In this review, we will take a look at the best PHP web shells available to hackers and penetration testers to download and use for free on the internet.

What is a PHP Shell?

PHP Web Shells typically permit a hacker to browse the server’s filesystem and send out commands on the target server.

Moreover, webshells grant the hacker the ability to easily view files, upload files, move files, delete files, alter permissions, and edit files on the web server.

PHP shells may serve as dangerous tools in the hands of malicious attackers since they permit hackers to upload a PHP shell to a WordPress site easily.

Therefore, the functionality of PHP shells normally may include Remote Access Tool (RAT) practicality.

Web Shells aren’t merely written in PHP and ASP. Shell scripts can also be coded in other distinct languages such as Python, Perl, and Ruby to use as a backdoor for unauthorized access via uploading to a vulnerable web server.

Significantly, PHP shells may be deployed legitimately by a system administrator to perform certain actions on the web server. For instance, restarting a service, creating a new user, and reading logs on a system.

The reason why a system administrator may choose to use a PHP webshell is that of being able to carry out remote management without having to log into a web hosting control panel, using FTP, and using SSH. Thus, the convenience of being able to execute every action within a web browser is recognized as a benefit.

Webshells are backdoors that plainly run over HTTP and run via the hacker’s web browser. In contrast, a reverse shell demands a secondary program to be executed on a target’s system.

Penetration testers will understand that a security vulnerability has to first be found on a target’s Web application before the webshell can be dropped in an attack payload.

Possible infectious methods typically comprise SQL injections (SQLi) and file inclusion vulnerabilities (Remote File Inclusion – RFI -) executed against vulnerable web applications.

1. C99 Backdoor Web Shell

The C99 Backdoor Web Shell simply known as c99shell (c99shell.php) is likely the most prominent PHP backdoor ever.

C99shell is a well-known PHP backdoor shell that supplies information of files and folders when it is uploaded by a hacker and permits the attacker to carry out command execution via the shell.

The C99 backdoor PHP shell, like many web shells out there, is commonly used by black hat hackers, hacktivists, cybercriminals, and other cyber actors for malicious purposes.

Unsurprisingly, the C99 shell often assist in retrieving sensitive data which ultimately may lead to personally identifiable information being compromised by malicious actors with financial motives.

The C99 is also used for website defacements by black hat hackers and hacktivists.

Keep in mind that there are different versions of the c99 backdoor available to download on the internet.

C99 is available to download from

2. China Chopper Shell

China Chopper is another web shell that is deployed broadly by cyber actors such as Chinese and advanced persistent threat groups (APT).

China Chopper consists mostly of two components. Firstly, the web shell command-and-control (CnC) client interface known as caidao.exe. Secondly, a small text-based Web shell payload that is established on the hacked web server.

The payload can be found for numerous languages such as PHP, JSP, ASP, and ASPX.

The payload is incredibly small compared to other web shells available.

China Chopper’s small file size and it’s substantial capabilities of features renders this web shell to be ideal for IT security professionals.

China Chopper is available to download from

3. IndoXploit Shell (IDX Shell)

IndoXploit is a PHP-based backdoor that permits a professional penetration tester to bypass a server’s security easily.

The IndoXploit webshell is typically employed to compromise popular content management systems (CMS).

The IDX shell has numerous features such as the ability for mass defacements, mass submissions to Zone-H, leaping into distinct user accounts, cracking cPanel passwords, and reading files.

Thus, the IndoXploit backdoor is frequently used by hackers to deface and compromise sites.

The IndoXploit shell utilizes a dynamic 404 web page to render the shell to appear like it was removed.

A site that was infected will hold a folder labelled as “idx_config” which includes text versions of configuration files of all CMS installations the IDX backdoor can find.

The IDX shell obtains the contents of configuration files for popular content management systems such as WordPress and Joomla.

Furthermore, this backdoor saves them as text files (.txt) in a folder it produces called “idx_config“. connected

While such text files can appear harmless, they hold private information that an adversary may employ to access CMS-associated databases linked to a victim’s hosting account.

IndoXploit can be downloaded from

4. WSO Web Shell (Web Shell By Orb)

Like many other shells out there, WSO is deployed via a web browser. Since WSO’s interface is user-friendly, any adversary can use it easily.

WSO has features found in many web shells out there such as database administration, PHP code execution, and brute-force capability against FTP/Database servers.

WSO can be easily used to execute malicious PHP code on target sites. Hence, the WSO Web Shell is frequently used by hackers of all levels.

The WSO shell is exceptionally popular that hackers have created tools that aid its execution and utilization. For instance, it is possible to create a personalized version of the shell that meets your penetration testing needs.

No wonder the WSO backdoor is considered one of the most popular shells on the internet.

WSO is available to download from

5. B374k PHP Shell

B374K is a PHP-based web shell (b374k.php) with various features such as command execution, script execution, file manager, and a task manager.

Using B374K gets the job done since the features included are what you would expect from a standard PHP-based backdoor.

B374K is available to download from

6. r57 Shell

The r57 web shell is another famous PHP backdoor that many hackers use to compromise servers.

The r57 backdoor has many of the features found in the shells we have mentioned in this article, including the ability to connect to a SQL server and bypassing the security of numerous servers.

The r57 webshell has existed for a long time and continues to be endorsed by hackers worldwide.

r57 is available to download from

7. Weevely Shell

Weevely is another PHP backdoor that imitates a telnet connection. Weevely is included with Kali Linux.

Significantly, Weevley is a penetration testing tool designed for post exploitation in web applications.

Weevely has over 30 modules that assist in post-exploitation for various pentesting activities such as maintaining access, network lateral movement, and privilege escalation.

Using Weevely in Kali Linux is simple. Open a new terminal to create a web shell by typing in the following command:

weevely generate sunnyhoi /root/Desktop/weevely.php

Weevely is available to download from If you are using Kali Linux, then you already have Weevely preinstalled.

What To Do If You Find A Web Shell (Backdoor Malware) On Your Server

If you find a web shell on your server, it should serve as a clear indicator that your website has been compromised by an adversary.

In that case, checking the server logs will be important especially when the hacker has never acquired root access at any time. All requests to a PHP shell will be considered and logged as a regular web request.

Since many shells employ GET URL variables in its features, investigators may reproduce an adversary’s digital footprint by forensically examining the access log files found on web servers.

Hiring a professional third-party security service to clean your site and remove PHP web shell backdoors is often a good idea since the techniques that smart attackers deploy to hide their webshells is frequently evolving.

It takes an experienced individual or company to detect such malicious actions and fix them accordingly without unintentionally breaking the servers affected.

Keeping the software updated and patched on servers will mitigate security vulnerabilities found in web applications.

Related Posts