A web shell is a shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyberattacks. A web shell is unique in that a web browser is used to interact with it.
A web shell can be written in any programming language that is supported on the server. Web shells are most commonly written in PHP, due to the widespread use of PHP for web applications. However, Active Server Pages, ASP.NET, Python, Perl, Ruby, and Unix shell scripts are also used, although less commonly.
Using network monitoring tools, an attacker can find vulnerabilities that can potentially allow delivery of a web shell. These vulnerabilities are often present in applications that run on a web server. An attacker can use a web shell to issue shell commands, perform privilege escalation on the web server, and upload, download, delete, and execute files on the web server.
General usage
Web shells are used in attacks mostly because they are multi-purpose and difficult to detect.
Web shells are commonly used for:
* Data theft
* Infecting website visitors (watering hole attacks)
* Website defacement by modifying files with malicious intent
* Launching distributed denial-of-service (DDoS) attacks
* Relaying commands into parts of the network that are not reachable from the Internet
* Serving as a command-and-control base, for example as a bot in a botnet, or as a staging point from which to compromise additional external networks
Delivery of web shells
Web shells are installed through vulnerabilities in web applications or weak server security configuration, including the following:
* SQL injection;
* Vulnerabilities in applications and services (e.g. web server software such as NGINX, or content management system applications such as WordPress);
* File processing and uploading vulnerabilities, which can be mitigated by e.g. limiting the file types that can be uploaded;
* Remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities;
* Remote code execution;
* Exposed administration interfaces.
An attacker may also modify (spoof) the Content-Type header sent with a file upload to bypass improper file validation (validation that trusts the MIME type sent by the client), resulting in a successful upload of the attacker's shell.
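As an added example (not code from the original article), the following Python contrasts the flawed upload check just described, which trusts the client's Content-Type header, with a hardened check that ignores that header and decides from the filename and the file's own leading bytes. The allowlists, the helper names and the sample uploads are constructed for illustration.

```python
"""Upload validation: trusting the client's Content-Type versus checking the file.

Added example, not code from the original page. The two validators, the
allowlists and the sample uploads below are constructed for illustration.
"""
import os

ALLOWED_MIME = {"image/png", "image/jpeg", "image/gif"}

# Extension allowlist, and the leading bytes a file of each type must start with.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def weak_validate(filename: str, content_type: str, data: bytes) -> bool:
    """The flawed check the text describes: it trusts the Content-Type header
    supplied by the client. Uploading shell.php with a spoofed
    'Content-Type: image/png' passes, and the shell lands on disk."""
    return content_type in ALLOWED_MIME


def strict_validate(filename: str, content_type: str, data: bytes) -> bool:
    """Hardened check. The client's Content-Type is ignored entirely; the
    decision rests on properties the client cannot spoof with one header:
      - only the basename is considered (no path components),
      - exactly one extension, from the allowlist (rejects shell.php.png,
        a.php\\x00.png and dotfiles such as .htaccess),
      - the file's own leading bytes match that type's signature.
    """
    base = os.path.basename(filename)
    if base.count(".") != 1 or base.startswith("."):
        return False
    ext = os.path.splitext(base)[1].lower()
    if ext not in MAGIC:
        return False
    return data.startswith(MAGIC[ext])


# Constructed sample uploads: (filename, client-supplied Content-Type, first bytes)
PNG_SIG = b"\x89PNG\r\n\x1a\n"
SAMPLE_UPLOADS = [
    ("shell.php", "image/png", b"<?php system($_GET['x']); ?>"),    # spoofed header
    ("logo.png", "image/png", PNG_SIG + b"\x00\x00\x00\rIHDR"),      # genuine PNG
    ("shell.php.png", "image/png", PNG_SIG + b"<?php echo 1; ?>"),   # double extension
    ("../../var/www/html/s.png", "image/png", PNG_SIG + b"\x00"),    # path in the name
    ("a.php\x00.png", "image/png", PNG_SIG),                         # null-byte trick
    (".htaccess", "image/png", PNG_SIG),                             # dotfile
]


def compare() -> dict:
    """Run both validators over the samples; returns {filename: (weak, strict)}."""
    return {name: (weak_validate(name, ct, data), strict_validate(name, ct, data))
            for name, ct, data in SAMPLE_UPLOADS}


if __name__ == "__main__":
    for name, (weak, strict) in compare().items():
        print(f"{name!r:32} weak={weak!s:5} strict={strict}")
```

The strict check limits which files reach disk, but it does not defeat a polyglot (a valid PNG header with PHP appended, uploaded under a .png name), so it is paired with storing uploads outside the web root, or in a directory where the server never executes scripts, under a server-generated name rather than the one the client supplied.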
Example
The following is a simple example of a web shell written in PHP that executes the shell command given in the x query parameter and outputs its result (the backticks are PHP's shell-execution operator, equivalent to shell_exec()):
<?=`$_GET[x]`?>
Assuming the filename is example.php, a request that would output the contents of the /etc/passwd file is shown below:
https://example.com/example.php?x=cat%20%2Fetc%2Fpasswd
The above request takes the value of the x parameter of the query string and runs the following shell command on the server, returning its output in the HTTP response:
cat /etc/passwd
This could have been prevented if PHP's shell-execution functions (shell_exec, exec, system, passthru and the related process-spawning functions) had been disabled with the disable_functions directive, so that arbitrary shell commands cannot be executed from PHP; disabling shell_exec also disables the backtick operator. Disabling these functions limits what a planted shell can do, but it does not stop a shell from being uploaded, so it complements rather than replaces fixing the upload or inclusion flaw.
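As an added configuration example (not from the original article), the php.ini fragment below shows the default, permissive state beside the hardened setting that neutralises the one-line shell above. The directory paths are assumptions for a typical Linux layout.

```ini
; php.ini: permissive default versus hardened settings for the process-spawning
; functions a PHP web shell relies on. Added example, not from the original page.

; Weak (the default): nothing disabled, so shell_exec() and the backtick
; operator work and <?=`$_GET[x]`?> runs whatever the x parameter carries.
; disable_functions =

; Hardened: disable every function that spawns a process. Disabling shell_exec
; also disables the backtick operator, which is an alias for it.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec

; Confine file access to the application tree (limits what LFI can reach);
; the paths are assumptions for this example.
open_basedir = /var/www/html:/tmp

; Never include remote URLs (off by default; keep it that way to block RFI).
allow_url_include = Off
```

A shell that uses eval(), file writes or a database driver rather than a subprocess still works with these settings, which is why the directive is a hardening layer rather than a boundary.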
Prevention and mitigation
A web shell is usually installed by taking advantage of vulnerabilities present in the web server's software or in the applications it hosts. That is why removing these vulnerabilities is important to avoid the risk of a compromised web server.
The following are security measures for preventing the installation of a web shell:
* Regularly updating the applications and the host server's operating system so that known bugs are patched
* Deploying a demilitarized zone (DMZ) between the web-facing servers and the internal networks
* Securely configuring the web server
* Closing or blocking ports and services which are not used
* Validating user input to limit local and remote file inclusion vulnerabilities
* Using a reverse proxy service to restrict the administrative URLs to known legitimate ones
* Running frequent vulnerability scans with web security software to detect areas of risk (this does not prevent zero-day attacks)
* Deploying a firewall
* Disabling directory browsing
* Not using default passwords
Detection
Web shells can be easily modified, so they are not easy to detect, and antivirus software is often unable to detect them.
The following are common indicators that a web shell is present on a web server:
* Abnormally high web server usage (due to heavy downloading and uploading by the attacker);
* Files with an abnormal timestamp (e.g. a modification time newer than the last legitimate deployment);
* Unknown files on the web server;
* Files containing dubious references, for example to cmd.exe or eval;
* Unknown connections in the web server's logs, for example a file generating suspicious traffic (e.g. a PNG file receiving requests with POST parameters);
* Dubious logins from DMZ servers to internal sub-nets and vice versa.
Web shells may also contain a login form, which is often disguised as an error page.
Using web shells, adversaries can modify the .htaccess file (on servers running the Apache HTTP Server) to redirect search engine requests to a web page with malware or spam. Often web shells detect the user-agent, and the content presented to the search engine spider differs from that presented to the user's browser. Finding such a web shell therefore usually requires changing the user-agent to that of a crawler bot. Once the web shell is identified, it can be deleted easily, but the vulnerability used to install it must also be closed or the shell will simply be reinstalled.
Analyzing the web server's logs can pinpoint the exact location of the web shell. Legitimate users and visitors usually present a variety of user-agents and referers (referrers); a web shell, on the other hand, is usually visited only by the attacker and therefore shows very few variants of user-agent strings.
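As an added example (not code from the original article), the following Python turns the log-based indicators above into checks over combined-format access log lines: POSTs or query parameters sent to static-content files, paths requested repeatedly by a single user-agent, and paths that never arrive via a referer. The log lines, the thresholds and the static-extension list are constructed assumptions.

```python
"""Hunt for web shell indicators in web server access logs.

Added example, not code from the original page. The sample log, the thresholds
and the static-extension list are constructed for illustration.
"""
import re
from collections import defaultdict

# Apache/NGINX "combined" format:
# ip - user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Files of these types should never be asked to process parameters or bodies.
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".ico", ".css", ".svg", ".txt")


def parse(lines):
    """Yield one dict per parseable line, with the query string split off the path."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["path"], _, rec["query"] = rec.pop("target").partition("?")
        yield rec


def find_indicators(lines, min_hits=3):
    """Return {path: [reason, ...]} for paths showing web shell traffic patterns.
    Several reasons on one path make a stronger signal than any one alone."""
    by_path = defaultdict(list)
    for rec in parse(lines):
        by_path[rec["path"]].append(rec)

    findings = {}
    for path, recs in by_path.items():
        reasons = []
        # Indicator 1: a "PNG" (or other static file) receiving POSTs or parameters.
        if path.lower().endswith(STATIC_EXT) and any(
                r["method"] == "POST" or r["query"] for r in recs):
            reasons.append("POST or query parameters sent to a static-content file")
        # Indicator 2: repeated requests, all from a single user-agent string.
        user_agents = {r["ua"] for r in recs}
        if len(recs) >= min_hits and len(user_agents) == 1:
            reasons.append(f"{len(recs)} requests, all from a single user-agent")
        # Indicator 3: nobody ever reaches the path by following a link.
        if len(recs) >= min_hits and all(r["referer"] in ("", "-") for r in recs):
            reasons.append("never requested via a referer")
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample log: three ordinary visitors, then an operator driving two
# shells (one hidden in an image name, one in a theme's 404 page) from one tool.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 5123 "https://www.google.com/" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "https://example.com/about" "Mozilla/5.0 (X11; Linux) Chrome/117.0"
192.0.2.9 - - [10/Oct/2023:13:56:05 +0000] "GET /about.php HTTP/1.1" 200 2210 "https://example.com/index.php" "Mozilla/5.0 (X11; Linux) Chrome/117.0"
203.0.113.7 - - [10/Oct/2023:13:57:00 +0000] "GET /images/logo.png HTTP/1.1" 200 8841 "https://example.com/index.php" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
203.0.113.66 - - [10/Oct/2023:14:02:11 +0000] "POST /uploads/avatar.png HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.66 - - [10/Oct/2023:14:02:15 +0000] "POST /uploads/avatar.png HTTP/1.1" 200 1930 "-" "python-requests/2.31"
203.0.113.66 - - [10/Oct/2023:14:03:40 +0000] "GET /uploads/avatar.png?x=id HTTP/1.1" 200 77 "-" "python-requests/2.31"
203.0.113.66 - - [10/Oct/2023:14:05:02 +0000] "GET /wp-content/themes/x/404.php?cmd=whoami HTTP/1.1" 200 64 "-" "python-requests/2.31"
203.0.113.66 - - [10/Oct/2023:14:05:09 +0000] "GET /wp-content/themes/x/404.php?cmd=cat+/etc/passwd HTTP/1.1" 200 2933 "-" "python-requests/2.31"
203.0.113.66 - - [10/Oct/2023:14:06:30 +0000] "POST /wp-content/themes/x/404.php HTTP/1.1" 200 120 "-" "python-requests/2.31"
"""


def hunt():
    """Run the checks over the constructed sample log."""
    return find_indicators(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for path, reasons in sorted(hunt().items(), key=lambda kv: -len(kv[1])):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample the image path collects all three reasons and the 404.php path two, while the ordinary pages collect none; on a real log the single-user-agent and no-referer checks also fire on legitimate API endpoints and bookmarked pages, so a path with only one reason is a lead to triage against the file system (unknown files, odd timestamps), not a verdict.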
See also
* Backdoor (computing)
* Cyberwarfare
* Internet security
* Network security
* China Chopper