SharPyShell - 用于C#网络应用程序的微小和混淆的ASP.NET webshell
作者:Sec-Labs | 发布时间:
项目地址
https://github.com/antonioCoco/SharPyShell
SharPyShell
SharPyShell 是一个小巧且混淆的 ASP.NET webshell,它执行加密通道接收的命令,在运行时将它们编译到内存中。
SharPyShell 仅支持在 .NET Framework >= 2.0 上运行的 C# Web 应用程序
atm 不支持 VB。
用法
python3 SharPyShell.py generate -p somepassword
python3 SharPyShell.py interact -u http://target.url/sharpyshell.aspx -p somepassword
要求
Python 版本 >= 3.6
和
pip3 install -r requirements.txt
描述
SharPyShell 是一个用 Python 编写的后开发框架,它能够:
- 生成混淆后的webshell(generate);
- 模拟 windows 终端作为 webshell 的交互(interact)。
该框架的主要目的是为渗透测试人员提供一系列工具,以便在对 IIS 网络服务器的利用成功后简化后利用阶段。
此工具并非旨在替代 C2 服务器的框架(即 Meterpreter、Empire、ecc..),但当您登陆到入站和出站连接非常有限的完全受限服务器时,应该使用此工具。
在此框架中,您将拥有在目标服务器的 cmd 后面键入时进行 privesc、网络发现和横向移动所需的所有工具。
此外,该框架旨在尽可能隐蔽地在内存中执行 c# 代码和 powershell 模块。
SharPyShell 中实施的混淆旨在规避文件签名和网络签名 ID。
为了规避网络签名,已经开发了一个完全加密的通道来发送命令和接收输出。
文件签名的规避是通过在负责运行时编译 c# 代码的预编译 dll 上使用反射来实现的。
技术图
使用 asciiflow.com 生成
+-------------------------------------------+ +--------------------------------------------+
| SharPyShell Client (Local) | | Target Server (Remote) |
+-------------------------------------------+ +--------------+ +--------------------------------------------+
| | | Encrypted | | |
| +--------+-----------------^-----------<----> HTTP <---->-----------+-----------------^--------+ |
| | | | | Channel | | | | |
| |4-Receive |1-Send | +--------------+ | |2-Receive |3-Send |
| | | | | | | |
| +--------v-----------------+--------+ | | +--------v-----------------+--------+ |
| | Module | | | | Webshell URL | |
| +--------+-----------------^--------+ | | +--------+-----------------^--------+ |
| | |Parse |Generate| | | | |Parse |Generate| |
| | +------v------+ +------+------+ | | | | +------v------+ +------+------+ | |
| | |Base64 Resp | |Base64 Req | | | | | |Base64 Req | |Base64 Resp | | |
| | +------+------+ +------^------+ | | | | +------+------+ +------^------+ | |
| | |Decode |Encode | | | | |Decode |Encode | |
| | +------v------+ +------+------+ | | | | +------v------+ +------+------+ | |
| | |Xor/Aes Data | |Xor/Aes Data | | | | | |Xor/Aes Data | |Xor/Aes Data | | |
| | +------+------+ +------^------+ | | | | +------+------+ +------^------+ | |
| | |Decrypt |Encrypt | | | | |Decrypt |Encrypt | |
| | +------v------+ +------+------+ | | | | +------v------+ +------+------+ | |
| | |Response | |C# Code | | | | | |C# Code | |Output | | |
| | +------+------+ +------+------+ | | | | +------+------+ +------+------+ | |
| | | ^ | | | | | ^ | |
| | v | | | | | v | | |
| | +--------+--------+ | | | | +--------+--------+ | |
| | | | | | | | | |
| +---------------- ^ ----------------+ | | +---------------- ^ ----------------+ |
| | | | | |
| |Run&Parse | | |Compile&Run |
| | | | | |
| +------ v ------+ | | +------ v ------+ |
| |Terminal | | | |csc.exe | |
| +---------------+ | | +---------------+ |
| |Modules: | | | |System.dll | |
| |#exec_cmd | | | |Compile in Mem | |
| |#exec_ps | | | |No exe output | |
| |#runas | | | | | |
| |..... | | | | | |
| | | | | | | |
| +---------------+ | | +---------------+ |
| | | |
+-------------------------------------------+ +--------------------------------------------+
模块
#download Download a file from the server
#exec_cmd Run a cmd.exe /c command on the server
#exec_ps Run a powershell.exe -nop -noni -enc 'base64command' on the server
#inject_dll_reflective Inject a reflective DLL in a new (or existing) process
#inject_dll_srdi Inject a generic DLL in a new (or existing) process
#inject_shellcode Inject shellcode in a new (or existing) process
#invoke_ps_module Run a ps1 script on the target server
#invoke_ps_module_as Run a ps1 script on the target server as a specific user
#lateral_psexec Run psexec binary to move laterally
#lateral_wmi Run builtin WMI command to move laterally
#mimikatz Run an offline version of mimikatz directly in memory
#net_portscan Run a port scan using regular sockets, based (pretty) loosely on nmap
#privesc_juicy_potato Launch InMem Juicy Potato attack trying to impersonate NT AUTHORITY\SYSTEM
#privesc_powerup Run Powerup module to assess all misconfiguration for privesc
#runas Run a cmd.exe /c command spawning a new process as a specific user
#runas_ps Run a powershell.exe -enc spawning a new process as a specific user
#upload Upload a file to the server
Windows版本测试
Windows 服务器 >= 2008 标准 x64
贡献
- @newfinal100(花哨的标志!)
- @weevely3
- @多汁土豆
- @PowerSploit
- @mimikatz
标签:工具分享, webshell绕过