A webshell itself cannot attack or exploit a remote vulnerability, so it is always the second step of an attack (this stage is also referred to as post-exploitation).
PHP webshell with many features, such as:
* File manager (view, edit, rename, delete, upload, download as archive, etc.)
* Command execution
* Script execution (php, perl, python, ruby, java, node.js, c)
* Gives you a shell via bind/reverse shell connection
* Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more using ODBC or PDO)
* Process list/Task manager
* API to control this shell from other scripts/programs (see wiki)
* All of that in a single file, no installation needed
* Supports PHP v4 and v5
* Search function (ver 2.4)
* Hex editor (ver 2.4)
* SQL Explorer (ver 2.4)
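For defenders, the feature list above suggests a triage heuristic: a single PHP file that calls command-execution, file-management, socket and database functions together deserves a manual review. The following Python scanner is an added example, not code from the original page or from the tool it describes; the capability groups, the threshold of 3 and the sample fragments are assumptions constructed for illustration.

```python
import os
import re

def _calls(*names):
    # Bare function calls only: skips methods ($pdo->exec) and longer names (curl_exec).
    return re.compile(r"(?<![\w$>:])(?:%s)\s*\(" % "|".join(names), re.I)

# Groups follow the feature list; grouping and threshold are assumptions of this example.
CAPABILITIES = {
    "command_exec": _calls("system", "exec", "shell_exec", "passthru", "popen", "proc_open"),
    "code_eval": _calls("eval", "assert", "create_function"),
    "file_manager": _calls("move_uploaded_file", "unlink", "rename", "chmod", "file_put_contents"),
    "network_shell": _calls("fsockopen", "socket_create", "socket_bind", "stream_socket_client"),
    "dbms": _calls("mysql_connect", "mysqli_connect", "pg_connect", "odbc_connect", "PDO"),
}

def capabilities(source):
    """Return the set of capability groups whose functions the PHP source calls."""
    return {name for name, rx in CAPABILITIES.items() if rx.search(source)}

def is_suspicious(source, threshold=3):
    """One file combining several unrelated capabilities is worth a manual review."""
    return len(capabilities(source)) >= threshold

def scan(webroot):
    """Walk a web root and list (path, capabilities) for PHP files over the threshold."""
    hits = []
    for folder, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith((".php", ".phtml")):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
                if is_suspicious(text):
                    hits.append((path, sorted(capabilities(text))))
    return hits

# Constructed samples: disconnected fragments, not working programs.
SAMPLE_MULTI = """<?php
$out = shell_exec($cmd);
move_uploaded_file($tmp, $dest);
$sock = fsockopen($host, $port);
$db = new PDO($dsn);
"""
SAMPLE_APP = """<?php
$db = new PDO($dsn);
$db->exec('DELETE FROM cache');
file_put_contents('cache.html', render($db->query('SELECT title FROM posts')));
"""
```

Matching on function names misses obfuscated or encoded code, so a clean result from `scan` is inconclusive rather than proof that a web root is clean.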
Why Use Webshells
A webshell usually contains a backdoor which allows an attacker to remotely access, and possibly control, a server at any time. All actions take place within a web browser with user permissions. This saves the attacker the inconvenience of having to exploit a vulnerability each time access to the compromised server is required.
The attacker might also choose to fix the vulnerability themselves to ensure that no one else exploits it. This way the attacker can keep a low profile and avoid any interaction with an administrator, while still obtaining the same result.