Question about PHP shell commands

CombatWombat · December 22, 2022, 4:23pm

Hello,

I was looking for a PHP shell command and found two different variations of a similar command set, but I’m not entirely sure what the difference is. The top one is from a github site, and GTFOBins has the bottom one. The top one ended up working for what I needed, but I’m curious about exactly how they are different since it seems like GTFOBins only uses the export and getenv commands.

Github:
CMD=“/bin/sh”
sudo php -r “system(‘$CMD’);”

GTFOBins:
export CMD=“/bin/sh”
php -r ‘system(getenv(“CMD”));’

Thanks

Onibi · December 22, 2022, 10:02pm

Maybe I am wrong, but for me it’s exactly the same, it’s just the way you call it. In the both scenario it does the same, it’s just how the variables are defined. You can name CMD variables as you want. In the first case it just defined CMD as a local session variable, and for the second one it creates an environment variable, so I guess it use getenv to call it.

And you could decide to not create a variable and put it straight in it.

Sudo php -r "system('/bin/bash');"