DEV Community

Hawkinsdev

Understanding Web Shell Attacks

Web shell attacks are a common technique used by attackers to maintain control of compromised web servers. While most attention goes to the vulnerability that provides initial access, a web shell is typically deployed after the breach to establish persistent control.

For developers and system administrators, understanding how web shells work is essential for detecting and preventing long-term server compromise.

In this article, we'll cover:

What a web shell is
How web shell attacks work
Common web shell examples
How attackers use compromised servers
How to defend against web shell attacks

What Is a Web Shell?

A web shell is a malicious script uploaded to a web server that allows attackers to control the server remotely through a web browser.

Once installed, it acts like a backdoor that lets attackers execute commands, manipulate files, and interact with the system as if they had shell access.

Typical characteristics:

Uploaded to the web server
Accessible through a URL
Executes system commands
Provides remote control capabilities

Web shells are usually written in languages supported by the server, such as:

PHP
ASP / ASP.NET
JSP
Python
Perl

Because they are just small scripts, they can be difficult to detect.


A Simple Example of a Web Shell

A minimal PHP web shell might look like this:

<?php
system($_GET['cmd']);
?>

Once uploaded to the server:

http://example.com/shell.php?cmd=whoami

The server executes the command and returns the output.

This allows attackers to run arbitrary commands remotely.


How Web Shell Attacks Work

A web shell attack typically follows several stages.

1. Find vulnerability
2. Upload web shell
3. Execute commands
4. Maintain persistence

Step 1 — Initial Exploitation

Attackers first exploit a vulnerability such as:

file upload vulnerability
remote file inclusion
SQL injection
weak admin credentials

These vulnerabilities allow attackers to place files on the server.


Step 2 — Upload the Web Shell

Once a vulnerability is found, the attacker uploads a malicious script to the web directory.

Example locations:

/uploads/shell.php
/images/cmd.php
/tmp/backdoor.php

The file may be disguised as something harmless:

image.php
error.php
config_backup.php

Step 3 — Remote Command Execution

The attacker then accesses the shell using a browser.

Example:

shell.php?cmd=ls
shell.php?cmd=cat /etc/passwd
shell.php?cmd=whoami

The web shell executes system commands and returns the output.

This effectively turns the web server into a remote command interface.


What Attackers Do After Installing a Web Shell

Once a web shell is installed, attackers can perform many malicious actions.

Common activities include:

stealing database credentials
downloading sensitive files
uploading malware
creating new admin accounts
running network scans

In many incidents, web shells are used to maintain persistent access to compromised systems.

They may also allow attackers to:

launch DDoS attacks
host phishing pages
spread malware
pivot into internal networks

Because commands are executed through normal HTTP requests, this activity can blend into regular web traffic.


Common Web Shell Families

Many well-known web shells exist in the wild.

Examples include:

China Chopper
WSO Web Shell
C99 Shell
R57 Shell
Godzilla Web Shell

Some of these tools provide full graphical interfaces in the browser, allowing attackers to manage files and run commands easily.


Why Web Shells Are Hard to Detect

Web shells are often difficult to identify for several reasons.

Small script files
Hidden inside legitimate directories
Obfuscated code
Use of normal HTTP traffic

Attackers may also:

rename the file frequently
encode payloads
hide commands in POST requests

Because of this, compromised servers can remain infected for long periods.


How to Prevent Web Shell Attacks

Preventing web shells requires multiple layers of defense.


1. Patch Vulnerabilities

Most web shells are installed after exploiting known vulnerabilities.

Best practices:

update CMS systems
patch web frameworks
upgrade server software
remove unused plugins

2. Secure File Uploads

File upload functionality is a common attack vector.

Important protections:

restrict file types
rename uploaded files
store uploads outside web root
scan uploaded files

Never allow executable scripts to be uploaded.
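The protections listed above can be combined in one upload handler. The following is an added example written for this article, not code from the original post: it assumes an application that only accepts images, checks the declared extension against an allowlist, rejects any script extension anywhere in the name (so shell.php.png is refused), verifies the file's leading bytes against the declared type, and then stores the file under a random server-chosen name, without execute permission, in a directory that is assumed to sit outside the web root. Sample inputs are constructed.

```python
import os
import secrets
import tempfile

# Allowlist: permitted extension -> magic bytes the content must start with.
# Assumption for this example: the application accepts images only.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions that are refused wherever they appear in the name, including
# as a "middle" extension such as image.php.png.
SCRIPT_EXTENSIONS = {
    "php", "phtml", "php3", "php5", "php7", "phar",
    "asp", "aspx", "jsp", "jspx", "cgi", "pl", "py", "sh",
}

# Constructed samples: a minimal PNG header with padding, and a PHP script.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'hello'; ?>"


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says why."""


def validate_upload(original_name: str, data: bytes) -> str:
    """Return the canonical extension for an acceptable upload, else raise UploadRejected."""
    # Drop any directory part the client sent (../../var/www/html/x.png -> x.png).
    base = os.path.basename(original_name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        # No extension, or a dotfile such as .htaccess: both refused.
        raise UploadRejected("missing extension or dotfile name")
    # Every dotted component after the first is checked, not only the last one.
    for part in parts[1:]:
        if part in SCRIPT_EXTENSIONS:
            raise UploadRejected(f"script extension not permitted: .{part}")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not in allowlist: .{ext}")
    # The bytes must actually look like the declared type, not just the name.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("file content does not match declared type")
    return "jpg" if ext == "jpeg" else ext


def check_upload(original_name: str, data: bytes) -> tuple[bool, str]:
    """Convenience wrapper: (accepted, extension-or-reason)."""
    try:
        return True, validate_upload(original_name, data)
    except UploadRejected as exc:
        return False, str(exc)


def store_upload(original_name: str, data: bytes, storage_dir: str) -> str:
    """Validate, then write under a random name in storage_dir (assumed outside the web root)."""
    ext = validate_upload(original_name, data)
    # The attacker never controls the stored filename.
    new_name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(storage_dir, new_name)
    # O_EXCL: never overwrite an existing file; mode 0o600: owner read/write, no execute.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo_store() -> dict:
    """Store a constructed PNG in a temporary directory standing in for the upload store."""
    with tempfile.TemporaryDirectory() as storage:
        path = store_upload("holiday photo.png", PNG_SAMPLE, storage)
        name = os.path.basename(path)
        with open(path, "rb") as f:
            size = len(f.read())
    return {
        "stored_ext": name.rsplit(".", 1)[1],
        "name_is_random": "holiday" not in name,
        "size": size,
    }


if __name__ == "__main__":
    for name, data in [("photo.PNG", PNG_SAMPLE), ("shell.php", PHP_SAMPLE),
                       ("image.php.png", PNG_SAMPLE), ("fake.png", PHP_SAMPLE)]:
        print(name, check_upload(name, data))
    print(demo_store())
```

Serving the stored files through a download handler that sets the content type from the validated extension, rather than letting the web server execute anything in the storage directory, completes the picture: even if a check is bypassed, a file the server will not interpret as code cannot become a web shell.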


3. Monitor Server Files

File integrity monitoring can detect suspicious changes.

Look for:

new PHP files in upload folders
unexpected file modifications
unknown scripts in web directories

Regular audits can reveal hidden backdoors.
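A minimal file integrity check looks like the following. This is an added example written for this article, not code from the original post: it hashes every file under a web root, compares a later snapshot against the baseline, and ranks each change by whether it is a script and whether it sits in an upload directory (the directory names are assumptions). It also runs two content heuristics over changed files, looking for command execution or eval fed from request data and for eval of an encoded payload; these are triage leads rather than proof, since legitimate code can match. The web root and its changes are constructed in a temporary directory.

```python
import hashlib
import os
import re
import tempfile

# Script extensions whose appearance or modification deserves attention.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|asp|aspx|jsp|jspx|cgi|pl|py|sh)$", re.IGNORECASE)

# Content heuristics (bytes patterns). Both produce false positives on some
# legitimate code, so hits are leads for manual review, not verdicts.
CONTENT_PATTERNS = [
    ("request-driven command execution", re.compile(
        rb"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(\s*.*\$_(GET|POST|REQUEST|COOKIE)",
        re.IGNORECASE)),
    ("eval of encoded payload", re.compile(
        rb"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.IGNORECASE)),
]

# Assumed upload directories (top-level, relative to the web root).
UPLOAD_DIRS = ("uploads", "images", "tmp")


def snapshot(root: str) -> dict:
    """Map each file's path relative to root to its SHA-256 hex digest."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[os.path.relpath(full, root).replace("\\", "/")] = h.hexdigest()
    return result


def diff_snapshots(baseline: dict, current: dict) -> list:
    """List added/removed/modified files, with a severity based on type and location."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            change = "added"
        elif rel not in current:
            change = "removed"
        elif baseline[rel] != current[rel]:
            change = "modified"
        else:
            continue
        severity = "info"
        if change != "removed" and SCRIPT_EXT.search(rel):
            # A script appearing in an upload folder is the classic web shell footprint.
            severity = "high" if rel.split("/")[0] in UPLOAD_DIRS else "medium"
        findings.append({"path": rel, "change": change, "severity": severity})
    return findings


def scan_content(path: str) -> list:
    """Return the labels of every content heuristic that matches the file."""
    with open(path, "rb") as f:
        data = f.read()
    return [label for label, pat in CONTENT_PATTERNS if pat.search(data)]


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed web root: take a baseline, apply changes, and report what the check finds."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", b"<?php echo 'hello'; ?>")
        _write(root, "includes/config.php", b"<?php $db = 'app'; ?>\n")
        _write(root, "uploads/avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        baseline = snapshot(root)
        # Constructed changes: a script dropped in the upload folder, an existing
        # include file modified to evaluate encoded request data, and a benign image.
        _write(root, "uploads/image.php", b"<?php system($_GET['cmd']); ?>")
        _write(root, "includes/config.php",
               b"<?php $db = 'app'; ?>\n<?php eval(base64_decode($_POST['k'])); ?>\n")
        _write(root, "uploads/photo2.png", b"\x89PNG\r\n\x1a\n" + b"\x01" * 8)
        findings = diff_snapshots(baseline, snapshot(root))
        content = {f["path"]: scan_content(os.path.join(root, f["path"]))
                   for f in findings if f["severity"] != "info"}
    return {"findings": findings, "content": content}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice the baseline would be stored off-host (or signed) and the comparison scheduled, so that an attacker who can modify the web root cannot also quietly rewrite the baseline.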


4. Analyze Access Logs

Because every web shell command arrives as an ordinary HTTP request, the commands usually leave a trace in the web server's access logs.

Example suspicious requests:

shell.php?cmd=
cmd.php?exec=
system.php?run=

Monitoring unusual request patterns can help identify active shells.
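The following is an added example written for this article, not code from the original post: it parses Apache/nginx combined-format access log lines, flags requests that carry the parameter names shown above or that execute a script from an upload directory (the parameter names and directory list are assumptions), and totals flagged requests per client address. The log lines are constructed and use documentation IP ranges.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Parameter names commonly used as the command channel of a simple web shell (assumption).
SUSPICIOUS_PARAMS = {"cmd", "exec", "run", "command"}
# Directories that should only ever serve static content (assumption).
UPLOAD_DIRS = ("/uploads/", "/images/", "/tmp/", "/files/")
SCRIPT_RE = re.compile(r"\.(php\d?|phtml|phar|asp|aspx|jsp)$", re.IGNORECASE)

# Constructed sample log: ordinary browsing, then one client driving a script in /uploads/.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /images/logo.png HTTP/1.1" 200 884 "http://example.com/index.php" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:01:13 +0000] "GET /uploads/image.php?cmd=whoami HTTP/1.1" 200 42 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Mar/2024:10:01:20 +0000] "GET /uploads/image.php?cmd=ls HTTP/1.1" 200 1337 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Mar/2024:10:02:05 +0000] "POST /uploads/image.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Mar/2024:10:03:00 +0000] "GET /search.php?q=web+shell HTTP/1.1" 200 3010 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]


def parse_line(line: str):
    """Return a dict of fields (plus parsed path and query params), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec: dict) -> list:
    """Return the reasons a request looks like web shell traffic (empty list if none)."""
    reasons = []
    bad = SUSPICIOUS_PARAMS & set(rec["params"])
    if bad:
        reasons.append("suspicious parameter " + ",".join(sorted(bad)))
    # A script running from a directory meant for static uploads is a strong signal,
    # and it also catches command channels hidden in POST bodies that never hit the log.
    if SCRIPT_RE.search(rec["path"]) and rec["path"].startswith(UPLOAD_DIRS):
        reasons.append("script executed from upload directory")
    return reasons


def analyze(lines) -> dict:
    """Scan log lines; return flagged requests, per-IP totals, and the count of unparseable lines."""
    flagged, by_ip, skipped = [], Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        reasons = classify(rec)
        if reasons:
            flagged.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                            "path": rec["path"], "reasons": reasons})
            by_ip[rec["ip"]] += 1
    return {"flagged": flagged, "by_ip": dict(by_ip), "skipped": skipped}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for hit in report["flagged"]:
        print(hit["ip"], hit["method"], hit["path"], "->", "; ".join(hit["reasons"]))
    print("flagged per client:", report["by_ip"], "unparseable lines:", report["skipped"])
```

Note the limits of log review on its own: a command sent in a POST body never appears in the access log, so the third flagged request is caught only because of where the script lives, not because of what it was told to do. That is why this check pairs naturally with file integrity monitoring of the same directories.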


5. Use a Web Application Firewall

Many web shell attacks start with automated exploitation attempts.

A Web Application Firewall (WAF) can help detect and block:

file upload exploits
command injection
malicious payloads
scanner traffic

This reduces the chance of attackers successfully uploading a web shell in the first place.

Projects like SafeLine WAF can analyze incoming traffic, detect exploitation attempts, and block malicious requests before they reach the application.


Final Thoughts

Web shells are one of the most common persistence techniques used in web server compromises.

Once installed, they give attackers powerful capabilities:

remote command execution
file management
data theft
long-term server access

The most effective defense strategy is defense in depth:

secure coding
patch management
file monitoring
access log analysis
WAF protection

Understanding how web shell attacks work is the first step toward building more secure web infrastructure.
