
PHP Reverse Shell

Obtain a reverse shell with PHP

In my blog post about Netcat, I've briefly mentioned that you may need to use a PHP script to spawn a reverse shell.

What is a reverse shell script?

A reverse shell script is a script that, when run on the target, connects a shell back to a TCP port of your choice. By setting up a listener on that TCP port on your attacking machine, you receive that connection and get a shell on the target, allowing you to execute arbitrary commands.

When would I use such a script?

A PHP reverse shell script is particularly interesting if you discover a website (e.g. a WordPress website) or web application. After gaining access to the website, web application or server - allowing you to upload files - your next move is to try to get a shell on the system. Next steps would include privilege escalation and enumeration.

I'll show some examples on how to easily get a shell with a PHP reverse shell script.

Example 1: Web application

Let's get back to the DVWA we used in the SQL Injection blog post. Download the ISO file and boot the ISO via VirtualBox.

In the screenshot below, we see that the IP address of our Damn Vulnerable Web Application is 192.168.0.137. On your attacking machine, open the browser, surf to that IP address and log in with admin / admin. Don't forget to set your security setting to low via the DVWA Security tab.

Prepare the PHP reverse shell script

First, download the script on your attacking machine from Pentestmonkey. I extracted the file on my Desktop. Next, open and edit the file. You need to match the IP address in the script to your attacking machine, mine is 192.168.0.241. You also need to choose a port, I randomly chose port 4444.

Upload the PHP reverse shell script

In the DVWA, go to the Upload tab in the left column and click Browse...
Now navigate to the PHP script you've just edited and click Upload. You will see red text indicating a successful upload.
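The upload step above is the point a defender controls: DVWA on its low setting accepts the .php file without any checks. As an added example (not code from the original post or from DVWA), here is the validation a hardened upload handler should apply before accepting a file: reject script extensions anywhere in the name, allow only an explicit extension allowlist, verify that the bytes match the declared image type, and refuse content containing a PHP open tag. The function name, the extension lists and the sample inputs are assumptions for illustration.

```python
import re
from pathlib import PurePosixPath

# Added example of server-side upload validation; hypothetical helper, not DVWA code.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Extensions that a PHP-enabled web server will commonly execute (illustrative list).
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# Leading bytes expected for each allowed image type.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def check_upload(filename: str, content: bytes) -> list[str]:
    """Return the list of reasons to reject the file; an empty list means it is acceptable."""
    reasons = []
    name = PurePosixPath(filename).name  # drop any directory component from the client name
    exts = name.lower().split(".")[1:]
    if not exts:
        return ["missing extension"]
    # Look at every extension so that 'shell.php.jpg' and 'shell.jpg.php' are both caught.
    if any(e in SCRIPT_EXTENSIONS for e in exts):
        reasons.append("script extension")
    if exts[-1] not in ALLOWED_EXTENSIONS:
        reasons.append("extension not in allowlist")
    expected = MAGIC.get(exts[-1])
    if expected is not None and not content.startswith(expected):
        reasons.append("content does not match declared image type")
    if PHP_TAG.search(content):
        reasons.append("PHP open tag in content")
    return reasons


if __name__ == "__main__":
    # Constructed samples: a genuine PNG header, the reverse shell script, and a disguised script.
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "php-reverse-shell.php": b"<?php set_time_limit(0); ?>",
        "avatar.jpg": b"<?php echo 1; ?>",
        "shell.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    }
    for fname, data in samples.items():
        print(fname, "->", check_upload(fname, data) or "accepted")
```

Even with these checks, the uploaded file should be stored under a server-generated name, outside the document root or in a directory where script execution is disabled, so that a file that slips through cannot be reached at a predictable URL like the one used in this walkthrough.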

Setup a netcat listener

Before executing the php script, we need to make sure we set up a listener where the script can connect to.

Open your terminal and type:

nc -nlvp 4444
  • nc (run Netcat)
  • -nlvp 4444 (Numeric-only IP addresses, Listen Verbosely on Port 4444)

Execute the script to spawn the shell

Now we have netcat listening, it's time to execute the script. Go back to your DVWA upload page where we saw that the script was uploaded to /hackable/uploads/php-reverse-shell.php. Just add this part to the URL of the web application in your browser to execute the script:

http://192.168.0.137/hackable/uploads/php-reverse-shell.php

Once you load that page, you will see that Netcat connects to a reverse shell:
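From the server side this step leaves a clear trace: a request for a .php file under the upload directory, usually from the same client that sent the upload POST shortly before. The following is an added example, not from the original post, that scans Apache-style access log lines for exactly that pattern and records whether the same client POSTed earlier in the log. The log lines and the /upload path are constructed for the example; /hackable/uploads/ is the path named above.

```python
import re

# Added detection example over constructed access-log lines; not from the original post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_DIRS = ("/hackable/uploads/",)  # directories where uploaded files are served
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)

# Constructed log: the attacker IP from the walkthrough uploads a file, then requests it.
SAMPLE_LOG = """\
192.168.0.241 - - [10/Oct/2016:13:55:36 +0200] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.168.0.241 - - [10/Oct/2016:13:56:01 +0200] "POST /upload HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.0.241 - - [10/Oct/2016:13:56:40 +0200] "GET /hackable/uploads/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Oct/2016:13:57:02 +0200] "GET /hackable/uploads/photo.jpg HTTP/1.1" 200 30211 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def in_upload_dir(path: str) -> bool:
    return any(path.startswith(d) for d in UPLOAD_DIRS)


def find_script_execution(lines):
    """Return one record per request that executes a script from an upload directory.

    Each record also notes whether the same client sent a POST earlier in the log,
    which is the upload-then-execute sequence this walkthrough performs.
    """
    posted = set()
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            posted.add(rec["ip"])
        if in_upload_dir(rec["path"]) and SCRIPT_EXT_RE.search(rec["path"]):
            hits.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "path": rec["path"],
                "status": rec["status"],
                "prior_post": rec["ip"] in posted,
            })
    return hits


if __name__ == "__main__":
    for hit in find_script_execution(SAMPLE_LOG.splitlines()):
        print(hit)
```

The same pattern is easy to express as a rule in a log pipeline or web application firewall; the stronger control is still to disable script execution in the upload directory, which turns the request above into a harmless file download.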

Next, you want to upgrade to an interactive shell by using the following command:

python -c 'import pty;pty.spawn("/bin/bash")'
  • python -c: run the following Python statements from the command line
  • import pty: import the library for pseudo-terminal utilities
  • pty.spawn("/bin/bash"): fork a /bin/bash process attached to a pseudo-terminal

More info on this command