Well I can't work together but I can surely give you some ideas that I have. First off, antivirii are dumb, chaning few streams (with all those IDEs, refactoring is an easy task) and adding/removing some data is enough to bypass most of the AVs I've seen.
Secondly, you know that you should use POST instead of GET so why not research on it? Its just like changing exec($_GET['cmd']); to exec($_POST['cmd']); (again refactoring can be employed here as well). Of course, you have to work on giving easier interface to process POST forms.
Moreover, most of the shells are likely to have the suspicious function calls such as eval(), system(), etc. These can be used to detect the presence of PHP based shells so there exist few methods to bypass such detections.
One idea is to use the php://input, which you can execute using the include() function. The data can be passed as POST data (check
http://php.net/manual/en/wrappers.php.php ). From the PHP manual, php://input is a read-only stream that allows you to read raw data from the request body.
In the case of POST requests, it is preferable to use php://input instead of $HTTP_RAW_POST_DATA as it does not depend on special php.ini directives. Hence you could exploit this feature to create undetectable web shells.
The other possibility is to pass both functions to be executed and argument to the function as the POST data and create the function call on the fly.
Yet other possibility is to hex edit some unsuspicious binary/image/mp3/etc file and insert the PHP backdoor in there. Your PHP script could then read the particular bytes from the binary file on the fly and execute them.
Just my ideas. If you didn't understand any, I am happy to write examples as well
