Web Shell PHP
Web shells exist for almost every web programming language you can think of. We chose to focus on PHP because it is the most widely used programming language on the web.
PHP web shells do nothing more than use built-in PHP functions to execute commands. The following are some of the most common functions used to execute shell commands in PHP.
The system() function accepts the command as a parameter and outputs the result.
The following example on a Microsoft Windows machine runs the dir command to return a listing of the directory in which the PHP file is executing.

<?php
// Return the listing of the directory in which the file runs (Windows)
system("dir");
?>

--> Volume in drive C has no label.
 Volume Serial Number is A08E-9C63

 Directory of C:\webserver\www\demo

04/27/2016  10:21 PM    <DIR>          .
04/27/2016  10:21 PM    <DIR>          ..
04/27/2016  10:19 PM                22 shell.php
               1 File(s)             22 bytes
               2 Dir(s)  31,977,467,904 bytes free

Similarly, executing the ls command on a Linux machine achieves a similar result.

<?php
// Return the listing of the directory in which the file runs (Linux)
system("ls -la");
?>

--> total 12
drwxrwxr-x 2 secuser secuser 4096 Apr 27 20:43 .
drwxr-xr-x 6 secuser secuser 4096 Apr 27 20:40 ..
-rw-rw-r-- 1 secuser secuser   26 Apr 27 20:41 shell.php

Other commands have the same effect.
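
Because a shell like the ones above is just a direct call to system(), a defender can search PHP files in a web root for such calls. The scanner below is an added example, not code from the original article; it goes beyond system() by also flagging other PHP built-ins that run shell commands, and the EXEC_FUNCS list, the function names and the SAMPLE file are assumptions constructed for illustration.

```python
import re

# system() is the function this page demonstrates; the other names are PHP
# built-ins that also run shell commands, added here as an assumption about scope.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "proc_open", "popen")

# Text outside <?php ... ?> is HTML, not code.
_OUTSIDE = re.compile(r"\A.*?(?:<\?(?:php|=)?|\Z)|\?>.*?(?:<\?(?:php|=)?|\Z)", re.S)
# Comments and quoted strings: a mention of system() there is not a call.
_INERT = re.compile(
    r"//[^\n]*|#[^\n]*|/\*.*?\*/"
    r"|'(?:\\.|[^'\\])*'"
    r'|"(?:\\.|[^"\\])*"',
    re.S,
)
# A bare or \-qualified call; $var(, ->method(, ::method( and longer names are skipped.
_CALL = re.compile(r"(?<![\w$>:\\])\\?(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.I)

# Constructed sample: the page's Linux shell.php body plus lines that must not match.
SAMPLE = '''<p>Contact system (admin)</p>
<?php
// system("dir") is only mentioned in this comment
echo "system('dir') inside a string";
$db->exec("SELECT 1");
system("ls -la");
?>
'''


def _blank(match):
    """Replace a span with spaces, keeping newlines so line numbers still match."""
    return re.sub(r"[^\n]", " ", match.group(0))


def find_exec_calls(php_source):
    """Return (line_number, function_name) pairs for direct calls, in file order."""
    code = _INERT.sub(_blank, _OUTSIDE.sub(_blank, php_source))
    hits = []
    for m in _CALL.finditer(code):
        before = code[:m.start()].rstrip()
        if re.search(r"\bfunction$", before, re.I):
            continue  # a declaration such as "function exec(...)", not a call
        hits.append((code.count("\n", 0, m.start()) + 1, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for line, name in find_exec_calls(SAMPLE):
        print(f"line {line}: call to {name}()")
```

It reports direct calls only, so treat a hit as a reason to review the file rather than as proof of a web shell.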