A small backdoor in Flask, or how to control a computer on a local network

Hi, Habr!

Recently I watched a downloaded version of the programming stream "How to create your own web application in Flask." And I decided to consolidate my knowledge in some project. For a long time I didn't know what to write, and then an idea came to me: "Why not make a mini-backdoor in Flask?"

The first options for the implementation and the capabilities of the backdoor immediately appeared in my head. But I decided to make a list of the backdoor's features:

  1. Be able to open websites
  2. Have a command line
  3. Be able to open programs, photos, videos

So, the first point is very easy to implement using the webbrowser module. I decided to implement the second point using the os module. And the third also goes through the os module, but I will use "links" (more on that later).

Writing the server

So, *drumroll* all of the server code:

from flask import Flask, request
import webbrowser
import os

app = Flask(__name__)

@app.route('/mycomp', methods=['POST'])
def hell():
    json_string = request.json
    # Health check
    if json_string['command'] == 'test':
        return 'The server is running and waiting for commands...'
    # Open https://www.<data> in the default browser
    if json_string['command'] == 'openweb':
        webbrowser.open(url='https://www.'+json_string['data'], new=0)
        return 'Site opening ' + json_string['data'] + '...'
    # Pass 'data' to the system shell unchanged
    if json_string['command'] == 'shell':
        os.system(json_string['data'])
        return 'Command execution ' + json_string['data'] + '...'
    # 'data' is the 1-based line number in links.txt (full_path>description)
    if json_string['command'] == 'link':
        with open('links.txt', 'r') as links:
            for i in range(int(json_string['data'])):
                link = links.readline()
        path, description = link.strip().split('>', 1)
        os.system(path)
        return 'Launch ' + description
    # Answer explicitly instead of returning None (which Flask turns into HTTP 500)
    return 'Unknown command', 400

if __name__ == '__main__':
    # Listens on every interface, default port 5000
    app.run(host='0.0.0.0')

I have already dumped all the code, so it's time to explain how it works.

All of the code runs on the local computer on port 5000. To interact with the server, we must send a JSON POST request.

Structure of the JSON request:

{'command': 'somecommand', 'data': 'somedata'}

Well, it's logical that 'command' is the command we want to execute. And 'data' is the command's arguments.
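The endpoint above accepts this JSON from any host that can reach port 5000 and hands 'data' to os.system. As an added example (not part of the original article), here is a stdlib-only sketch of the same command/data dispatch with the controls the listing lacks: an HMAC tag on each request, an allow-list that omits 'shell', hostname validation for openweb, and links resolved by index from parsed entries. The key, the separate mac value and all function names are assumptions.

```python
import hashlib
import hmac
import json
import re

SECRET = b"constructed-demo-key"       # assumption: shared key provisioned out of band
ALLOWED = {"test", "openweb", "link"}  # 'shell' is deliberately not offered
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def sign(body, key=SECRET):
    """HMAC-SHA256 tag the client sends alongside the JSON body."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def parse_links(text):
    """Parse 'full_path>description' lines; malformed lines are dropped."""
    out = []
    for line in text.splitlines():
        path, sep, desc = line.strip().partition(">")
        if sep and path and desc:
            out.append((path, desc))
    return out


def dispatch(body, mac, links):
    """Return (status, action); action is data for the caller, never a shell string."""
    if not hmac.compare_digest(sign(body).encode(), mac.encode()):
        return 401, None
    try:
        req = json.loads(body)
        command, data = req["command"], req["data"]
    except (ValueError, KeyError, TypeError):
        return 400, None
    if not isinstance(command, str) or command not in ALLOWED:
        return 403, None
    if command == "test":
        return 200, ("status", "running")
    if command == "openweb":
        if not isinstance(data, str) or not HOST_RE.match(data.lower()):
            return 400, None
        return 200, ("open_url", "https://www." + data.lower())
    # command == "link": 1-based index, as the page's client sends it
    if not isinstance(data, int) or isinstance(data, bool) or not 1 <= data <= len(links):
        return 400, None
    return 200, ("open_file", links[data - 1][0])
```

The tag alone does not stop a captured request from being replayed; a real service would add TLS and a nonce or timestamp, which this sketch leaves out.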

You can compose and send the JSON requests to the server by hand (the requests module will help you). Or you can write a console client.

Writing the client

Code:

import requests

logo = ['\n\n',
        '******      ********',
        '*******     *********',
        '**    **    **     **',
        '**    **    **     **      Written on Python',
        '*******     **     **',
        '********    **     **',
        '**     **   **     **      Author: ROBOTD4',
        '**     **   **     **',
        '**     **   **     **',
        '********    *********',
        '*******     ********',
        '\n\n']

p = ''
iport = '192.168.1.2:5000'
host = 'http://' + iport + '/mycomp'

def test():
    # Ask the server whether it is up
    payload = {'command': 'test', 'data': 0}
    r = requests.post(host, json=payload)
    if r.status_code == 200:
        print(r.content.decode('utf-8'))

def start():
    # Print the banner
    for i in logo:
        print(i)

start()
test()

while True:
    command = input('>')
    if command == '':
        continue
    a = command.split()
    if command == 'test':
        test()
    if a[0] == 'shell':
        # Everything after 'shell' is joined back into one command line
        for i in range(1, len(a)):
            p = p + a[i] + ' '
        payload = {'command': 'shell', 'data': p}
        r = requests.post(host, json=payload)
        if r.status_code == 200:
            print(r.content.decode('utf-8'))
        p = ''
    if a[0] == 'link':
        if len(a) > 1:
            payload = {'command': 'link', 'data': int(a[1])}
            r = requests.post(host, json=payload)
            if r.status_code == 200:
                print(r.content.decode('utf-8'))
        else:
            # "The command has no arguments!"
            print('Комманда не содержит аргументов!')
    if a[0] == 'openweb':
        if len(a) > 1:
            payload = {'command': 'openweb', 'data': a[1]}
            r = requests.post(host, json=payload)
            if r.status_code == 200:
                print(r.content.decode('utf-8'))
        else:
            # "The command has no arguments!"
            print('Комманда не содержит аргументов!')
    if a[0] == 'set':
        if len(a) > 2 and a[1] == 'host':
            # Rebuild the target URL (the original assigned a variable that was never used)
            iport = a[2] + ':5000'
            host = 'http://' + iport + '/mycomp'
    if command == 'quit':
        break

Explanation:

First, the requests module is imported (for communicating with the server). Below that come the definitions of the start and test functions. And then comes the loop where the magic happens. Did you read the code? Then you understand the meaning of the magic that happens in the loop. You enter a command and it is executed. Shell - commands for the command line (the logic here is trivial).

Test - check whether the server (the backdoor) is running
Link - use a "shortcut"
Openweb - open a website
Quit - exit the client
Set - set the IP of your computer on the local network

And now more about link.

Next to the server there is a links.txt file. It contains links (full paths) to files (videos, photos, programs).

The format is as follows:

full_path>description
full_path>description

Results

We have a backdoor server for controlling a computer on a local network (within a Wi-Fi network). Technically, we can run the client from any device that has a Python interpreter.
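For code review and incident triage, the two properties that make the server listing dangerous can be found statically: a shell call whose argument is not a constant, and a listener bound to all interfaces. The following added example (not from the original article) walks a Python AST and reports both; the sample source is constructed after the listing above, and the names dotted and audit are illustrative.

```python
import ast

# Constructed sample, modelled on the server listing above
SAMPLE = '''import os
from flask import Flask, request
app = Flask(__name__)
@app.route('/mycomp', methods=['POST'])
def handler():
    body = request.json
    os.system(body['data'])
    os.system('cls')
    return 'ok'
app.run(host='0.0.0.0')
'''


def dotted(node):
    """Render an attribute chain such as os.system as the string 'os.system'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def audit(source):
    """Return sorted (line, finding) pairs for the two patterns described above."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted(node.func)
        if name in ("os.system", "os.popen") and node.args:
            # A literal command is fixed at write time; anything else is flagged
            if not isinstance(node.args[0], ast.Constant):
                findings.append((node.lineno, "shell call with non-constant argument"))
        if name.endswith(".run"):
            for kw in node.keywords:
                wide = isinstance(kw.value, ast.Constant) and kw.value.value in ("0.0.0.0", "::")
                if kw.arg == "host" and wide:
                    findings.append((node.lineno, "listener bound to all interfaces"))
    return sorted(findings)
```

The check is syntactic: it does not follow aliases such as `from os import system`, so treat a clean result as a first pass and not as proof.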

P.S. I added the set command so that if the computer is assigned a different IP on the local network, it can be changed directly in the client.

Source: www.habr.com
