I've been learning more and more about web security recently and today I came across the concept of a web shell.
eval function or the Function constructor.
That way an attacker could, for example, mount a denial of service attack, or inject... a web shell.
Ok, that was a long-winded way of starting my explanation of what a web shell is.
A web shell is a bit of code that provides a shell-like interface, but through a web browser. It has to be written in a language the target server can execute. Once this code is running on the server, an attacker can run Unix commands from any browser. Let's say our web shell runs on localhost:8000; then we can run an ls command by requesting localhost:8000/?cmd=ls, and the server will return a listing of the files in its working directory.
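From the defender's side, the request pattern just described (a query parameter carrying a command) is exactly what stands out in web server access logs. The following is an added example, not code from the original post: a small detector that parses constructed combined-format log lines and flags requests whose query parameters look like they are driving a web shell. The parameter names and command list are assumptions chosen for illustration.

```python
"""Flag access-log entries whose query parameters carry shell-command-looking
values, the signature of a web shell being driven from a browser
(hypothetical detector; the sample log lines below are constructed)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names web shells commonly use to receive the command (assumption).
SUSPECT_PARAMS = {"cmd", "command", "exec", "c", "shell", "run"}
# Value starts with a common Unix command, or contains shell chaining syntax.
COMMAND_RE = re.compile(
    r"^\s*(ls|cat|id|whoami|uname|pwd|wget|curl|nc|bash|sh|python|perl)\b"
    r"|[;|&`]|\$\("
)
# Apache/nginx combined log line: client, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(line: str):
    """Return (client_ip, path, reasons) when the request looks like web-shell
    traffic, or None when it does not (or the line does not parse)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, _status = m.groups()
    parts = urlsplit(target)
    reasons = []
    # parse_qsl URL-decodes values, so "id;uname%20-a" becomes "id;uname -a".
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SUSPECT_PARAMS and COMMAND_RE.search(value):
            reasons.append(f"{name}={value!r}")
    return (ip, parts.path, reasons) if reasons else None

def scan(lines):
    """Run classify over every line and return only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample: two ordinary requests and two web-shell style requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=ls HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?cmd=ls HTTP/1.1" 200 300',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /img/x.php?c=id;uname%20-a HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {path} suspicious: {', '.join(reasons)}")
```

A search box that happens to receive `q=ls` is not flagged because only the suspect parameter names are examined; tune both lists to the application's own parameter names before relying on it.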
Web shells are often used for reconnaissance, that is, for attackers to understand how the system is built so they can attack it further later on.