2023:03:44:33 +0000] "GET /?username=lisi&password=admin123 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5"
10.112.16.123 - - [17/Nov/2023:03:44:33 +0000] "GET /?username=lisi&password=123 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5"
10.112.16.123 - - [17/Nov/2023:03:44:34 +0000] "GET /?username=lisi&password=12345 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5"
10.112.16.123 - - [17/Nov/2023:03:44:42 +0000] "GET /?username=liaosu&password=admin888 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.123 - - [17/Nov/2023:03:44:44 +0000] "GET /?username=liaosu&password=admin HTTP/1.1" 200 875 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.123 - - [17/Nov/2023:03:44:56 +0000] "GET /?username=chuyulong&password=123 HTTP/1.1" 200 875 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser)"
10.112.16.123 - - [17/Nov/2023:03:44:57 +0000] "GET /?username=chuyulong&password=123456 HTTP/1.1" 200 875 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser)"
10.112.16.123 - - [17/Nov/2023:03:44:57 +0000] "GET /?username=chuyulong&password=12345 HTTP/1.1" 200 875 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser)"
10.112.16.28 - - [17/Nov/2023:03:45:10 +0000] "GET /?username=zhangsan&password=123 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/20.0.019; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/525 (KHTML, like Gecko) BrowserNG/7.1.18124"
10.112.16.28 - - [17/Nov/2023:03:45:11 +0000] "GET /?username=zhangsan&password=admin123 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/20.0.019; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/525 (KHTML, like Gecko) BrowserNG/7.1.18124"
10.112.16.102 - - [17/Nov/2023:03:45:15 +0000] "GET /?username=liumangxin&password=123 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.337 Mobile Safari/534.1+"
10.112.16.102 - - [17/Nov/2023:03:45:16 +0000] "GET /?username=liumangxin&password=123123 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.337 Mobile Safari/534.1+"
10.112.16.101 - - [17/Nov/2023:03:45:31 +0000] "-" 408 0 "-" "-"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),1,1))%3E79%23&password=1 HTTP/1.1" 200 862 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),1,1))%3E103%23&password=1 HTTP/1.1" 200 862 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),1,1))%3E115%23&password=1 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),1,1))%3E109%23&password=1 HTTP/1.1" 200 862 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),1,1))%3E112%23&password=1 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),1,1))%3E111%23&password=1 HTTP/1.1" 200 862 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),2,1))%3E79%23&password=1 HTTP/1.1" 200 862 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),2,1))%3E103%23&password=1 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),2,1))%3E91%23&password=1 HTTP/1.1" 200 862 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),2,1))%3E97%23&password=1 HTTP/1.1" 200 862 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),2,1))%3E100%23&password=1 HTTP/1.1" 200 862 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),2,1))%3E102%23&password=1 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),2,1))%3E101%23&password=1 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),3,1))%3E79%23&password=1 HTTP/1.1" 200 862 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),3,1))%3E103%23&password=1 HTTP/1.1" 200 862 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),3,1))%3E115%23&password=1 HTTP/1.1" 200 875 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
Knowledge points
Log analysis, attacker IP tracing
WP
It is obvious from the log that the IP 10.112.16.207 issued a large number of boolean-based blind SQL injection requests (username=1' or ascii(substr((database()),N,1))>X#, walking the database name one character at a time; the two distinct response sizes, 862 and 875, are the true/false oracle). The controlled intranet host is therefore 10.112.16.207. Computing its MD5 gives the flag: flag{dd84f61edcaac4ebe57644b540536299}
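The triage above can be automated. The following is an added example (not part of the original writeup): it parses Combined-Log-Format lines, URL-decodes each request path, classifies it as SQL-injection-like, a login attempt or other, counts the classes per source IP and returns the source with the most injection-like requests. The SAMPLE_LOG is a constructed subset of the challenge's log lines with shortened User-Agent strings; the regexes and thresholds are this example's own assumptions, not something the challenge defines.

```python
import hashlib
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample: a subset of the challenge's access-log lines (User-Agents shortened).
SAMPLE_LOG = """\
10.112.16.160 - - [17/Nov/2023:03:44:24 +0000] "GET /?username=guest&password=123456 HTTP/1.1" 200 874 "-" "Mozilla/5.0"
10.112.16.160 - - [17/Nov/2023:03:44:26 +0000] "GET /?username=guest&password=123 HTTP/1.1" 200 874 "-" "Mozilla/5.0"
10.112.16.123 - - [17/Nov/2023:03:44:32 +0000] "GET /?username=lisi&password=admin HTTP/1.1" 200 875 "-" "Mozilla/5.0"
10.112.16.101 - - [17/Nov/2023:03:45:31 +0000] "-" 408 0 "-" "-"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),1,1))%3E79%23&password=1 HTTP/1.1" 200 862 "-" "Mozilla/5.0"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),1,1))%3E115%23&password=1 HTTP/1.1" 200 875 "-" "Mozilla/5.0"
10.112.16.207 - - [17/Nov/2023:03:45:42 +0000] "GET /?username=1'%20or%20ascii(substr((database()),2,1))%3E79%23&password=1 HTTP/1.1" 200 862 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
# Assumed indicator of boolean-based blind SQLi: a quote, a boolean operator, then a probing function call.
SQLI_RE = re.compile(r"'\s*(or|and)\b.*\b(substr|ascii|database|sleep|benchmark)\s*\(", re.I)

def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, size = m.groups()
    parts = request.split()                      # "GET /path HTTP/1.1" or "-" on a 408
    path = unquote(parts[1]) if len(parts) >= 2 else ""
    return {"ip": ip, "time": ts, "path": path, "status": int(status),
            "size": int(size) if size != "-" else 0}

def classify(path):
    """Label a decoded request path: sqli, login (credential submission) or other."""
    if SQLI_RE.search(path):
        return "sqli"
    return "login" if "password=" in path else "other"

def per_ip_counts(log_text):
    """Count request classes per source IP over the whole log text."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[rec["ip"]][classify(rec["path"])] += 1
    return counts

def top_sqli_source(log_text):
    """Return (ip, count) for the source with the most SQLi-like requests, or None if none."""
    ranked = sorted(((c["sqli"], ip) for ip, c in per_ip_counts(log_text).items()), reverse=True)
    return None if not ranked or ranked[0][0] == 0 else (ranked[0][1], ranked[0][0])

def flag_for_ip(ip):
    """Format the submission the challenge asks for: flag{md5(ip)} in lowercase hex."""
    return "flag{" + hashlib.md5(ip.encode()).hexdigest() + "}"
```

Running it on the full challenge log instead of SAMPLE_LOG ranks 10.112.16.207 first by a wide margin; the login counts per IP also surface the password-guessing sources (10.112.16.123 and friends) as a secondary finding.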