feat(tat):support ExecuteCloudVMCommand for tencent

404tk · 404tk · commit 03b9f0e1d0a0 · 2023-09-07T17:28:40.000+08:00
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ Cloud Penetration Testing Toolkit
 |          Providers          |                   Payload                   |                          Supported                           |
 | :-------------------------: | :-----------------------------------------: | :----------------------------------------------------------: |
 |        Alibaba Cloud        | cloudlist<br/>backdoor-user<br/>bucket-dump<br/>event-dump<br/>exec-command | ECS (Elastic Compute Service)<br/>OSS (Object Storage Service)<br/>RAM (Resource Access Management)<br/>RDS (Relational Database Service)<br/>SMS (Short Message Service)<br/>AliDNS |
-|        Tencent Cloud        |         cloudlist<br/>backdoor-user         | CVM (Cloud Virtual Machine)<br/>Lighthouse<br/>COS (Cloud Object Storage)<br/>CAM (Cloud Access Management)<br/>CDB (Cloud DataBase)<br/>DNSPod |
+|        Tencent Cloud        |         cloudlist<br/>backdoor-user<br/>exec-command         | CVM (Cloud Virtual Machine)<br/>Lighthouse<br/>COS (Cloud Object Storage)<br/>CAM (Cloud Access Management)<br/>CDB (Cloud DataBase)<br/>DNSPod |
 |        Huawei Cloud         |         cloudlist<br/>backdoor-user         | ECS (Elastic Cloud Server)<br/>OBS (Object Storage Service)<br/>IAM (Identity and Access Management)<br/>RDS (Relational Database Service) |
 |       Microsoft Azure       |                  cloudlist                  |              Virtual Machines<br/>Blob Storage               |
 |  AWS (Amazon web services)  | cloudlist<br/>backdoor-user<br/>bucket-dump | EC2 (Elastic Compute Cloud)<br/>S3 (Simple Storage Service)<br/>IAM (Identity and Access Management) |
diff --git a/go.mod b/go.mod
@@ -17,14 +17,15 @@ require (
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/billing v1.0.628
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cam v1.0.557
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cdb v1.0.678
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.694
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.743
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cvm v1.0.557
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.694
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/lighthouse v1.0.557
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/mariadb v1.0.678
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/postgres v1.0.678
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sqlserver v1.0.678
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sts v1.0.557
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tat v1.0.743
 	github.com/tencentyun/cos-go-sdk-v5 v0.7.40
 	github.com/tidwall/gjson v1.14.4
 	golang.org/x/oauth2 v0.7.0
diff --git a/pkg/providers/tencent/cvm/instances.go b/pkg/providers/tencent/cvm/instances.go
@@ -3,8 +3,10 @@ package cvm
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"github.com/404tk/cloudtoolkit/pkg/schema"
+	"github.com/404tk/cloudtoolkit/utils"
 	"github.com/404tk/cloudtoolkit/utils/logger"
 	"github.com/404tk/cloudtoolkit/utils/processbar"
 	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
@@ -17,14 +19,24 @@ type Driver struct {
 	Region     string
 }
 
+func (d *Driver) NewClient() (*cvm.Client, error) {
+	cpf := profile.NewClientProfile()
+	region := d.Region
+	if region == "all" || region == "" {
+		region = "ap-guangzhou"
+	}
+	return cvm.NewClient(d.Credential, region, cpf)
+}
+
+var linuxSet = []string{"CentOS", "Ubuntu", "Debian", "OpenSUSE", "SUSE", "CoreOS", "FreeBSD", "Kylin", "UnionTech", "TencentOS", "Other Linux"}
+
 // GetResource returns all the resources in the store for a provider.
 func (d *Driver) GetResource(ctx context.Context) ([]schema.Host, error) {
 	list := schema.NewResources().Hosts
 	logger.Info("Start enumerating CVM ...")
-	cpf := profile.NewClientProfile()
 	var regions []string
 	if d.Region == "all" {
-		client, _ := cvm.NewClient(d.Credential, "ap-guangzhou", cpf)
+		client, _ := d.NewClient()
 		req := cvm.NewDescribeRegionsRequest()
 		resp, err := client.DescribeRegions(req)
 		if err != nil {
@@ -40,7 +52,8 @@ func (d *Driver) GetResource(ctx context.Context) ([]schema.Host, error) {
 	flag := false
 	prevLength := 0
 	for _, r := range regions {
-		client, _ := cvm.NewClient(d.Credential, r, cpf)
+		d.Region = r
+		client, _ := d.NewClient()
 		request := cvm.NewDescribeInstancesRequest()
 		response, err := client.DescribeInstances(request)
 		if err != nil {
@@ -58,11 +71,18 @@ func (d *Driver) GetResource(ctx context.Context) ([]schema.Host, error) {
 			}
 			host := schema.Host{
 				HostName:    *instance.InstanceName,
+				ID:          *instance.InstanceId,
 				PublicIPv4:  ipv4,
 				PrivateIpv4: privateIPv4,
 				Public:      ipv4 != "",
 				Region:      r,
 			}
+			os_name := strings.Split(*instance.OsName, " ")[0]
+			if utils.IsContain(linuxSet, os_name) {
+				host.OSType = "LINUX_UNIX"
+			} else {
+				host.OSType = "WINDOWS"
+			}
 			list = append(list, host)
 		}
 		select {
diff --git a/pkg/providers/tencent/lighthouse/instances.go b/pkg/providers/tencent/lighthouse/instances.go
@@ -17,6 +17,15 @@ type Driver struct {
 	Region     string
 }
 
+func (d *Driver) NewClient() (*lighthouse.Client, error) {
+	cpf := profile.NewClientProfile()
+	region := d.Region
+	if region == "all" || region == "" {
+		region = "ap-guangzhou"
+	}
+	return lighthouse.NewClient(d.Credential, region, cpf)
+}
+
 // GetResource returns all the resources in the store for a provider.
 func (d *Driver) GetResource(ctx context.Context) ([]schema.Host, error) {
 	list := schema.NewResources().Hosts
@@ -26,10 +35,9 @@ func (d *Driver) GetResource(ctx context.Context) ([]schema.Host, error) {
 	default:
 		logger.Info("Start enumerating Lighthouse ...")
 	}
-	cpf := profile.NewClientProfile()
 	var regions []string
 	if d.Region == "all" {
-		client, _ := lighthouse.NewClient(d.Credential, "ap-guangzhou", cpf)
+		client, _ := d.NewClient()
 		req := lighthouse.NewDescribeRegionsRequest()
 		resp, err := client.DescribeRegions(req)
 		if err != nil {
@@ -46,7 +54,8 @@ func (d *Driver) GetResource(ctx context.Context) ([]schema.Host, error) {
 	flag := false
 	prevLength := 0
 	for _, r := range regions {
-		client, _ := lighthouse.NewClient(d.Credential, r, cpf)
+		d.Region = r
+		client, _ := d.NewClient()
 		request := lighthouse.NewDescribeInstancesRequest()
 		response, err := client.DescribeInstances(request)
 		if err != nil {
@@ -64,8 +73,10 @@ func (d *Driver) GetResource(ctx context.Context) ([]schema.Host, error) {
 			}
 			_host := schema.Host{
 				HostName:    *instance.InstanceName,
+				ID:          *instance.InstanceId,
 				PublicIPv4:  ipv4,
 				PrivateIpv4: privateIPv4,
+				OSType:      *instance.PlatformType, // LINUX_UNIX or WINDOWS
 				Public:      ipv4 != "",
 				Region:      r,
 			}
diff --git a/pkg/providers/tencent/tat/exec.go b/pkg/providers/tencent/tat/exec.go
@@ -0,0 +1,72 @@
+package tat
+
+import (
+	"encoding/base64"
+
+	"github.com/404tk/cloudtoolkit/pkg/schema"
+	"github.com/404tk/cloudtoolkit/utils/logger"
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
+	tat "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tat/v20201028"
+)
+
+type Driver struct {
+	Credential *common.Credential
+	Region     string
+}
+
+var CacheHostList []schema.Host
+
+func (d *Driver) RunCommand(instanceId, ostype, cmd string) string {
+	cpf := profile.NewClientProfile()
+	client, _ := tat.NewClient(d.Credential, d.Region, cpf)
+	request := tat.NewRunCommandRequest()
+	switch ostype {
+	case "LINUX_UNIX":
+		request.CommandType = common.StringPtr("SHELL")
+	case "WINDOWS":
+		request.CommandType = common.StringPtr("POWERSHELL")
+	default:
+		logger.Error("Unknown ostype", ostype)
+		return ""
+	}
+	request.Content = common.StringPtr(base64.StdEncoding.EncodeToString([]byte(cmd)))
+	request.InstanceIds = common.StringPtrs([]string{instanceId})
+	response, err := client.RunCommand(request)
+	if err != nil {
+		logger.Error(err)
+		return ""
+	}
+	invid := *response.Response.InvocationId
+	return describeInvocations(client, invid)
+}
+
+func describeInvocations(client *tat.Client, invid string) string {
+	request := tat.NewDescribeInvocationsRequest()
+	request.InvocationIds = common.StringPtrs([]string{invid})
+	response, err := client.DescribeInvocations(request)
+	if err != nil {
+		logger.Error(err)
+		return ""
+	}
+	taskId := *response.Response.InvocationSet[0].InvocationTaskBasicInfoSet[0].InvocationTaskId
+	return describeInvocationTasks(client, taskId)
+}
+
+func describeInvocationTasks(client *tat.Client, taskId string) string {
+	request := tat.NewDescribeInvocationTasksRequest()
+	request.InvocationTaskIds = common.StringPtrs([]string{taskId})
+	request.HideOutput = common.BoolPtr(false)
+	response, err := client.DescribeInvocationTasks(request)
+	if err != nil {
+		logger.Error(err)
+		return ""
+	}
+	output := *response.Response.InvocationTaskSet[0].TaskResult.Output
+	raw, err := base64.StdEncoding.DecodeString(output)
+	if err != nil {
+		logger.Error(output, err)
+		return ""
+	}
+	return string(raw)
+}
diff --git a/pkg/providers/tencent/tencent.go b/pkg/providers/tencent/tencent.go
@@ -2,6 +2,7 @@ package tencent
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/404tk/cloudtoolkit/pkg/providers/tencent/billing"
 	"github.com/404tk/cloudtoolkit/pkg/providers/tencent/cam"
@@ -10,6 +11,7 @@ import (
 	"github.com/404tk/cloudtoolkit/pkg/providers/tencent/cvm"
 	"github.com/404tk/cloudtoolkit/pkg/providers/tencent/dns"
 	"github.com/404tk/cloudtoolkit/pkg/providers/tencent/lighthouse"
+	"github.com/404tk/cloudtoolkit/pkg/providers/tencent/tat"
 	"github.com/404tk/cloudtoolkit/pkg/schema"
 	"github.com/404tk/cloudtoolkit/utils"
 	"github.com/404tk/cloudtoolkit/utils/cache"
@@ -87,6 +89,7 @@ func (p *Provider) Resources(ctx context.Context) (schema.Resources, error) {
 			light := &lighthouse.Driver{Credential: p.credential, Region: p.region}
 			lights, err = light.GetResource(ctx)
 			list.Hosts = append(list.Hosts, lights...)
+			tat.CacheHostList = list.Hosts
 		case "domain":
 			dnsprovider := &dns.Driver{Credential: p.credential}
 			list.Domains, err = dnsprovider.GetDomains(ctx)
@@ -142,4 +145,22 @@ func (p *Provider) BucketDump(ctx context.Context, action, bucketname string) {
 
 func (p *Provider) EventDump(action, sourceIp string) {}
 
-func (p *Provider) ExecuteCloudVMCommand(instanceId, cmd string) {}
+func (p *Provider) ExecuteCloudVMCommand(instanceId, cmd string) {
+	var region, ostype string
+	for _, host := range tat.CacheHostList {
+		if host.ID == instanceId {
+			region = host.Region
+			ostype = host.OSType
+			break
+		}
+	}
+	if region == "" {
+		logger.Error("Run cloudlist first")
+		return
+	}
+	d := tat.Driver{Credential: p.credential, Region: region}
+	output := d.RunCommand(instanceId, ostype, cmd)
+	if output != "" {
+		fmt.Println(output)
+	}
+}
diff --git a/utils/utils.go b/utils/utils.go
@@ -27,6 +27,15 @@ func Md5Encode(s string) string {
 	return fmt.Sprintf("%x", has)
 }
 
+func IsContain(items []string, item string) bool {
+	for _, eachItem := range items {
+		if eachItem == item {
+			return true
+		}
+	}
+	return false
+}
+
 func HttpGet(url string) ([]byte, error) {
 	resp, err := http.Get(url)
 	if err != nil {
