近期收到了电子工业出版社赠送的一本黑客书籍《python黑帽子》,看了一下翻译,令人吃惊,竟然是资深知乎网友,安全大神林修乐(
@Gh0u1L5
,腾讯玄武实验室安全研究员)。接下来的时光里,准备做一下里面的实验,跟进大神的成长步伐。书中一共24个实验,今天复现第一个实验(取代netcat),我的测试环境是mbp电脑+kali虚拟机+conda开发环境。
netcat 一直是老师们口中的瑞士军刀,小巧灵活,却是牛逼plus,文件传输、反弹shell无所不能。
conda create -n py3hack python=3.6conda activate py3hackconda deactivate
1、测试命令控制:在服务端先启动脚本
然后在客户端连上服务端,ctrl + D就获得了一个shell
也可以直接使用nc来获得相同的结果
2、测试命令执行:先在服务端启动脚本
在客户端启动脚本,就能得到命令执行的结果
也可以直接使用nc来获得相同的结果
3、测试文件上传:在服务端先执行
接着在客户端执行,并输入文件内容(字符串123)
最后在服务端查看,我们的文件内容(字符串123)传输ok ~
针对二进制文件,我们可以这样传输,在客户端输入< 二进制文件名
再去服务端见证奇迹
参考代码
# -*- coding: utf-8 -*-# @Time : 2022/5/31 7:27 PM# @Author : ailx10# @File : netcat.pyimport argparseimport socketimport shleximport subprocessimport sysimport textwrapimport threadingdef execute(cmd): cmd = cmd.strip if not cmd: return output = subprocess.check_output(shlex.split(cmd),stderr=subprocess.STDOUT) return output.decodeclass Netcat: def __init__(self,args,buffer=None): self.args = args self.buffer = buffer self.socket = socket.socket(socket.AF_INET,socket.SOCK_STREAM) self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1) def run(self): if self.args.listen: self.listen else: self.send def send(self): self.socket.connect((self.args.target,self.args.port)) if self.buffer: self.socket.send(self.buffer) try: while True: recv_len = 1 response = '' while recv_len: data = self.socket.recv(4096) recv_len = len(data) response += data.decode if recv_len < 4096: break if response: print(response) buffer = input('>') buffer += ' ' self.socket.send(buffer.encode) except KeyboardInterrupt: print('User terminated') self.socket.close sys.exit def listen(self): self.socket.bind((self.args.target,self.args.port)) self.socket.listen(5) while True: client_socket,_ = self.socket.accept client_thread = threading.Thread(target=self.handle,args=(client_socket,)) client_thread.start def handle(self,client_socket): if self.args.execute: output = execute(self.args.execute) client_socket.send(output.encode) elif self.args.upload: file_buffer = b'' while True: data = client_socket.recv(4096) print(data.decode) if data: file_buffer += data else: break with open(self.args.upload,'wb') as f: f.write(file_buffer) message = f'Saved file {self.args.upload}' client_socket.send(message.encode) elif self.args.command: cmd_buffer = b'' while True: try: client_socket.send(b'ailx10:#>') while ' ' not in cmd_buffer.decode: cmd_buffer += client_socket.recv(64) response = execute(cmd_buffer.decode) if response: client_socket.send(response.encode) cmd_buffer = b'' except Exception as e: print(f'server killed {e}') self.socket.close sys.exitif __name__ == "__main__": parser = argparse.ArgumentParser(description="simple netcat tool", formatter_class=argparse.RawDescriptionHelpFormatter, epilog=textwrap.dedent("""Example: netcat.py -t 192.168.0.108 -p 5555 -l -c # command shell netcat.py -t 192.168.0.108 -p 5555 -l -u=mytest.txt # upload file netcat.py -t 192.168.0.108 -p 5555 -l -e="cat /etc/passwd" # execute command echo 'ABC' | ./netcat.py -t 192.168.0.108 -p 135 # echo text to server port 135 netcat.py -t 192.168.0.108 -p 5555 # connect to server """)) parser.add_argument('-c','--command',action='store_true',help='command shell') parser.add_argument('-e','--execute',help='execute specified command') parser.add_argument('-l','--listen',action='store_true',help='listen') parser.add_argument('-p','--port',type=int,default=5555,help='specified port') parser.add_argument('-t','--target',default='192.168.0.108',help='specified ip') parser.add_argument('-u','--upload',help='upload file') args = parser.parse_args if args.listen: buffer = '' else: buffer = sys.stdin.read nc = Netcat(args,buffer.encode) nc.run
