Monday, May 30, 2011

Deface a Website with a Shell

Defacing a Website Using Shells


In this little guide I'll be teaching you how to deface a website using a shell, but before we begin, let's talk about the basics...

Shells are basic methods we can use to upload to a website, then deface the website once uploaded. A shell is a file (often PHP) and gives us extra permissions to the website once uploaded.
Credit to xedlgubaid for definition

Now even though I may not have come up with that definition myself, that is spot on, at least for the purposes of this tutorial.

In this tutorial we will:
  • Learn about shells and how they are used
  • Learn how to use shells to deface a website

So, let's jump right in!

The Tutorial

Before we begin, please read the disclaimer.

The first thing we'll need is a shell (duh).

Shells are very easy to find, you can simply use Google to look them up and find what you need (click here), however, it might be easier to go to the site below:

An antivirus may detect a shell as a virus, and for good cause, there is a chance that a shell does contain a virus if you're downloading it from an unusual or disreputable source. More than likely, these alarms are false, and you are fine.

We'll now need to use a Google dork to find a site that lets us upload our shell.
The dork is:
Most sites will be image hosting. However, if you get a website such as audio hosting you will have to use your common sense.

If the website is an image host, you will have to rename your PHP (or other file type) file to shell.php.gif or any other image type. For audio hosting websites, you will have to rename the PHP file to shell.php.mp3 or any other audio type. You get the picture. The website usually tells you what formats the script allows you to upload, it's common sense.


You can edit the PHP shell and add the following code to the top of your PHP code. Remember to change "jpeg" to what ever file extension the site allows such as MP3 etc and so on.

header('Content-type: image/jpeg');
Upload the shell you just renamed to the server. Most sites will show you have uploaded the shell to the server, some sites still might not allow you to upload this file.

Once you have done this, the website will show that you have uploaded an image. It will be blank. This is because you haven't really uploaded an image, you have uploaded a PHP file.

Find the path to your image. On the upload image, try clicking on the blank space, Copy Link Location and paste it into your browser and hit enter. This will load your shell.


I am not responsible for your actions. I am not responsible for the consequences you may face. This guide is meant for educational purposes only. I do not support illegal hacking.


  1. I'm using AVG antivirus for a number of years now, and I'd recommend this anti virus to all of you.

  2. DreamHost is the best web-hosting provider with plans for any hosting requirements.