Rapid7’s 2026 Global Cybersecurity Summit is now available on-demand.Watch sessions.
Rapid7

module

PHP Exec, PHP Command Shell, Find Sock

Disclosed
N/A
Created
May 29, 2025

Description

Execute a PHP payload as an OS command from a Posix-compatible shell.

Spawn a shell on the established connection to
the webserver. Unfortunately, this payload
can leave conspicuous evil-looking entries in the
apache error logs, so it is probably a good idea
to use a bind or reverse shell unless firewalls
prevent them from working. The issue this
payload takes advantage of (CLOEXEC flag not set
on sockets) appears to have been patched on the
Ubuntu version of Apache and may not work on
other Debian-based distributions. Only tested on
Apache but it might work on other web servers
that leak file descriptors to child processes.

Authors

Spencer McIntyre
msutovsky-r7
egypt [email protected]

Platform

Unix

Architectures

cmd

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use payload/cmd/unix/php/shell_findsock
msf payload(shell_findsock) > show actions
...actions...
msf payload(shell_findsock) > set ACTION < action-name >
msf payload(shell_findsock) > show options
...show and set options...
msf payload(shell_findsock) > run

Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.