A web shell is a script that has been loaded onto a web server and that enables an attacker to send remote commands to that server. Using a web shell, you can exfiltrate sensitive data stored on the server, send command and control (C&C) signals to the server as part of a botnet, install malware that branches out to other hosts on the network, and more. Loading the shell in the first place can be accomplished through many of the web attack vectors you've seen thus far, including XSS, SQL injection, RFI and LFI, and others.

What you can actually do with a web shell depends on how it's programmed, but in general, a web shell can give you effective control over the execution of the web app and even the underlying server backend. For example, the open-source web shell b374k comes with the following functionality:

  • A file manager with all of the standard features.
  • A bind or reverse shell.
  • Execution of scripts in multiple languages, like Python and Ruby.
  • A simple packet crafter.
  • An SQL schema explorer.
  • A process/task manager.
  • A mail client.
  • And more.

All of this functionality is available through several PHP and JavaScript modules that you can load onto the web server and run.
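Whatever features a shell like b374k layers on top, a PHP web shell still has to hand request-supplied input to an OS or interpreter execution function, and that pattern is what a defender can search for in the web root. As an added example (not the page's own material and not b374k code), the following Python scanner flags PHP execution calls whose arguments reference request superglobals or a decoder wrapper; the function list and the two sample files are constructed for illustration.

```python
import re

# PHP functions that pass a string to the OS shell or the PHP interpreter.
EXEC_FUNCS = ("shell_exec", "system", "exec", "passthru", "popen", "proc_open", "eval")
# Request-derived inputs; a command built from these is attacker-controlled.
REQUEST_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "php://input")

# PHP function names are case-insensitive, so match them that way; [^;]* grabs the call's arguments.
CALL_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(([^;]*)", re.IGNORECASE)
# Decoders commonly wrapped around a hidden payload before it reaches eval().
DECODER_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.IGNORECASE)


def scan_php(source: str) -> list[dict]:
    """Return one finding per execution call whose arguments come from the request or a decoder."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in CALL_RE.finditer(line):
            func, args = match.group(1).lower(), match.group(2)
            reasons = []
            if any(src in args for src in REQUEST_SOURCES):
                reasons.append(f"request data reaches {func}()")
            if DECODER_RE.search(args):
                reasons.append(f"decoded payload reaches {func}()")
            if reasons:  # a hard-coded argument is ordinary admin code, not a shell
                findings.append({"line": lineno, "func": func, "reasons": reasons})
    return findings


# Constructed fixtures (not real files): a minimal shell and a benign admin script.
SAMPLE_SHELL = """<?php
// command text comes straight from the request
if (isset($_REQUEST['cmd'])) { echo shell_exec($_REQUEST['cmd']); }
eval(base64_decode($_POST['p']));
"""
SAMPLE_BENIGN = """<?php
echo htmlspecialchars($_GET['name'] ?? '');
system("ls -la /var/log");  // fixed command, no request data involved
"""

if __name__ == "__main__":
    for sample_name, sample in (("shell", SAMPLE_SHELL), ("benign", SAMPLE_BENIGN)):
        for f in scan_php(sample):
            print(f"{sample_name}:{f['line']} {f['func']}: {'; '.join(f['reasons'])}")
```

Run against a real web root by reading each `.php` file into `scan_php`; hits on hard-coded commands are filtered out, so remaining findings are worth a manual look alongside file timestamps and the web server's access log.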