Disclaimer
Any direct or indirect consequences and losses arising from the dissemination or use of the information provided by WK Security are the sole responsibility of the user; WK Security and the author accept no liability for them. If any content infringes your rights, please let us know and we will remove it immediately and apologize. Thank you!
Study notes! I'm a newbie who just started learning, so gurus please go easy on me!!!
A practical webshell detection script written in Python. The script monitors certain "operator" behaviours, inspects files as they are uploaded, and uses Baidu's webshell scanner (any other platform could be substituted) to scan each file in real time.
First, let's borrow some ideas from ChatGPT.
```python
import requests

# list of file names to check
shell_list = ['webshell.php', 'test.php', 'cmd.php', 'wso.php']
# list of paths to check
path_list = ['/', '/wp-admin/', '/admin/', '/login/']
# URL prefix to check
url_prefix = 'http://localhost'

# loop over every path/file combination
for path in path_list:
    for shell in shell_list:
        # build the URL
        url = url_prefix + path + shell
        # send a GET request (with a timeout so a dead host does not hang the loop)
        r = requests.get(url, timeout=5)
        # decide whether a webshell is present
        if r.status_code == 200 and 'WebShell' in r.text:
            print('[!] WebShell found:', url)
```
In the example ChatGPT gave, the detection is mainly a simple keyword check for webshells. Building on that, we add monitoring of file-upload operations and call the Baidu webshell API for real-time scanning.
Operations on the files in a directory come down to create, delete, modify and query, and a webshell arrives as a file uploaded by an attacker, so creation is the operation that needs strict checks. Here we use the Python library watchdog for real-time file monitoring; details of the library can be looked up on Baidu.
Again, let's first ask the "all-powerful" ChatGPT for a demo to refer to, shown below.
```python
import time

from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler


class MyHandler(FileSystemEventHandler):
    def on_created(self, event):
        print(f"文件 {event.src_path} 被创建!")


if __name__ == "__main__":
    event_handler = MyHandler()
    observer = Observer()
    observer.schedule(event_handler, path=".", recursive=True)
    observer.start()
    try:
        while True:
            time.sleep(1)  # sleep instead of a busy-wait loop
    except KeyboardInterrupt:
        observer.stop()
    observer.join()
```
Using GPT's demo as a reference, I start writing my own.
First install the watchdog library and import it. Four handler functions are needed (create, delete, modify, query), so I ask ChatGPT again for a demo!
```python
import time

from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler


class FileEventHandler(FileSystemEventHandler):
    def on_created(self, event):
        print("File created: ", event.src_path)

    def on_modified(self, event):
        print("File modified: ", event.src_path)

    def on_deleted(self, event):
        print("File deleted: ", event.src_path)

    def on_moved(self, event):
        print("File moved from ", event.src_path, " to ", event.dest_path)


if __name__ == "__main__":
    observer = Observer()
    event_handler = FileEventHandler()
    observer.schedule(event_handler, path='.', recursive=True)
    observer.start()
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        observer.stop()
    observer.join()
```
OK, the basic idea and the template are in place.
First write the upload_check_file function: it calls the Baidu webshell API to scan the file, decides whether the file is a webshell by reading the JSON result the API returns, extracts the relevant content and returns that information.
Baidu webshell scanner: https://scanner.baidu.com/#/pages/intro
To upload a file, just replace web.zip in the API call with the file to check.
Next write a file-monitoring class that implements the four handlers for create, delete, modify and query.
```python
from watchdog.events import FileSystemEventHandler

# upload_check_file is the scanning function defined in the complete script below


class FileEventHandler(FileSystemEventHandler):
    def __init__(self):
        super().__init__()

    def on_moved(self, event):
        if event.is_directory:
            pass
            # print("directory moved from {0} to {1}".format(event.src_path, event.dest_path))
        else:
            pass
            # print("file moved from {0} to {1}".format(event.src_path, event.dest_path))

    def on_created(self, event):
        if event.is_directory:
            print("directory created:{0}".format(event.src_path))
        else:
            print("file created:{0}".format(event.src_path))
            # every newly created file is sent to the scanner
            upload_check_file(event.src_path)

    def on_deleted(self, event):
        if event.is_directory:
            print("directory deleted:{0}".format(event.src_path))
        else:
            print("file deleted:{0}".format(event.src_path))

    def on_modified(self, event):
        if event.is_directory:
            pass
            # print("directory modified:{0}".format(event.src_path))
        else:
            pass
            # print("file modified:{0}".format(event.src_path))
```
Finally, the main block wires it up, taking the directory to watch from sys.argv.
```python
import sys
import time

from watchdog.observers import Observer

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python %s <directory to monitor>" % sys.argv[0])
    addr = sys.argv[1]
    observer = Observer()
    event_handler = FileEventHandler()
    observer.schedule(event_handler, addr, recursive=True)
    observer.start()
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        observer.stop()
    observer.join()
```
The complete demo code is as follows:
```python
import json
import os
import subprocess
import sys
import time

import requests
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler

# The watchdog module monitors a folder for actions such as file moves, modifications/uploads
# and deletions, similar to the web-page trojan monitoring feature in phpStudy.


def upload_check_file(filename):
    """Upload a newly created file to the Baidu webshell scanner and delete it if flagged."""
    # Run curl with an argument list instead of a shell string, so a file name containing spaces
    # or shell metacharacters can neither break nor alter the command. The form field name
    # ("file=@<path>") is reconstructed from the garbled original; verify it against the scanner docs.
    api = ['curl', 'https://scanner.baidu.com/enqueue', '-F', 'file=@%s' % filename]
    try:
        contents = subprocess.run(api, capture_output=True, text=True, check=True).stdout
        s = json.loads(contents)
        urls = s['url']
        time.sleep(2)  # give the scanner a moment before polling for the result
        result = requests.get(url=urls, timeout=10).json()
        results = result[0]['data'][0]['descr']
        if 'None' in results:
            print(filename + '不是webshell')
        else:
            print(filename + '是webshell')
            print(results)
            os.unlink(filename)
            print('此文件已被删除!')
    except Exception as e:
        # report the failure instead of silently swallowing it
        print('check failed for %s: %s' % (filename, e))


class FileEventHandler(FileSystemEventHandler):
    def __init__(self):
        super().__init__()

    def on_moved(self, event):
        # note: a rename within the watched tree arrives here, not in on_created
        if event.is_directory:
            pass
            # print("directory moved from {0} to {1}".format(event.src_path, event.dest_path))
        else:
            pass
            # print("file moved from {0} to {1}".format(event.src_path, event.dest_path))

    def on_created(self, event):
        if event.is_directory:
            print("directory created:{0}".format(event.src_path))
        else:
            print("file created:{0}".format(event.src_path))
            # every newly created file is sent to the scanner
            upload_check_file(event.src_path)

    def on_deleted(self, event):
        if event.is_directory:
            print("directory deleted:{0}".format(event.src_path))
        else:
            print("file deleted:{0}".format(event.src_path))

    def on_modified(self, event):
        if event.is_directory:
            pass
            # print("directory modified:{0}".format(event.src_path))
        else:
            pass
            # print("file modified:{0}".format(event.src_path))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python %s <directory to monitor>" % sys.argv[0])
    addr = sys.argv[1]
    observer = Observer()
    event_handler = FileEventHandler()
    observer.schedule(event_handler, addr, recursive=True)
    observer.start()
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        observer.stop()
    observer.join()
```
Demo result (the script is rough and just for fun; with GPT's help you can write a more powerful and complete one).
The second argument on the command line is the path of the folder you want to monitor.
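As an added example (not code from the post or its author), here is a hardened version of the on_created to upload_check_file step: it waits for the upload to finish being written before scanning, scans only file types the web server would execute, and moves a flagged file to a quarantine directory instead of unlinking it. The Baidu API is replaced by a constructed local signature check so the example runs offline; SCAN_EXTENSIONS, the signature, the quarantine layout and the sample files are all assumptions.

```python
import os, re, shutil, tempfile, time

SCAN_EXTENSIONS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx"}  # assumed list
# Constructed signature standing in for the Baidu scanner so the example runs offline.
SIGNATURE = re.compile(r"\b(eval|system|shell_exec)\s*\(\s*\$_(post|get|request)", re.I)

def local_scan(path):
    """Return a description string; 'None' mimics the API's clean result."""
    with open(path, "rb") as f:
        m = SIGNATURE.search(f.read(1024 * 1024).decode("utf-8", "ignore"))
    return "suspicious call: " + m.group(0) if m else "None"

def verdict(descr):
    """Same rule as the post: the scanner reports 'None' for a clean file."""
    return "None" not in descr

def wait_until_stable(path, settle=0.5, rounds=20):
    """on_created fires before a large upload is fully written; wait for the size to settle."""
    last = -1
    for _ in range(rounds):
        size = os.path.getsize(path)
        if size == last:
            return True
        last = size
        time.sleep(settle)
    return False

def handle_new_file(path, quarantine_dir, scan=local_scan):
    """Scan one new file; returns 'skipped', 'clean' or 'quarantined'."""
    if os.path.splitext(path)[1].lower() not in SCAN_EXTENSIONS:
        return "skipped"
    wait_until_stable(path)
    if not verdict(scan(path)):
        return "clean"
    # keep the file for forensics instead of unlinking it; quarantine_dir must sit outside the web root
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, "%d_%s" % (time.time(), os.path.basename(path)))
    shutil.move(path, dest)
    return "quarantined"

def demo():
    """Constructed sample uploads in a temp dir; returns each file's outcome."""
    root, out = tempfile.mkdtemp(), {}
    for name, body in {"a.png": b"\x89PNG", "index.php": b"<?php echo 'hi'; ?>",
                       "up.php": b"<?php eval($_POST['c']); ?>"}.items():
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(body)
        out[name] = handle_new_file(p, os.path.join(root, "quarantine"))
    return out
```

To plug this into the post's watcher, call handle_new_file(event.src_path, ...) from on_created and pass a scan function that performs the Baidu upload and returns the descr string.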
Finally, I hope everyone can also make flexible use of the GPT master!