近期收到了电子工业出版社赠送的一本黑客书籍《python黑帽子》,看了一下翻译,令人吃惊,竟然是资深知乎网友,安全大神林修乐(
@Gh0u1L5
,腾讯玄武实验室安全研究员)。接下来的时光里,准备做一下里面的实验,跟进大神的成长步伐。书中一共24个实验,今天复现第一个实验(取代netcat),我的测试环境是mbp电脑+kali虚拟机+conda开发环境。
netcat 一直是老师们口中的瑞士军刀,小巧灵活,却是牛逼plus,文件传输、反弹shell无所不能。
conda create -n py3hack python=3.6
conda activate py3hack
conda deactivate1、测试命令控制:在服务端先启动脚本
然后在客户端连上服务端,ctrl + D就获得了一个shell
也可以直接使用nc来获得相同的结果
2、测试命令执行:先在服务端启动脚本
在客户端启动脚本,就能得到命令执行的结果
也可以直接使用nc来获得相同的结果
3、测试文件上传:在服务端先执行
接着在客户端执行,并输入文件内容(字符串123)
最后在服务端查看,我们的文件内容(字符串123)传输ok ~
针对二进制文件,我们可以这样传输,在客户端输入< 二进制文件名
再去服务端见证奇迹
参考代码
# -*- coding: utf-8 -*-
# @Time : 2022/5/31 7:27 PM
# @Author : ailx10
# @File : netcat.py
import argparse
import socket
import shlex
import subprocess
import sys
import textwrap
import threading
def execute(cmd):
cmd = cmd.strip()
if not cmd:
return
output = subprocess.check_output(shlex.split(cmd),stderr=subprocess.STDOUT)
return output.decode()
class Netcat:
def __init__(self,args,buffer=None):
self.args = args
self.buffer = buffer
self.socket = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
def run(self):
if self.args.listen:
self.listen()
else:
self.send()
def send(self):
self.socket.connect((self.args.target,self.args.port))
if self.buffer:
self.socket.send(self.buffer)
try:
while True:
recv_len = 1
response = ''
while recv_len:
data = self.socket.recv(4096)
recv_len = len(data)
response += data.decode()
if recv_len < 4096:
break
if response:
print(response)
buffer = input('>')
buffer += '\n'
self.socket.send(buffer.encode())
except KeyboardInterrupt:
print('User terminated')
self.socket.close()
sys.exit()
def listen(self):
self.socket.bind((self.args.target,self.args.port))
self.socket.listen(5)
while True:
client_socket,_ = self.socket.accept()
client_thread = threading.Thread(target=self.handle,args=(client_socket,))
client_thread.start()
def handle(self,client_socket):
if self.args.execute:
output = execute(self.args.execute)
client_socket.send(output.encode())
elif self.args.upload:
file_buffer = b''
while True:
data = client_socket.recv(4096)
print(data.decode)
if data:
file_buffer += data
else:
break
with open(self.args.upload,'wb') as f:
f.write(file_buffer)
message = f'Saved file {self.args.upload}'
client_socket.send(message.encode())
elif self.args.command:
cmd_buffer = b''
while True:
try:
client_socket.send(b'ailx10:#>')
while '\n' not in cmd_buffer.decode():
cmd_buffer += client_socket.recv(64)
response = execute(cmd_buffer.decode())
if response:
client_socket.send(response.encode())
cmd_buffer = b''
except Exception as e:
print(f'server killed {e}')
self.socket.close()
sys.exit()
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="simple netcat tool",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=textwrap.dedent("""Example:
netcat.py -t 192.168.0.108 -p 5555 -l -c # command shell
netcat.py -t 192.168.0.108 -p 5555 -l -u=mytest.txt # upload file
netcat.py -t 192.168.0.108 -p 5555 -l -e=\"cat /etc/passwd\" # execute command
echo 'ABC' | ./netcat.py -t 192.168.0.108 -p 135 # echo text to server port 135
netcat.py -t 192.168.0.108 -p 5555 # connect to server
"""))
parser.add_argument('-c','--command',action='store_true',help='command shell')
parser.add_argument('-e','--execute',help='execute specified command')
parser.add_argument('-l','--listen',action='store_true',help='listen')
parser.add_argument('-p','--port',type=int,default=5555,help='specified port')
parser.add_argument('-t','--target',default='192.168.0.108',help='specified ip')
parser.add_argument('-u','--upload',help='upload file')
args = parser.parse_args()
if args.listen:
buffer = ''
else:
buffer = sys.stdin.read()
nc = Netcat(args,buffer.encode())
nc.run()
本文暂时没有评论,来添加一个吧(●'◡'●)