In working on a vulnerable box, I found a field in a database table where one can insert php code. Based on this exploit:
I tried to use this code to make a php webshell:
It fails (results in the white screen of death). However, if I change the single quotes around cmd to double quotes, it works, as here:
Every source I looked at for code for a webshell had single quotes around cmd, no matter which variation it was, and none of them mentioned the possibility of it needing double quotes. Here’s an example of a page that outlines how to do it:
Does anyone know why it only works with the double quotes?
Why do all of the other examples I found show single quotes with no mention of the possibility of needing double quotes?