Learning Exercise

Web Shell PHP

Web shells exist for almost every web programming language you can think of. We chose to focus on PHP because it is the most widely used programming language on the web.

PHP web shells do nothing more than use built-in PHP functions to execute commands. The following are some of the most common functions used to execute shell commands in PHP.


The system() function accepts the command as a parameter and outputs the result.

The following example, run on a Microsoft Windows machine, uses the dir command to return a listing of the directory in which the PHP file is executing.

// Return the listing of the directory in which the file runs (Windows)
system("dir");

--> Volume in drive C has no label.
Volume Serial Number is A08E-9C63

Directory of C:\webserver\www\demo

04/27/2016 10:21 PM <DIR> .
04/27/2016 10:21 PM <DIR> ..
04/27/2016 10:19 PM 22 shell.php
1 File(s) 22 bytes
2 Dir(s) 31,977,467,904 bytes free

Executing the ls command on a Linux machine achieves a similar result.

// Return the listing of the directory in which the file runs (Linux)
system("ls -la");

--> total 12
drwxrwxr-x 2 secuser secuser 4096 Apr 27 20:43 .
drwxr-xr-x 6 secuser secuser 4096 Apr 27 20:40 ..
-rw-rw-r-- 1 secuser secuser 26 Apr 27 20:41 shell.php

Other commands have the same effect.
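
A defender-side check for the pattern described above, as an added example (not code from the original page): a small Python scanner that reports calls to PHP command-execution built-ins in a source file, ignoring names that appear only in comments, strings, HTML or method calls. The function list beyond system(), the helper names and the sample files are assumptions constructed for illustration.

```python
import re

# PHP built-ins that run operating-system commands. system() is the one the
# page demonstrates; the rest are standard PHP functions with the same ability.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")

# Text outside <?php ... ?> is plain HTML and is never executed by PHP.
_OUTSIDE_PHP = re.compile(r"(?:\A|\?>).*?(?:<\?(?:php|=)?|\Z)", re.S | re.I)
# Comments and string literals: a function name inside them is not a call.
_COMMENT_OR_STRING = re.compile(
    r'''//[^\n]*|#[^\n]*|/\*.*?\*/|'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"''', re.S)
# A bare call such as system( or \system(, but not $obj->system(, Foo::system(,
# my_system( or a namespaced Foo\system(. PHP function names are case-insensitive.
_CALL = re.compile(
    r"(?<![\w$>:\\])\\?(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.I)


def _blank(match):
    """Replace matched text with spaces, keeping newlines so line numbers hold."""
    return re.sub(r"[^\n]", " ", match.group(0))


def find_exec_calls(php_source):
    """Return [(line_number, function_name), ...] for command-execution calls."""
    code = _OUTSIDE_PHP.sub(_blank, php_source)
    code = _COMMENT_OR_STRING.sub(_blank, code)
    return [(code.count("\n", 0, m.start()) + 1, m.group(1).lower())
            for m in _CALL.finditer(code)]


# Constructed samples. SHELL_PHP mirrors the Linux example above.
SHELL_PHP = '<?php\n// Return the directory listing (Linux)\nsystem("ls -la");\n?>\n'
BENIGN_PHP = (
    "<p>Don't run system(\"x\") here</p>\n"
    "<?php\n"
    "// we never call system() in this file\n"
    "echo 'exec(ls) is only text';\n"
    "$report->system('status');\n"
    "$h = curl_exec($ch);\n"
)
MIXED_PHP = "<?php\n$out = SHELL_EXEC('ls -la'); /* passthru('dir') */\n\\system('dir');\n"

if __name__ == "__main__":
    for name, src in (("shell.php", SHELL_PHP), ("benign.php", BENIGN_PHP),
                      ("mixed.php", MIXED_PHP)):
        for line, func in find_exec_calls(src):
            print(f"{name}:{line}: call to {func}()")
```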