Web Shells — Persistent Website Backdoors
A web shell is a script placed on a web server that gives an attacker persistent remote access to that server; once it is there, every later command arrives as an ordinary HTTP request.
How Web Shells Get Uploaded
- 🔴 Unrestricted file upload vulnerability
- 🔴 SQL injection → write file to disk
- 🔴 Remote code execution (RCE) vulnerability
- 🔴 Compromised admin credentials
Types of Web Shells
Simple PHP Shell
<?php
// Access: http://target/shell.php?cmd=whoami
// The value of the cmd parameter is run as an OS command and its output returned in the response.
echo shell_exec($_GET['cmd']);
?>
Advanced Web Shell (C99/B374K)
- File manager (upload/download/edit files)
- Database manager (read/modify databases)
- Command execution
- Network tools (port scan, reverse shell)
- Self-destruct capability
What Attackers Do with Web Shells
- 💰 Steal customer data and credit cards
- 💰 Inject cryptocurrency miners
- 💰 Use server for phishing campaigns
- 💰 Redirect traffic to malware
- 💰 Pivot to internal network
Detection
# Find PHP files modified in the last 7 days (a shell dropped this week shows up here)
find /var/www -name "*.php" -mtime -7
# List PHP files that call command-execution functions; review each hit, since legitimate code uses these too
grep -rlE "(system|exec|passthru|shell_exec)[[:space:]]*\(" --include="*.php" /var/www/
# Scan the web root with an antimalware engine
clamscan -r /var/www/
Prevention
- Validate and restrict file uploads
- Use WAF (Web Application Firewall)
- File integrity monitoring
- Principle of least privilege
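The first prevention bullet, validating and restricting uploads, is where most web shells are stopped. The following is an added example, not code from the original page, showing a framework-agnostic upload handler in Python: it allows only a few image types, requires the file's leading bytes to match the type its extension claims, rejects names with more than one extension or with path characters, assigns a random server-chosen filename, and writes the file with `O_EXCL` and mode 0600 into a storage directory that is assumed to sit outside the web root so the server will never execute it. The sample uploads are constructed byte strings.

```python
"""Hardened upload validation (added example, not the page's code)."""
import os
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Extension the client may claim -> extension we store under.
ALLOWED_EXT = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}
# File signatures the content must start with for each stored type.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 2 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails a check."""


def detect_type(data: bytes) -> Optional[str]:
    """Return the stored type whose magic bytes the content starts with, else None."""
    for ext, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_upload(original_name: str, data: bytes) -> str:
    """Return the extension to store the file under, or raise UploadRejected."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or too large")
    if any(ch in original_name for ch in ("\x00", "/", "\\")):
        raise UploadRejected("illegal characters in filename")
    parts = original_name.lower().split(".")
    # Exactly one extension, and it must be on the allowlist.
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed")
    claimed = ALLOWED_EXT[parts[1]]
    if detect_type(data) != claimed:
        raise UploadRejected("content does not match extension")
    return claimed


def store_upload(original_name: str, data: bytes, storage_dir: Path) -> Path:
    """Validate, then write under a random name; never reuse the client's filename."""
    ext = validate_upload(original_name, data)
    dest = storage_dir / f"{secrets.token_hex(16)}.{ext}"
    # O_EXCL refuses to overwrite an existing file; 0o600 keeps other local users out.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


# Constructed uploads: a valid PNG, the page's one-line shell, a PHP file renamed
# to .jpg, and an oversized file.
SAMPLES = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "shell.php": b"<?php echo shell_exec($_GET['cmd']); ?>",
    "photo.jpg": b"<?php echo 1; ?>",
    "huge.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * MAX_BYTES,
}


def demo() -> dict[str, str]:
    """Run each sample through store_upload and report the outcome per filename."""
    storage = Path(tempfile.mkdtemp(prefix="uploads-"))  # stands in for a dir outside the web root
    results = {}
    for name, data in SAMPLES.items():
        try:
            dest = store_upload(name, data, storage)
            results[name] = f"stored as {dest.name}"
        except UploadRejected as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Only `avatar.png` is written, and under a name the client never chose. The magic-byte check is what catches `photo.jpg`, which would pass an extension-only filter; the random filename and out-of-webroot storage mean that even a file that slipped through could not be reached as a URL and executed. Serve stored files through a handler that sets the content type explicitly rather than by exposing the storage directory.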