I used the php/meterpreter/reverse tcp and setup my lhost and my lport. Next, I copied the payload and placed it all in <?php payload here ?>.
I setup a server with a page containing the vulnerable php payload and setup a exploit/multi/handler with the same lhost/lport and with the payload: php/meterpreter/reverse tcp.
On the victim computer, ran wget url to payload but there was no shell obtained! Why so? No firewall, attacker is on kali, victim on metasploitable2.