A small Flask backdoor, or how to control a computer on a local network

Hello, Habr!

I recently watched a recording of the programming stream "How to build your own web application in Flask" and decided to consolidate what I learned in a project. For a long time I did not know what to write, and then the idea came to me: "Why not make a mini-backdoor in Flask?"

The first options for implementing the backdoor and its capabilities came to mind right away. But I decided to quickly draw up a list of what the backdoor should be able to do:

  1. Be able to open websites
  2. Have access to the command line
  3. Be able to open programs, photos, videos

The first item is very easy to implement with the webbrowser module. I decided to implement the second item with the os module. The third also goes through the os module, but I will use "links" (more on that later).

Writing the server

So, *drumroll*, all of the server code:

from flask import Flask, request
import webbrowser
import os

app = Flask(__name__)


@app.route('/mycomp', methods=['POST'])
def hell():
    # Request body is JSON: {'command': ..., 'data': ...}
    json_string = request.json
    if json_string['command'] == 'test':
        return 'The server is running and waiting for commands...'
    if json_string['command'] == 'openweb':
        # Opens https://www.<data> in the default browser
        webbrowser.open(url='https://www.'+json_string['data'], new=0)
        return 'Site opening ' + json_string['data'] + '...'
    if json_string['command'] == 'shell':
        # Passes the request data straight to the system shell
        os.system(json_string['data'])
        return 'Command execution ' + json_string['data'] + '...'
    if json_string['command'] == 'link':
        # 'data' is the 1-based line number of an entry in links.txt
        with open('links.txt', 'r') as links:
            lines = links.read().splitlines()
        number = int(json_string['data'])
        if not 1 <= number <= len(lines):
            return 'No such link', 400
        link = lines[number - 1]
        os.system(link.split('>')[0])
        return 'Launch ' + link.split('>')[1]
    return 'Unknown command', 400


if __name__ == '__main__':
    # Listens on every network interface, default Flask port 5000
    app.run(host='0.0.0.0')

Now that I have dumped all the code, it is time to explain what it does.

All the code runs on the local computer on port 5000. To interact with the server, we must send a JSON POST request.

Structure of the JSON request:

{'command': 'somecommand', 'data': 'somedata'}

Naturally, 'command' is the command we want to execute, and 'data' is the command's arguments.

You can write and send the JSON requests to the server by hand (requests will help you), or you can write a console client.

Writing the client

Code:

import requests

logo = ['\n\n',
        '******      ********',
        '*******     *********',
        '**    **    **     **',
        '**    **    **     **      Written on Python',
        '*******     **     **',
        '********    **     **',
        '**     **   **     **      Author: ROBOTD4',
        '**     **   **     **',
        '**     **   **     **',
        '********    *********',
        '*******     ********',
        '\n\n']

iport = '192.168.1.2:5000'
host = 'http://' + iport + '/mycomp'


def send(command, data):
    # POST one {'command', 'data'} request and print the server's reply
    payload = {'command': command, 'data': data}
    r = requests.post(host, json=payload)
    if r.status_code == 200:
        print(r.content.decode('utf-8'))


def test():
    send('test', 0)


def start():
    for i in logo:
        print(i)


start()
test()

while True:
    command = input('>')
    a = command.split()
    if not a:
        # Empty or whitespace-only input
        continue
    if command == 'test':
        test()
    if a[0] == 'shell':
        # Everything after 'shell' is sent as one command line
        send('shell', ' '.join(a[1:]))
    if a[0] == 'link':
        if len(a) > 1:
            send('link', int(a[1]))
        else:
            # "The command has no arguments!"
            print('Комманда не содержит аргументов!')
    if a[0] == 'openweb':
        if len(a) > 1:
            send('openweb', a[1])
        else:
            # "The command has no arguments!"
            print('Комманда не содержит аргументов!')
    if a[0] == 'set':
        if len(a) > 2 and a[1] == 'host':
            # Point the client at a new server IP (port stays 5000)
            iport = a[2] + ':5000'
            host = 'http://' + iport + '/mycomp'
    if command == 'quit':
        break

Explanations:

First, the requests module is imported (for interacting with the server). Below it are the definitions of the start and test functions. Then comes the loop in which the magic happens. Have you read the code? Then you understand the magic that happens in the loop: enter a command and it is executed. Shell - commands for the command line (self-explanatory).

Test - check that the server (the backdoor) is running
Link - use a "shortcut"
Openweb - open a website
Quit - exit the client
Set - set the IP of your computer on the local network

And now more about link.

Next to the server there is a links.txt file. It contains links (full paths) to files (videos, photos, programs).

The structure looks like this:

full_path>description
full_path>description
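
As posted, the server answers any host that can reach port 5000 and hands `data` to `os.system` with no authentication. The following is an added example, not part of the original post: the request check a hardened variant would run before acting, with a shared-token comparison, a command allowlist that omits `shell` and `openweb`, and a bounds-checked lookup in the `links.txt` format described above. The token, `ALLOWED_COMMANDS`, the function names and the sample paths are assumptions made for illustration.

```python
import hmac

# Assumption: only these commands stay reachable; 'shell' and 'openweb' are dropped.
ALLOWED_COMMANDS = {"test", "link"}


def parse_links(text):
    """Parse links.txt content: one 'full_path>description' entry per line."""
    entries = []
    for line in text.splitlines():
        path, sep, description = line.partition(">")
        if sep and path.strip():  # skip blank or malformed lines
            entries.append((path.strip(), description.strip()))
    return entries


def check_request(payload, presented_token, expected_token, entries):
    """Return (http_status, result) for one {'command', 'data'} request."""
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(str(presented_token).encode(),
                               expected_token.encode()):
        return 401, "bad token"
    if not isinstance(payload, dict):
        return 400, "body must be a JSON object"
    command = payload.get("command")
    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        return 400, "command not allowed"
    if command == "test":
        return 200, "server is running"
    # 'link': data must be a 1-based line number inside links.txt.
    number = payload.get("data")
    if isinstance(number, bool) or not isinstance(number, int):
        return 400, "link number must be an integer"
    if not 1 <= number <= len(entries):
        return 400, "no such link"
    # The caller opens the returned path directly, never through a shell.
    return 200, entries[number - 1]


# Constructed sample data, not from the original post.
SAMPLE_LINKS = ("C:\\Media\\clip.mp4>Holiday video\n\n"
                "broken line\nC:\\Tools\\app.exe>Editor\n")
SAMPLE_TOKEN = "example-token-change-me"
```

In a Flask route the token would come from a request header and the status code would be returned with the response; binding to one specific interface address instead of `0.0.0.0` narrows exposure further.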

Result

We have a backdoor server for controlling a computer on a local network (within a Wi-Fi network). Technically, we can run the client from any device that has a Python interpreter.

P.S. I added the set command so that if the computer is assigned a different IP on the local network, it can be changed directly in the client.

Source: www.habr.com
