What is a web shell?

A web shell is a malicious script that allows an attacker to remotely access the target system via a command line. However, the web shell is not suitable for the first stage of the attack. The web shell is only used when the web application/server is already compromised.

Thus, once an attacker gains access to a web application/server, be it through SQL injection, remote file inclusion, a social engineering attack, or other attack methods, they upload a suitable shell to ensure long-term access.

A web shell is a special type of shell that uses the browser to interact with the shell. As long as the web shell remains undetected on the server, an attacker can always connect to the system. Besides web shells, there are other types of shells.

Web shells are used to target individual servers, which are the weak point of the entire infrastructure in many companies, especially without ongoing support from an IT security expert.

To understand how a web shell works, you need a little basic knowledge. Web applications are developed in so-called scripting languages such as Python or PHP. Vulnerabilities in these applications could allow arbitrary code execution.

If cybercriminals discover a corresponding vulnerability, they can exploit it and try to take over the entire server. This works by installing what is called a web shell on the web server.

A web shell is a virtual command line. It allows access to files within the application and the execution of system commands. In short: all the permissions that the web server has, the web shell also has.

And it is this fact that makes attacks extremely dangerous. This can be seen, for example, in the case of an Exchange security vulnerability that is classified as critical.

Difficult to detect

Just a few years ago, web shells were simple HTML forms. They sent commands to the web server, which executed them. Today it looks different.

Web shells have evolved into modular kits that typically consist of two components: a control unit on the attacker's computer and a code component on the server. The control commands are heavily encrypted, so the control traffic itself is disguised.

There are even kits in which all malicious code is re-encoded and reloaded after each successfully executed command. This is where IDS and WAF reach their limits.

However, other versions can be quickly identified because they are written in a different programming language than the rest of the code. As always, this form of attack is a game of cat and mouse. The more cybercriminals' techniques evolve, the better the corresponding security software becomes.


Bind Shell: A listener is launched on the target host and the attacker connects to it to launch a remote shell. The problems with the Bind Shell are that anyone can connect to it, and there is a possibility that the target host has a firewall in front of it that does not allow the connection.

Reverse-Shell: In Reverse-Shell, a listener runs on the attacker's machine and the target host connects back to the attacker. This fixes the problems mentioned with the Bind Shell. On the other hand, the target host must have the attacker's IP address, otherwise the connection cannot be established.

Double Reverse-Shell: This is a reverse shell that separates the standard input and output channels. Thus, the attacker creates two connections on the same port.

Encrypted Shell: Unlike the other shells presented, the Encrypted Shell is the only one in which the communication remains hidden, so it is impossible to understand what the attacker is planning. Encryption works with Bind Shell or Reverse-Shell using SSL/TLS.

Meterpreter: This is a payload specifically designed for the Metasploit Framework that provides many useful features such as migration to another process on the target system. Meterpreter places great importance on not being detected. Therefore, apart from the stager, nothing is written to the hard disk; the shell lives only in main memory. Additionally, existing processes are compromised rather than new ones created, which can often prevent alarms from being triggered.

The web shell, like the Bind Shell, is accessible to third parties unless it is protected from this by authentication in the form of a password, a special HTTP header, or other parameters.


Technologically, the web shell must be suitable for the desired host. The type of web server and associated technologies should be determined during the reconnaissance phase.

Web shells written in PHP are very popular and often used, both because PHP itself is widely used and because common content management systems are written in PHP.

Further limitations are related to the size of the shell, as it is sometimes impossible to load a web shell with full functionality. That is, a minimal shell is used first and the more extensive shell is loaded in the next step.

Web shells: always well disguised.

The underlying threat, hidden in an existing code file or in a separate file of its own, is often not even detected. To minimize the dangers associated with this, there are some measures that site and service operators should take regularly:

Permission assignment. What should apply to web servers also applies to other mission-critical applications. The risk of attack can be minimized by fine-grained permission allocation and separation of read and write permissions.

Web Application Firewalls (WAF). They analyze HTTP calls and only allow them if they conform to the protocol standard. If this is not the case, the firewall blocks access and thus prevents undetected injection of malicious code. Here too, proper firewall management is the basis for long-term security.

Installing audit (revision) software. Such a tool is able to identify files that have been modified.

Regular user behavior analysis (UEBA).

Patch management. All components, from the server to the scripting language, must always be up to date. As soon as security holes become known, developers provide appropriate updates as quickly as possible. Tip: Leave patch management in the experienced hands of our Mainton experts.

Implementation of an intrusion detection system. Detection is based on pattern recognition, identifies relevant gaps and immediately raises an alarm if they are misused for attacks.
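
The file-modification check from the revision software item above, as an added example that is not part of the original article: a SHA-256 baseline of a web root is compared with its current state, and new or changed files with script extensions are flagged. The function names, the extension list and the sample directory are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: extensions a web server might execute; adjust to the stack in use.
SCRIPT_EXTS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".py", ".cgi"}

def build_manifest(web_root):
    """Map each file's path (relative to web_root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # do not follow links out of the web root
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, web_root)] = digest.hexdigest()
    return manifest

def compare(baseline, current):
    """Return added, modified and removed paths, plus those with script extensions."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    suspicious = [p for p in added + modified
                  if os.path.splitext(p)[1].lower() in SCRIPT_EXTS]
    return {"added": added, "modified": modified, "removed": removed, "suspicious": suspicious}

def demo():
    """Constructed sample: a tiny web root changed after the baseline was taken."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        for rel, body in {"index.php": b"<?php echo 'home';", "style.css": b"body{}",
                          os.path.join("uploads", "logo.png"): b"\x89PNG"}.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = build_manifest(root)
        # Simulated post-baseline changes: one edited page, one new script in uploads/.
        with open(os.path.join(root, "index.php"), "ab") as fh:
            fh.write(b"\n// appended line")
        with open(os.path.join(root, "uploads", "img.php"), "wb") as fh:
            fh.write(b"placeholder")
        os.remove(os.path.join(root, "style.css"))
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

The baseline manifest has to be stored where the web server account cannot write to it, otherwise the comparison itself can be tampered with.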


The web shell is a very useful tool in the post-exploitation phase, allowing you to maintain constant access to the host without having to re-apply the exploit each time. To prevent access by third parties, it is recommended to use one of the described authentication methods.

Do you have questions or need relevant support? Just contact our experts at Mainton. We guarantee that your company will be maximally protected from all possible attacks.

Mainton Company - custom software development and testing, SEO and online advertising since 2004.