
Commit fb3606b

author
zhaochengyu
committed
可定制header及proxy
1 parent edd5e0b commit fb3606b


3 files changed

+96
-32
lines changed


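--- a/config.py
+++ b/config.py
@@ -16,7 +16,7 @@
 
 # 错误码
 ERROR_CODE = "error_code"
-DEFAULT_SOCKET_TIMEOUT = 0.5
+DEFAULT_SOCKET_TIMEOUT = 0.2
 
 # url路由
 URL_SET_CONFIG = "/set_config/"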

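--- a/readme.md
+++ b/readme.md
@@ -122,6 +122,15 @@ root@kali:~# ./stinger_client -w http://example.com:8080:8080/proxy.jsp -l 127.0
 * 生成payload,上传到主机运行后即可上线
 * 横向移动到其他主机时可以将payload指向192.168.3.11:60020即可实现出网上线
 
+## 定制Header及proxy
+* 如果webshell需要配置Cookie或者Authorization,可通过--header参数配置请求头
+
+```--header "Authorization: XXXXXX,Cookie: XXXXX"```
+
+* 如果webshell需要通过代理访问,可通过--proxy设置代理
+
+```--proxy "socks5:127.0.0.1:1081"```
+
 
 # 相关工具
 [https://github.com/nccgroup/ABPTTS](https://github.com/nccgroup/ABPTTS)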

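--- a/stinger_client.py
+++ b/stinger_client.py
@@ -37,6 +37,7 @@ def __init__(self):
 "Accept-Language": "zh-CN,zh;q=0.8",
 'Accept-Encoding': 'gzip',
 }
+self.proxy = None
 self.CACHE_CONNS = {}
 self.MIRROR_CHCHE_CONNS = {}
 # {
@@ -65,8 +66,32 @@ def __init__(self):
 self.die_client_address = []
 self.mirror_die_client_address = []
 self.session = requests.session()
+self.session.verify = False
 threading.Thread.__init__(self)
 
+def custom_header(self, inputstr):
+try:
+str_headers = inputstr.split(",")
+for str_header in str_headers:
+header_type = str_header.split(":")[0].strip()
+header_value = str_header.split(":")[1].strip()
+self.headers[header_type] = header_value
+except Exception as E:
+self.logger.exception(E)
+return False
+self.logger.info("------------ Custom http request header ------------")
+self.logger.info(self.headers)
+self.logger.info("\n")
+return True
+
+def custom_proxy(self, proxy):
+self.proxy = {'http': proxy, 'https': proxy}
+self.session.proxies = self.proxy
+self.logger.info("------------ Custom http request proxy ------------")
+self.logger.info(self.proxy)
+self.logger.info("\n")
+return True
+
 def _post_data(self, url, data={}):
 payload = {
 "Remoteserver": self.REMOTE_SERVER,
@@ -99,7 +124,6 @@ def run(self):
 while True:
 self._sync_data()
 
-
 def _sync_data(self):
 has_data = False
 # 清除无效的client
@@ -286,13 +310,17 @@ def _sync_data(self):
 
 def setc_webshell(self, WEBSHELL):
 try:
-r = requests.get(WEBSHELL, verify=False, timeout=3, headers=self.headers, )
+r = requests.get(WEBSHELL, verify=False, timeout=3, headers=self.headers, proxies=self.proxy)
 if b"UTF-8" in r.content:
 self.WEBSHELL = WEBSHELL
 return True
 else:
 return False
+except requests.exceptions.ProxyError as proxyError:
+self.logger.error("Connet to proxy failed : {}".format(self.proxy))
+return False
 except Exception as E:
+self.logger.exception(E)
 return False
 
 def setc_remoteserver(self, REMOTE_SERVER=None):
@@ -497,7 +525,7 @@ def run(self):
 self._port))
 return False
 
-self.logger.info("Socks4a ready to accept")
+self.logger.warning("Socks4a ready to accept")
 while True:
 try:
 conn, addr = s.accept()
@@ -550,22 +578,36 @@ def _process_request(self, data, client_conn, addr):
 parser.add_argument('-w', '--webshell', metavar='http://192.168.3.10:8080/proxy.jsp',
 help="webshell url",
 required=True)
+
+parser.add_argument('--header', metavar='Authorization: XXX,Cookie: XXX',
+help="custom http request header",
+default=None)
+
+parser.add_argument('--proxy', metavar='socks5://127.0.0.1:1080',
+help="Connect webshell through proxy",
+default=None)
+
 parser.add_argument('-l', '--locallistenaddress', metavar='127.0.0.1/0.0.0.0',
 help="local listen address for socks4",
-default='127.0.0.1',
-required=True)
-parser.add_argument('-p', '--port',
-default=60000,
+default='127.0.0.1')
+parser.add_argument('-p', '--locallistenport',
+default=10800,
 metavar='N',
 type=int,
 help="local listen port for socks4",
 )
 
-parser.add_argument('-st', '--sockettimeout', default=0.05,
+parser.add_argument('-st', '--sockettimeout', default=0.2,
 metavar="N",
 type=float,
 help="socket timeout value",
 )
+parser.add_argument('-ti', '--targetipaddress', metavar='127.0.0.1',
+help="reverse proxy target ipaddress",
+required=False)
+parser.add_argument('-tp', '--targetport', metavar='60020',
+help="reverse proxy target port",
+required=False)
 parser.add_argument('-c', '--cleansockst', default=False,
 nargs='?',
 metavar="true",
@@ -578,16 +620,10 @@ def _process_request(self, data, client_conn, addr):
 type=bool,
 help="clean server exist socket(this will kill other client connect)",
 )
-parser.add_argument('-ti', '--targetipaddress', metavar='127.0.0.1',
-help="reverse proxy target ipaddress",
-required=False)
-parser.add_argument('-tp', '--targetport', metavar='60020',
-help="reverse proxy target port",
-required=False)
 args = parser.parse_args()
 WEBSHELL = args.webshell
 LISTEN_ADDR = args.locallistenaddress
-LISTEN_PORT = args.port
+LISTEN_PORT = args.locallistenport
 
 CLEAN_SOCKET = args.cleansockst
 if CLEAN_SOCKET is not False:
@@ -596,6 +632,18 @@ def _process_request(self, data, client_conn, addr):
 CLEAN_SOCKET = False
 
 globalClientCenter = ClientCenter()
+header = args.header
+if header is not None:
+flag = globalClientCenter.custom_header(header)
+if flag is not True:
+sys.exit(1)
+
+
+proxy = args.proxy
+if proxy is not None:
+flag = globalClientCenter.custom_proxy(proxy)
+if flag is not True:
+sys.exit(1)
 
 SINGLE_MODE = args.singlemode
 if SINGLE_MODE is not False:
@@ -605,73 +653,80 @@ def _process_request(self, data, client_conn, addr):
 else:
 SINGLE_MODE = False
 
-globalClientCenter.logger.info("Local listen checking ...")
+globalClientCenter.logger.info("------------------- Local check -------------------")
 flag = globalClientCenter.setc_localaddr(LISTEN_ADDR, LISTEN_PORT)
 if flag:
-globalClientCenter.logger.info("Local listen check pass")
-globalClientCenter.logger.info("Socks4a on {}:{}".format(LISTEN_ADDR, LISTEN_PORT))
+globalClientCenter.logger.info("Local listen check : pass")
 else:
 globalClientCenter.logger.error(
 "Local listen check failed, please check if {}:{} is available".format(LISTEN_ADDR, LISTEN_PORT))
 globalClientCenter.logger.error(WEBSHELL)
-globalClientCenter.logger.info("WEBSHELL checking ...")
+sys.exit(1)
+
 webshell_alive = globalClientCenter.setc_webshell(WEBSHELL)
 if webshell_alive:
-globalClientCenter.logger.info("WEBSHELL check pass")
+globalClientCenter.logger.info("WEBSHELL check : pass")
 globalClientCenter.logger.info("WEBSHELL: {}".format(WEBSHELL))
 else:
 globalClientCenter.logger.error("WEBSHELL check failed!")
 globalClientCenter.logger.error(WEBSHELL)
 sys.exit(1)
-globalClientCenter.logger.info("REMOTE_SERVER checking ...")
+
 result = globalClientCenter.setc_remoteserver()
 if result is None:
 globalClientCenter.logger.error("Read REMOTE_SERVER failed,please check whether server is running")
 sys.exit(1)
 else:
 MIRROR_LISTEN = "127.0.0.1:60020"
-globalClientCenter.logger.info("REMOTE_SERVER check pass")
-globalClientCenter.logger.info("------------------- Sever Config -------------------")
+globalClientCenter.logger.info("REMOTE_SERVER check : pass")
+globalClientCenter.logger.info("\n")
+globalClientCenter.logger.info("------------------- Get Sever Config -------------------")
 for key in result:
 globalClientCenter.logger.info("{} : {}".format(key, result.get(key)))
 if key == "MIRROR_LISTEN":
 MIRROR_LISTEN = result.get(key)
+globalClientCenter.logger.info("\n")
+
+globalClientCenter.logger.info("------------------- Set Sever Config -------------------")
+# 是否清理已有连接
 if CLEAN_SOCKET:
 flag = globalClientCenter.send_cmd("CLEAN_SOCKET")
 globalClientCenter.logger.info("CLEAN_SOCKET cmd : {}".format(flag))
 
+# server建立内网tcp连接的超时时间,超时时间越长速度越慢
 sockettimeout = args.sockettimeout
 if sockettimeout != DEFAULT_SOCKET_TIMEOUT:
 flag = globalClientCenter.sets_config("SOCKET_TIMEOUT", sockettimeout)
 globalClientCenter.logger.info("Set server SOCKET_TIMEOUT => {}".format(flag))
-
 globalClientCenter.SOCKET_TIMEOUT = sockettimeout
+globalClientCenter.logger.info("\n")
 
+# 映射到本地的地址
 TARGET_IP = args.targetipaddress
 if TARGET_IP is None:
 globalClientCenter.TARGET_IP = MIRROR_LISTEN.split(":")[0]
 else:
 globalClientCenter.TARGET_IP = TARGET_IP
 
+# 映射到本地的端口
 TARGET_PORT = args.targetport
 if TARGET_PORT is None:
 globalClientCenter.TARGET_PORT = int(MIRROR_LISTEN.split(":")[1])
 else:
 globalClientCenter.TARGET_PORT = int(TARGET_PORT)
-globalClientCenter.logger.info(
-"TARGET_ADDRESS : {}:{}".format(globalClientCenter.TARGET_IP, globalClientCenter.TARGET_PORT))
-
 
-
-globalClientCenter.logger.info("------------------- RAT Config -------------------")
+globalClientCenter.logger.info("------------------! RAT Config !------------------")
+globalClientCenter.logger.info("Socks4a on {}:{}".format(LISTEN_ADDR, LISTEN_PORT))
 globalClientCenter.logger.info(
-"Handler/LISTEN should listen on {}:{}".format(globalClientCenter.TARGET_IP, globalClientCenter.TARGET_PORT))
+"Handler/LISTENER should listen on {}:{}".format(globalClientCenter.TARGET_IP, globalClientCenter.TARGET_PORT))
 globalClientCenter.logger.info(
 "Payload should connect to {}".format(MIRROR_LISTEN))
+globalClientCenter.logger.info("------------------! RAT Config !------------------\n")
+
 # 启动服务
 globalClientCenter.setDaemon(True)
 
-t2 = Socks4aProxy(host=args.locallistenaddress, port=args.port, timeout=sockettimeout, bufsize=BUFSIZE)
+t2 = Socks4aProxy(host=args.locallistenaddress, port=args.locallistenport, timeout=sockettimeout, bufsize=BUFSIZE)
 t2.setDaemon(True)
 
 globalClientCenter.start()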
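Review bot: `custom_header` (the hunk at old line 65) silently truncates any header value that itself contains a colon, because `str_header.split(":")[1]` keeps only the text between the first and second colon, so a value holding a URL or a `host:port` pair is stored incomplete without any error; `header_type, _, header_value = str_header.partition(":")` followed by `.strip()` on both parts keeps the whole value. The same method then logs the complete `self.headers` dict at INFO, so an Authorization or Cookie value passed on the command line is written verbatim to the log output; logging only the names, `self.logger.info(list(self.headers))`, avoids that. In `setc_webshell` the bound name `proxyError` is never used and the message reads `Connet`; `except requests.exceptions.ProxyError:` with `"Connect to proxy failed : {}"` is cleaner. The readme example writes the proxy as `socks5:127.0.0.1:1081` while the `--proxy` metavar uses `socks5://127.0.0.1:1080`; only the latter is a URL with a netloc, so the readme form presumably would not be parsed as intended by requests and should gain the `//`.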
