What is a Web Shell?
A malicious script placed on a compromised web server that allows an attacker to execute operating system commands remotely by sending HTTP requests.
A web shell is a script file that an attacker uploads or writes onto a compromised web server, typically written in languages such as PHP, ASP, Python, or Perl. It acts as a backdoor, accepting commands through HTTP GET or POST parameters and executing them on the server's underlying operating system. The output of those commands is then returned in the HTTP response body, often rendered in a simple HTML interface within the attacker's browser. This gives the attacker interactive, remote command-line access without requiring SSH, FTP, or any separate remote-access service.
Once installed, a web shell can be used for a wide range of malicious activities: reading and exfiltrating files (including database credentials and configuration files), uploading additional malware (such as ransomware or keyloggers), pivoting to internal network hosts, and maintaining persistent access even if the original vulnerability is patched. Many web shells are obfuscated to evade signature-based antivirus or web application firewall (WAF) detection. Some, like China Chopper or WSO (Web Shell by oRb), have become well-known families used by advanced persistent threat (APT) groups.
Web shells are a post-exploitation tool. Their presence indicates that a previous vulnerability (such as a file upload flaw, SQL injection, remote file inclusion, or stolen administrative credentials) was already exploited. Detection relies on a combination of file integrity monitoring, behavioral analysis of unusual HTTP requests (especially long POST payloads or cmd parameters), monitoring for unexpected child processes from web server workers, and regular scanning of web-accessible directories. Effective defense requires patching the root vulnerability, changing all secrets, and removing the shell file, which often involves forensic analysis to ensure no additional backdoors remain.
Key facts
- Provides command execution via the web server's HTTP interface, bypassing network firewall restrictions.
- Typically written in server-side interpreted languages like PHP, ASP.NET, Python, or Perl.
- Many variants include password-protected login pages to prevent other attackers or security tools from using them.
- Commonly detected by monitoring for cmd, exec, or eval in HTTP request parameters and for unexpected processes spawned by the web server.
- The 2019 SolarWinds Orion attack used a custom web shell named 'Sunburst' for remote access.
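One way to turn the detection heuristics above (suspicious cmd/exec/eval parameters, and scripts executing from directories that should only hold static uploads) into a scan over web server access logs. This is an added example, not code from the original page; the log lines are constructed, and the UPLOAD_DIRS layout is an assumption to adapt to the application being monitored.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format (Apache/nginx default); one regex group per field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Parameter names commonly used by web shells to carry the command to run.
SUSPECT_PARAMS = {"cmd", "exec", "eval", "command", "shell"}
# Directories that should hold only static uploads, never executable scripts
# (assumed layout; adjust to the application being monitored).
UPLOAD_DIRS = ("/uploads/", "/files/", "/media/")
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp", ".pl", ".py")

def analyse_line(line):
    """Return a finding dict for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparsable line: skip it rather than abort the scan
    parts = urlsplit(m["target"])
    path = parts.path.lower()
    reasons = []
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    hits = SUSPECT_PARAMS & params
    if hits:
        reasons.append("suspect parameter(s): " + ", ".join(sorted(hits)))
    if path.endswith(SCRIPT_EXT) and path.startswith(UPLOAD_DIRS):
        reasons.append("server-side script executed from an upload directory")
    if not reasons:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": parts.path, "reasons": reasons}

def scan_log(text):
    """Run analyse_line over every line of an access log and collect the findings."""
    return [f for f in map(analyse_line, text.splitlines()) if f]

# Constructed sample traffic (not captured from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:01:30 +0000] "GET /uploads/avatar.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:02:01 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 40 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:02:05 +0000] "POST /contact.php HTTP/1.1" 302 0 "https://example.com/contact" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["ip"]} {finding["method"]} {finding["path"]}: {"; ".join(finding["reasons"])}')
```

A hit on the upload-directory rule is worth correlating with file integrity monitoring of that directory, since a legitimate application should never have placed a script there.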