If you don’t understand what a shell is, click here.
A webshell is usually a web page that allows the user Operating System control, usually via a command line.
Many webshells also provide a graphical interface for ease of use.
You should only use a webshell when more conventional access, like SSH or the almost obsolete Telnet, is not available.
Some may work better than others, some may not work at all depending on the security measures employed by the target.
Watch out for webshells that are backdoored. While webshells are usually considered backdoors themselves, many of them will “phone home”, letting someone (whoever put the backdoor in place, usually the developer) know that they have been executed. That person may then use the backdoor themself for nefarious purposes. So make sure you look at the code before using a webshell, or look at HTTP traffic generated upon execution of the file. The latter will not necessarily show the existence of the backdoor in your shell. The files listed below are from reputable sources only, so you may trust them.
- Laudanum at github: A collection of webshells in different languages.
- Antak PowerShell Aspx: Simple and works very well.
- WeBaCoo: Perl script for generating php backdoors, also allows to connect to a backdoor from your terminal for terminal-like access.
- Weevely: Powerful python script for generating backdoors, connecting to them, and running different modules to help with many tasks.