by dibarra 5533 days ago
A common way is just script vulnerabilities, allowing execution of arbitrary code. I work at a popular webhosting company, and I've seen cases where apps will execute PHP code inserted as a spoofed User-Agent, POST data, and other weird places. The idea is that you send a payload that executes on the remote host, GETs your shell from some free webhost or another compromised account, and then saves it on the target machine. At that point, you're set.

mod_security can help for people running Apache, and so will using maintained and up to date scripts.

1 comment

Another is: don't run PHP scripts in the uploads directory [0].

[0] "Pass Non-PHP Requests to PHP." http://wiki.nginx.org/Pitfalls
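One way to apply the uploads-directory advice from the reply above in nginx, shown as an added example that is not part of the thread or of the nginx wiki. The server name, document root, `/uploads/` path and PHP-FPM socket are assumed values.

```nginx
# Added example. server_name, root, /uploads/ and the PHP-FPM socket are assumptions.
server {
    listen 80;
    server_name example.test;
    root /var/www/example;
    index index.php;

    # Risky pattern from the cited pitfall, left commented out: every URI ending in
    # .php is handed to PHP whether or not that file exists. With PHP's
    # cgi.fix_pathinfo enabled, /uploads/photo.jpg/x.php can run photo.jpg as PHP.
    # location ~ \.php$ {
    #     include fastcgi_params;
    #     fastcgi_pass unix:/run/php/php-fpm.sock;
    # }

    # Uploads are static files only. "^~" makes nginx skip the server-level regex
    # locations for this prefix, so the PHP handler below is never reached here.
    location ^~ /uploads/ {
        # Refuse any path under /uploads/ that contains a ".php" segment.
        location ~ \.php(/|$) {
            return 403;
        }
        try_files $uri =404;
    }

    # PHP handler for the application itself.
    location ~ \.php$ {
        # Only pass scripts that actually exist on disk.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After a reload, a request for a `.php` path under `/uploads/` should return 403 and uploaded images should still be served as static files.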