流量分析&日志查看

一·流量分析

buuctf wireshark

从题目出发,既然是上传登录信息,就直接过滤post请求,即搜索 http.request.method==POST,因为上传用户登录信息使用的一定是http里的post方法

模式过滤

http.request.method == "GET"

http.request.method == "POST"

http.request.uri == "/img/logo-edu.gif"

http contains "GET"

http contains "HTTP/1."

// GET包

http.request.method == "GET" && http contains "Host: "

http.request.method == "GET" && http contains "User-Agent: "

// POST包

http.request.method == "POST" && http contains "Host: "

http.request.method == "POST" && http contains "User-Agent: "

// 响应包

http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "

http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "

一定包含如下

Content-Type:

(注意大小写,wireshark是要识别大小写的)

将这个post包导出

在最后一行即可得到密码 ,将其包装为flag,此题结束。

数据包中的线索

打开流量包,根据题目的提示筛选出http包

由开头"9j",可知为jpg图片

"9j"经base64解码后结果为"\xff \xd8 \xff",该三字节为jpg文件的开头三字节,所以可推断出以下文件为jpg文件

将下面的base64编码进行解码,得到一张图片

得到flag,此题结束

流量分析的基本规则:

压缩包流量

flag放在压缩包中。zip、7z、rar、tar.gz里

解法:

1.直接找到流量数据:右键->显示分组字节->去掉标志位(菜刀是前三位)->左下角有个解码为->解码为压缩包

2.导出压缩包:右键->显示分组字节->左下角有个显示为->改为原始数据->save as->1.zip

3.直接导出压缩包:右键->导出分子字节流->1.zip

4.在追踪流中导出压缩包:右键追踪流->左下角选择返回包->显示原始数据->save as->1.zip

蓝牙协议

1.直接查找flag

2.统计->协议分级->找到OBEX协议(蓝牙中的传输文件协议)->直接搜索obex->找到传输的文件->导出分组字节流

PIN码在分组详情中搜索。

键盘流量脚本

# -*- coding: cp936 -*-
import os
os.system("tshark -r test.pcapng -T fields -e usb.capdata > usbdata.txt")
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}


nums = []
keys = open('usbdata.txt')
for line in keys:
    #print(line)
    if len(line)!=17: #首先过滤掉鼠标等其他设备的USB流量
         continue
    nums.append(line[0:2]+line[4:6]) #取一、三字节
    #print(nums)
keys.close()
output = ""
for n in nums:
    if n[2:4] == "00" :
        continue

    if n[2:4] in normalKeys:
        if n[0:2]=="02": #表示按下了shift
            output += shiftKeys [n[2:4]]
        else :
            output += normalKeys [n[2:4]]
    else:
        output += '[unknown]'
print('output :' + output)

ssl流量

导入密钥

编辑->首选项->Protocols->TLS->导入log文件

查找http流量

导出分组字节

二·日志分析

web日志分析

1.sql注入

报错注入(常见报错注入函数)

floor()

extractvalue()

updatexml0

geometrycollection()

multipoint()

polygon()

multipolygon()

linestring()

multilinestring()

exp()

关键词:union、order by、floor()等

2.数据库类型判断

■ACCESS

and (select count(*)from sysobjects)>0返回异常 and(select count(*)from msysobjects)>0返回异常

■SQLSERVER

and (select count(*)from sysobjects)>0返回正常 and (select count (*) from msysobjects)>0返回异常 and left(version0,1)=5%23参数5也可能是4

■MYSQL

id=2 and version()>0返回正常 id=2 and length(user0)>0返回正常

id=2 CHAR(97, 110,100,32,49,61,49)返回正常 Oracle

and length (select user from dual)>0返回正常

二。访问频率

系统日志分析

例题:

[闽盾杯 2021]日志分析

首先打开文件搜索password字段

我们可以看到这是一个sqlmap的日志。其一次取出password一位,判断其ascii码值的大小关系,判断正确返回的长度为678,错误返回长度675,这样我们就可以根据每一位的返回结果判断具体的ascii值。

先将其整理为正常语句

然后对678进行查找,标记出正确判断

之后对数字进行统计,并分别得出每一位的ascii编码

以此类推,最终结果为:110,103,106,102,100,115,85,98,100,75

得到flag

NSSCTF{ngjfdsUbdK}

此题结束

[陇剑杯 2021]简单日志分析(问1)

由提示可知,要分析黑客的攻击参数。

首先我们要先排除404的请求,因为404表示请求不存在

将404标记后我们可以发现有三行没有被标记,于是我们将这3行单独拿出来

这样我们就可以得到黑客的攻击参数为user,

打包flag

NSSCTF{user}

此题结束

相关推荐
Clockwiseee1 小时前
RCE常见姿势
安全·web安全·网络安全
网络安全(king)4 小时前
网络安全攻防学习平台 - 基础关
网络·学习·web安全
Hacker_Nightrain5 小时前
网络安全与加密
安全·web安全
网安墨雨7 小时前
浅谈TARA在汽车网络安全中的关键角色
网络·web安全·汽车
网安-轩逸7 小时前
汽车网络安全渗透测试
安全·web安全·汽车
学习溢出8 小时前
【网络安全】John the Ripper 散列密码,PDF密码
安全·网络安全·pdf·哈希算法
黑客Jack8 小时前
什么是网络安全审计?
网络·安全·web安全
hking1119 小时前
upload-labs关卡记录5
web安全·php
为几何欢9 小时前
【hackmymv】emma靶机wp
安全·网络安全·渗透·hackmyvm·hmv
网络安全queen9 小时前
【D03】SNMP、NETBIOS和SSH
运维·网络·web安全·ssh