A web shell is a malicious script placed on a web server (PHP, ASPX, JSP, and others) that lets an attacker run commands on the server through a normal web request. It is a backdoor that survives reboots, runs with the web server’s privileges, and reaches the server through ordinary HTTP/HTTPS, so it often passes through firewalls. Attackers plant web shells via file upload flaws, LFI, or other web vulnerabilities. It maps to MITRE T1505.003.
What a web shell is
A web shell is a script that lives in a website’s served files and executes commands sent to it over the web. A request like shell.php?cmd=whoami runs whoami on the server and returns the output in the page.
It is a backdoor that uses the web server itself as the execution engine, so it runs with the server’s privileges, persists as a file on disk, and is reachable through the same ports the site already exposes.
The technique and payload
The attacker gets a script into the web root and calls it:
- A minimal PHP shell: <?php system($_GET["c"]); ?> saved as info.php, then requested as https://site/info.php?c=id.
- Planted via a file upload vulnerability, LFI log poisoning, or a compromised CMS plugin.
- Real-world web shells add authentication, file management, and obfuscation to evade detection.
From there the attacker runs commands, pivots, and escalates. Documented for defensive context.
How to defend
- Fix the entry points: validate file uploads, patch web apps and plugins, and prevent LFI.
- Make the web root read-only and store uploads outside it, so a script cannot be written or executed there.
- Run file integrity monitoring on web directories to catch new or changed scripts.
- Detect anomalies: scripts in upload folders, web processes spawning shells, odd outbound traffic.
- Run the web server with least privilege to limit a shell’s reach.
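As an added example (not code from the original page), the following Python hunter combines the file-integrity and anomaly bullets above: it hashes the web root against a baseline and flags new or modified scripts that either sit under an uploads directory or route request input straight into a PHP exec sink. The uploads/ directory name, the sink list, the file extensions and the constructed sample files are assumptions for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# PHP code-execution sinks fed straight from request input (heuristic, not exhaustive).
SHELL_PATTERN = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
                           r"\s*\(.*\$_(GET|POST|REQUEST|COOKIE)", re.DOTALL)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".aspx", ".jsp")

def build_baseline(root):
    """Return {relative path: sha256} for every file under root (the FIM snapshot)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                baseline[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline

def looks_like_web_shell(content, rel_path):
    """Suspect: request input reaching an exec sink, or any script under uploads/."""
    in_uploads = rel_path.replace("\\", "/").split("/")[0] == "uploads"
    return rel_path.lower().endswith(SCRIPT_EXT) and (
        in_uploads or SHELL_PATTERN.search(content) is not None)

def hunt(root, baseline):
    """Re-hash the web root; return new or modified files that look like web shells."""
    hits = []
    for rel, digest in sorted(build_baseline(root).items()):
        if baseline.get(rel) == digest:
            continue  # unchanged since the baseline snapshot
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            if looks_like_web_shell(fh.read(), rel):
                hits.append(rel)
    return hits

def _write(root, rel, text):
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text)

def demo():
    """Constructed web root: baseline a clean site, then drop the page's one-liner."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    _write(root, "index.php", "<?php echo 'hello'; ?>")
    baseline = build_baseline(root)
    _write(root, "info.php", '<?php system($_GET["c"]); ?>')  # the shell from the page
    _write(root, os.path.join("uploads", "avatar.png"), "not a script")  # benign upload
    return hunt(root, baseline)
```

The content heuristic is deliberately simple and will miss obfuscated shells; in practice the baseline diff is the stronger signal, since a legitimate deployment should explain every changed script.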