Web-Shells - An Overview


An Overview

Ralph Meier
by Ralph Meier
on January 07, 2021
time to read: 7 minutes


This is how to use Web-Shell

  • Shells are malicious scripts for remote access via command line
  • Attackers interact with their web shells via the browser
  • The web shell must fit the target host in terms of size and technology
  • To avoid third-party access, web shells should have authentication

Already as a small boy I was fascinated by shells of all kinds. I could spend hours on the beach looking for the most beautiful shell. I never would have thought that this would also grab me again later as an adult, even if in a slightly different way. But now I sit here and look for the right shell for my current target.

A command shell is a malicious script that allows an attacker to remotely access the target system as a command line. However, a shell is not suitable for the first attack step, but is only used if a web application/server has already been compromised. So once the attacker has access to the web application/server, be it through an SQL injection, remote file inclusion, social engineering attack or other attack techniques, he uploads a suitable shell to gain long-term access. A web shell is a special type of shell that uses the browser to interact with the shell. As long as a web shell remains undetected on the server, the attacker can always connect to the system. Besides web shells, there are other types of shells.

Overview of Different Shells

Überblick Web-Shells

A web shell, like a bind shell, is accessible to third parties, unless it is protected by authentication in the form of a password, a special HTTP header or other parameters.

How to find a suitable Web-Shell?

Technologically, the web shell must fit on the desired host. The type of web server and the appropriate technologies must be determined in the reconaissance phase. PHP web shells are very popular and accordingly frequently used because PHP itself is widely spread and because the common content management systems are also written in PHP. Further limitations exist in the size of the shell, as it is sometimes not possible to upload a web shell with full functionality. In this case you should rather use a minimal shell and in a next step upload a more extensive shell.

Some Examples

First practical experience

To gain first practical experience with shells, we recommend the Metasploit Framework. Rapid7 also offers a suitable environment to improve your skills in this area: The Metasploitable VM is available for download.

Other recent Pentesting Frameworks

The Metasploit framework has been around for several years, and the manufacturers of anti-virus software have reacted accordingly. They detect attacks with Metasploit very often. Here are some other current frameworks that are worth knowing:


A web shell is a very useful tool in the post exploitation phase to maintain permanent access to a host without having to apply an exploit each time. To prevent access by third parties, it is recommended to use one of the described authentication methods.

About the Author

Ralph Meier

Ralph Meier completed an apprenticeship as an application developer, with a focus on web development with Java, at a major Swiss bank and then completed a Bachelor of Science in Computer Science UAS Zurich at the ZHAW School of Engineering. His primary task is doing security-related analysis of web applications and services.


You want to test the security of your firewall?

Our experts will get in contact with you!

Online Tracking

Online Tracking

Ralph Meier

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here