What is a Web Shell
A web shell is a file parsed and executed as code by a web server, which sends the results back to the originator of the web request. They are coded in many languages, such as PHP, Python, ASP, and Perl, and are further used as a backdoor for illegitimate access to any server by uploading them to a web server.
Once the backdoor is uploaded to a destination, the attacker gains direct read-write operation capabilities. Web shells are placed on the web server without the permission of the site’s owners.
How does Web Shell work?
Most programming languages used on the web allow for the running of system commands and external processes via various functions, such as “system()” or “exec()”. This is not a vulnerability, but if an attacker can control the parameters passed to the function, a “command injection vulnerability” occurs.
Attackers can intentionally create scripts with such functions to execute commands on the target host. Consider a scenario where an attacker uploads a PHP file to a PHP-supported website:
Assuming this script was placed in the web root directory of example.com, a request to “https://example.com/example_webshell.php?cmd=ls” would execute the “ls” command on the host and return results.
This will pass whatever text is sent in the “cmd” parameter to the PHP system() function, which runs the provided string as a command via a “shell” program on the server, such as “bash” or “zsh” on Linux, or “cmd.exe” on Windows.
In the example request above, the “cmd” parameter contains “ls”, a valid shell command to list the files in the current directory on the server which in this case is the contents of the web root directory.
Other commands may be run, which allows attackers to read files, navigate the file system, start processes, and possibly other things, all with the privilege level of the web server process.
Web Shell Capabilities
The capabilities of web shells vary depending on their complexity and the sophistication of the attacker but generally include the following functions:
- Remote Command Execution
Shell Access: Web shells provide a web-based interface to execute shell commands on the compromised server.
Script Execution: Ability to run scripts (e.g., PHP, Python, Perl, etc.) on the server.
- File Management
Upload/Download Files: Attackers can upload and download files to and from the server.
File Editing: Modify, delete, or create files and directories.
File Searching: Search for specific files or types of files on the filesystem.
- Database Manipulation
Database Access: Execute SQL queries, exfiltrate data from databases, and perform other database manipulations.
Credential Dumping: Extract and harvest credentials and other sensitive information stored in databases.
- Network Operations
Port Scanning: Conduct internal or external network reconnaissance by scanning for open ports and services.
Pivoting: Use the compromised server as a pivot point to launch attacks on other networked machines.
Connection Relaying: Relay traffic through the compromised server to mask the attacker’s origin.
- System Information Gathering
System Info: Gather detailed information about the server, including the operating system, installed software, running processes, and network configuration.
Environment Variables: Access and manipulate environment variables.
- Privilege Escalation
Exploiting Vulnerabilities: Use known vulnerabilities to escalate privileges from a regular user to root or administrator.
Adding Accounts: Create new user accounts with higher privileges.
Inbuilt Kali-Linux Web Shells
Kali Linux has built-in PHP scripts that can be used as a backdoor to assist pen-testing work. They are stored inside /usr/share/webshells/php, and a pen-tester can use them without wasting time writing PHP code for the malicious script.
- simple backdoor.php
- qsd-php backdoor web shell
- php-reverse-shell.php
Simplebackdoor.php Shell
Simple-backdoor.php is a kind of web shell that can generate a remote code execution once injected into the web server and script made by “John Troon.” It is already accessible in Kali in the/usr/share/web shells/php folder, as shown in the picture below. After that, we will run the ls -al command to check the permissions given to the files.
Now you must discover a way to upload a shell in your application, so we will first try to upload here simple backdoor php shell which is already available in kali and click on send the file to upload the shell.
As you can see, we have successfully uploaded the malicious php file and received the hyperlink for the uploaded file.
Thus, we try to access simple-backdoor.php and obtain the following output. As we can observe that here “cmd=cat+/etc/passwd” is a clear indication for Remote code execution.
So, let’s try to retrieve all the passwords of the server.
qsd-php Backdoor Web Shell
An exploit of a web shell is generally considered a backdoor that enables an attacker to access and control a server remotely. The qsd-php backdoor shell is a kind of backdoor that provides a platform for executing system commands, and the wonderful script was made by Daniel Berliner.
As you can see, we have uploaded the qsd-php-backdoor.php file successfully.
Then try accessing qsd-php-backdoor.php as you did in the previous step. You will find something like the image below. Here, you can perform directory traversal and access the Web Server directory directly by entering the command and clicking on the go button.
Then click on the “Go to current working directory”
As you can observe, we have accessed the current directory directly without executing any system command.
We can also execute arbitrary system commands since this backdoor provides a platform to execute shell commands such as cat/etc/passwd, ls -al, and many more. We can also run two commands simultaneously and see the result.
As you can see, we got the result successfully.
PHP-reverse Shell
A PHP reverse shell is a type of shell that gives a remote attacker command-line access to a target machine. Unlike a traditional (bind) shell, which opens a listening port on the target machine for an attacker to connect, a reverse shell initiates an outbound connection from the target machine to the attacker’s machine. This can bypass specific network security measures, such as firewalls blocking incoming connections.
For this, we need to open this script through nano:
Here, we need to give the LISTEN_IP (Kali Linux) where we want the connection, and the LISTEN_PORT number can be set to any.
Now, we need to upload this web shell to get the reverse connection. So, we will upload the malicious file and, on the other hand, start the netcat listener inside a new terminal.
We can see that it is uploaded successfully.
Now, as soon as you execute the uploaded file, if all goes well, the webserver should throw back a reverse shell to your netcat listener. You can verify that we have successfully obtained the shell.
PHP Backdoor using MSFvenom
We can also generate a php web shell with the help of msfvenom. We, therefore, write and use msfvenom following command for generating malicious php code in raw format.
Now, we will upload this malicious shell in the DVWA lab to get the reverse connection.
Simultaneously, we will start a multi-handler, where we will get the meterpreter shell, and we will run the following commands where we need to specify the host and port to get the reverse connection.
As soon as you will explore the uploaded path and execute the backdoor, it will give you a meterpreter session.
PHPbash Shell
PHPbash is another standard web shell specifically designed to emulate a bash terminal through a PHP web interface. It allows attackers to execute shell commands on a compromised web server, similar to how they interact with a standard command-line terminal.
We will download it from GitHub, then go to the PHPbash directory and execute the ls -al command to check the available files.
Now, we will upload this web shell in the DVWA lab.
Going ahead; we will open the URL to execute the shell.
Here, a malicious PHPbash file is executed and given the web shell. The benefit of PHPbash is that it doesn’t require any type of listener, such as Netcat, because it has an inbuilt bash shell, which you can observe from the given image.
Detection and Defense
Detection Strategies
Successful detection of web shells involves understanding their common characteristics and behaviors:
- Anomaly Detection: Monitoring web traffic for unusual patterns, such as unexpected spikes in outbound traffic or irregular access times, can help identify potential web shell activity.
- File Integrity Monitoring: Continuously verifying the integrity of web files can alert administrators to unauthorized changes, which may indicate the presence of a web shell.
- Signature-based Detection: Utilizing known web shell signatures can effectively flag many common malicious scripts. However, this method should be paired with other strategies due to its limitations with novel or obfuscated shells.
- Behavioral Analysis: It is crucial to examine the behavior of web applications and scripts for abnormal activities, such as unauthorized command execution or unusual file operations.
- Threat Intelligence: Incorporating threat intelligence feeds can help quickly recognize known indicators of compromise (IoCs) associated with web shells, allowing faster response times.
Defense Mechanisms
Robust defenses against web shells should integrate preventative, detective, and responsive measures:
- Web Application Security: Ensure web applications are regularly updated and patched to mitigate vulnerabilities. Web application firewalls (WAFs) can also help filter out malicious inputs.
- Access Control: Implement strict access control policies, including the principle of least privilege, to limit users’ ability to upload or modify server-side scripts.
- Regular Audits and Penetration Testing: Conduct routine security audits and penetration tests to identify and remediate vulnerabilities before they can be exploited.
- Environment Hardening: Secure web server configurations and disable unnecessary services to reduce the attack surface.
- Incident Response Planning: Develop and rehearse incident response plans that address web shell incidents, ensuring a quick and coordinated response to contain and remediate the threat.
Conclusion
Web shells are a prevalent method for attackers to execute commands on a server while avoiding detection by blending into regular web traffic. They are highly customizable and require only modest technical skills to deploy, making them accessible for malicious use. For targeted organizations, web shells can be devastating, leading to data theft, malware installation, and additional reconnaissance by attackers.
Companies running dynamic websites must leverage all available detection and mitigation tools to defend against web shells. Particular focus should be given to the storage contents accessible by their web servers. Secure coding practices are critical to prevent attackers from uploading malicious content, the most common method for web shell installation. Additionally, in-depth monitoring of web server processes requested URLs, parameters, and the content delivered to clients are all effective detection methods.
~ Author : Hashan Nethkalum ~