Assume a scenario where we have a PHP RCE bug. The target server's firewall filters all inbound connections to every port except port 80 (HTTP), and we want an interactive shell. This is where a PHP reverse shell helps: it works by creating an outbound connection from the victim to an attacker-controlled server, and an inbound-only filter does nothing to stop that outbound connection.

PHP-reverse-shell

Let's use the PHP reverse shell script from pentestmonkey.net.

How to do it:

  1. The attacker sets the host and port for the reverse connection in the script, then uploads the PHP script to the victim's server.
  2. The attacker listens for the incoming connection.
  3. The attacker accesses the URL of the uploaded PHP script.
  4. The victim (the PHP script) connects back to the attacker's server.
  5. The attacker now has a fully controllable shell on the victim.
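Since the firewall in this scenario only filters inbound traffic, the defensive view is what the web server itself does: pentestmonkey's script spawns `/bin/sh` from the PHP worker process, and that worker holds an outbound TCP socket on an ephemeral port. The following is an added example (not from the original post or from pentestmonkey's script) that flags both patterns in constructed `ps -eo user,pid,ppid,comm` and `ss -ntp` output; the process names, PIDs, ports and addresses are assumed sample values.

```python
import re

# Constructed sample of `ps -eo user,pid,ppid,comm` output (assumption, not real data).
PS_SAMPLE = """\
USER       PID  PPID COMM
root         1     0 systemd
www-data  1201  1100 php-fpm7.4
www-data  1202  1100 php-fpm7.4
www-data  1340  1202 sh
www-data  1341  1340 sh
"""

# Constructed sample of `ss -ntp` output: one normal inbound HTTP client,
# one outbound connection held by a PHP worker (the reverse-shell pattern).
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:80          10.0.0.77:51832    users:(("php-fpm7.4",pid=1201,fd=6))
ESTAB  0      0      10.0.0.5:43122       203.0.113.9:4444   users:(("php-fpm7.4",pid=1202,fd=7))
"""

WEB_WORKERS = {"php-fpm7.4", "php-fpm", "apache2", "httpd", "nginx"}
SHELLS = {"sh", "bash", "dash"}

def parse_ps(text):
    """Map pid -> (user, ppid, comm), skipping the header line."""
    procs = {}
    for line in text.splitlines()[1:]:
        user, pid, ppid, comm = line.split(None, 3)
        procs[int(pid)] = (user, int(ppid), comm)
    return procs

def parse_ss(text):
    """Yield (local_port, peer, {pids}) for each ESTAB line."""
    conns = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 5)
        if len(parts) < 6 or parts[0] != "ESTAB":
            continue
        lport = int(parts[3].rsplit(":", 1)[1])
        pids = {int(p) for p in re.findall(r"pid=(\d+)", parts[5])}
        conns.append((lport, parts[4], pids))
    return conns

def find_reverse_shell_indicators(ps_text, ss_text, served_ports=(80, 443)):
    """Flag shells spawned by web workers and outbound sockets held by them."""
    procs = parse_ps(ps_text)
    findings = []
    for pid, (user, ppid, comm) in procs.items():
        parent = procs.get(ppid)
        if comm in SHELLS and parent and parent[2] in WEB_WORKERS:
            findings.append(f"shell pid {pid} spawned by web worker pid {ppid} ({parent[2]})")
    for lport, peer, pids in parse_ss(ss_text):
        if lport in served_ports:
            continue  # local port is a served port: a normal inbound client
        for pid in pids:
            user, _, comm = procs.get(pid, ("?", 0, "?"))
            if comm in WEB_WORKERS or comm in SHELLS:
                findings.append(f"outbound connection from {comm} pid {pid} ({user}) to {peer}")
    return findings
```

Running `find_reverse_shell_indicators(PS_SAMPLE, SS_SAMPLE)` on the constructed data reports the `sh` child of worker 1202 and that worker's outbound socket, while the inbound connection on port 80 is left alone; an egress rule restricting the web server's user to the ports it legitimately needs would prevent the connection in the first place.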


Using this script, I have updated my exploit for Orangescrum so that it can now be used to spawn a reverse shell.