Never Ending Security


What are web shells – Tutorial

Web Shells

Web shells are small programs or scripts that can be uploaded to a vulnerable server and then opened from the browser to provide a web-based interface for running system commands. They are essentially backdoors that run from the browser. For a given web server, the web shell script must be written in a language that the server supports or runs (PHP, ASP, JSP, etc.). So if it's a PHP web server, you need a PHP web shell.

Web shells run purely over the web, so there is no socket communication as in the case of reverse shells, where the web server has to connect back to a program like netcat on the hacker's machine. Web shells are therefore quick to set up and use. The downside is that they do not have the interactive style of a terminal. Web shells provide a quick GUI interface for common tasks like

1) Travel across directories
2) View files
3) Edit files
4) Download files
5) Delete files
6) Upload files
7) Execute MySQL queries / commands
8) Bypass mod_security
9) Permissions to directories/folders
10) Execute shell commands

Web shells are commonly used with vulnerabilities like arbitrary file upload and remote file inclusion. If a web server suffers from any such vulnerability, all a hacker has to do is upload such a web shell, open it from the browser at the correct path, and get an interface to run arbitrary commands on the system. However, like reverse shells, web shells run with the privileges of the interpreter engine. If it's a PHP web shell, it runs as the same user, with the same privileges, as PHP itself.

Web shells in backtrack

Backtrack includes some web shells for PHP, ASP, JSP, ASPX, Perl and CFM. They can be found in the directory


Kali Linux has them in the following directory


Check out the directory to get the web shell of your choice. Although it has useful web shells, it does not contain the best malicious web shells/backdoors used by hackers.

Here is the code of a very simple PHP web shell.

        <?php
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);   // command taken from the request parameter "cmd"
        system($cmd);                // run it and echo the output back to the browser
        echo "</pre>";
        ?>

The web shell can be run from the browser with a URL like this

The GET parameter cmd contains the command to run on the system. The script runs the command and echoes back the output. GET parameters are not the only way to send commands: commands can be sent through POST data, cookies and even HTTP headers. Here is one that takes its command from the Accept-Language HTTP header.

<?php passthru(getenv("HTTP_ACCEPT_LANGUAGE")); echo '<br> by q1w2e3r4'; ?>

Such a technique is a little stealthier on the server: the command never appears in the requested URL, so it will not show up in ordinary access logs, only in a capture of the full request headers.

Backdoors like these have limitations. Web servers are often configured to disable PHP functions such as system and exec that are used to run system commands (the disable_functions directive in php.ini). In that case the web shell would fail to run the command.
But hackers are always looking for ways to get around such limitations.

Other web shells

There is a web shell called c99 that is much more featureful and is a very popular web shell for PHP. It has plenty of features, like

1. File browsing/upload/delete
2. Execute commands
3. View system details
4. View running processes
5. Run PHP code, etc.

It looks like this


On the welcome page, the top shows the system information, followed by links to utilities and quick links for file browsing. The next section is a file browser and other tools.

The target server might be running firewalls/antivirus programs that can detect such legacy web shells. The detection is based on the MD5 hash of the file. Then you might have to either modify the file to an extent that it goes undetected, or write your own web shell. Again, writing a web shell should not be too difficult, especially in a language like PHP, if you know it well.
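Hash-based detection, as described above, misses any copy of a shell that has been edited, renamed internally or written from scratch. A more robust check on the defender's side looks for the pattern the two shells on this page share: request-controlled input (a superglobal or an HTTP header read via getenv) flowing into a command-execution function. The following Python scanner is an added example, not code from the original post; its sample PHP files are constructed here, and the regex-based taint tracking is deliberately simple (single assignment, no obfuscation handling).

```python
import hashlib
import re

# Sinks: PHP functions that hand a string to the OS shell or evaluate code.
SINK_RE = re.compile(
    r"\b(system|exec|passthru|shell_exec|popen|proc_open|eval)\s*\((.*?)\)\s*(?:;|\?>|$)",
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)
# Sources: request superglobals, and HTTP headers read via getenv("HTTP_...").
SOURCE_PAT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b|getenv\s*\(\s*['\"]HTTP_"
SOURCE_RE = re.compile(SOURCE_PAT, re.IGNORECASE)
# A variable assigned straight from a source, e.g.  $cmd = ($_REQUEST['cmd']);
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*\(?\s*(?:" + SOURCE_PAT + ")", re.IGNORECASE)


def analyze_php(source: str) -> dict:
    """Return the file's MD5 plus every sink whose argument is request-controlled."""
    tainted_vars = {m.group(1) for m in ASSIGN_RE.finditer(source)}
    tainted_sinks = []
    for m in SINK_RE.finditer(source):
        func, arg = m.group(1), m.group(2)
        direct = SOURCE_RE.search(arg) is not None
        via_var = any(re.search(re.escape(v) + r"\b", arg) for v in tainted_vars)
        if direct or via_var:
            tainted_sinks.append(f"{func}({arg.strip()})")
    return {
        "md5": hashlib.md5(source.encode()).hexdigest(),
        "tainted_sinks": tainted_sinks,
        "suspicious": bool(tainted_sinks),
    }


def scan(files: dict) -> dict:
    """Run analyze_php over {filename: php_source} and return {filename: result}."""
    return {name: analyze_php(src) for name, src in files.items()}


# Constructed samples: the two shells from the post, a cosmetically edited copy of
# the first (different MD5, same behaviour), and two benign files that use
# request input or a shell command but never connect the two.
SAMPLES = {
    "get_shell.php": "<?php echo \"<pre>\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"</pre>\"; ?>",
    "get_shell_edited.php": "<?php /* v2 */ $c = ($_REQUEST['cmd']); system($c); ?>",
    "header_shell.php": '<?php passthru(getenv("HTTP_ACCEPT_LANGUAGE")); ?>',
    "greeting.php": '<?php $name = htmlspecialchars($_GET["name"]); echo "Hello $name"; ?>',
    "status.php": '<?php echo shell_exec("uptime"); ?>',
}

if __name__ == "__main__":
    for name, r in scan(SAMPLES).items():
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{name:22} md5={r['md5'][:12]}  {verdict}  {r['tainted_sinks']}")
```

The edited copy has a different hash from the original but is still flagged, while the two benign files are not; a real deployment would walk the web root and feed each .php file to analyze_php.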

There are many other such popular shells. Here is a collection of over 100 of the most popular web shells used so far by hackers all around the world. It contains the c99 shell too.

Download and enjoy!!
