For Apache environments, drop a .htaccess file inside the upload directory:

Note: This process should only be performed in controlled lab environments, such as Hack The Box, TryHackMe, or authorized corporate network assessments. Step 1: Prepare the Listener

: Save uploaded files in a separate directory and explicitly disable PHP execution within it using an .htaccess configuration:

Because PHP is installed on a vast number of web servers, making it a common vector for remote code execution (RCE) vulnerabilities.

Use the vulnerability on the target application to upload the shell.php file (e.g., via a profile picture upload or plugin installer). Step 3: Trigger the Shell Access the uploaded file via the browser:

Then simply browse to http://target.com/shell.php .

A PHP script containing a set of instructions—usually using functions like shell_exec() —is uploaded to the target web server. Execution:

If you have a way to execute command-line PHP but can't upload a full file, you can use a one-liner:

The server connects out to your machine. Since most firewalls allow outgoing traffic, the connection is established, granting you control. Prerequisites: Setting Up Your Listener