web shell

A web shell is a shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyberattacks. A web shell is unique in that a web browser is used to interact with it. A web shell could be programmed in any programming language that is supported on a server. Web shells are most commonly written in PHP due to the widespread usage of PHP for web applications, though Active Server Pages, ASP.NET, Python, Perl, Ruby, and Unix shell scripts are also used. Using network monitoring tools, an attacker can find vulnerabilities that can potentially allow delivery of a web shell. These vulnerabilities are often present in applications that are run on a web server. An attacker can use a web shell to issue shell commands, perform privilege escalation on the web server, and upload, delete, download, and execute files to and from the web server.


General usage

Web shells are used in attacks mostly because they are multi-purpose and difficult to detect. They are commonly used for:

* Data theft
* Infecting website visitors (watering hole attacks)
* Website defacement by modifying files with malicious intent
* Launching distributed denial-of-service (DDoS) attacks
* Relaying commands inside a network that is inaccessible over the Internet
* Serving as a command and control base, for example as a bot in a botnet, or as a way to compromise the security of additional external networks

Web shells give hackers the ability to steal information, corrupt data, and upload malware that is more damaging to a system. The issue escalates further when hackers employ compromised servers to infiltrate a system and jeopardize additional machines. Web shells are also a way that malicious individuals target a variety of industries, including government, financial, and defense, through cyber espionage. One of the best known web shells used in this manner is "China Chopper".


Delivery of web shells

Web shells are installed through vulnerabilities in web applications or weak server security configuration, including the following:

* SQL injection;
* Vulnerabilities in applications and services (e.g. web server software such as NGINX, or content management system applications such as WordPress);
* File processing and uploading vulnerabilities, which can be mitigated by e.g. limiting the file types that can be uploaded;
* Remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities;
* Remote code execution;
* Exposed administration interfaces.

An attacker may also modify (spoof) the Content-Type header sent in a file upload to bypass improper file validation (validation using the MIME type sent by the client), which will result in a successful upload of the attacker's shell.
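The Content-Type spoofing point above is the reason upload validation must not rely on anything the client declares. The following is an added example, not code from the original article: a server-side upload check written in Python that ignores the client's declared Content-Type and instead decides on an extension allowlist, the file's leading bytes and a server-chosen filename. The allowlist, the size limit and the function name check_upload are assumptions made for this example.

```python
import os
import re
import secrets

# Constructed allowlist for this example: accepted extensions mapped to the
# magic-byte prefixes a file of that type must begin with. Any extension not
# listed here (including .php, .phtml, .asp, .jsp) is rejected outright.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit

# Exactly one dot, a short alphanumeric stem and a short alphanumeric extension.
# This rejects double extensions such as "shell.php.png" as well as path
# separators, spaces and null bytes.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


def check_upload(filename, client_content_type, data):
    """Decide whether to accept an upload.

    Returns (accepted, reason, stored_name). `client_content_type` is the
    Content-Type the client declared; it is only useful for logging and is
    deliberately not consulted, because the client controls it.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return (False, "file too large", None)

    # Strip any directory component the client supplied (e.g. "../../x.png").
    base = os.path.basename(filename.replace("\\", "/"))
    m = SAFE_NAME_RE.fullmatch(base)
    if m is None:
        return (False, "unacceptable filename", None)

    ext = m.group(1).lower()
    if ext not in ALLOWED_TYPES:
        return (False, f"extension .{ext} not allowed", None)

    # The bytes themselves, not the declared Content-Type, must look like the
    # type the extension claims.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return (False, "content does not match extension", None)

    # The server picks the stored name; the client's name never reaches disk.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return (True, "accepted", stored_name)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32   # constructed PNG header
    php = b"<?php echo 'test'; ?>"                 # constructed non-image body
    for name, ctype, body in [
        ("avatar.png", "image/png", png),
        ("avatar.php", "image/png", php),        # spoofed Content-Type, wrong extension
        ("avatar.php.png", "image/png", png),    # double extension
        ("avatar.png", "image/png", php),        # right extension, wrong bytes
    ]:
        print(name, ctype, check_upload(name, ctype, body))
```

A correct PNG header does not rule out a file that also carries script code after it, so the upload directory must additionally be served without script execution, or from outside the web root; the check above limits what reaches disk, it does not replace that configuration.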


Example

The following is a simple example of a web shell written in PHP that executes and outputs the result of a shell command:

    <?=`$_GET[x]`?>

Assuming the filename is example.php, an example that would output the contents of the /etc/passwd file is shown below:

    https://example.com/example.php?x=cat%20%2Fetc%2Fpasswd

The above request will take the value of the x parameter of the query string, sending the following shell command:

    cat /etc/passwd

This could have been prevented if the shell functions of PHP were disabled so that arbitrary shell commands cannot be executed from PHP.


Prevention and mitigation

A web shell is usually installed by taking advantage of vulnerabilities present in the web server's software. That is why removal of these vulnerabilities is important to avoid the potential risk of a compromised web server. The following are security measures for preventing the installation of a web shell:

* Regularly updating the applications and the host server's operating system to ensure immunity from known bugs
* Deploying a demilitarized zone (DMZ) between the web-facing servers and the internal networks
* Secure configuration of the web server
* Closing or blocking ports and services which are not used
* Using user input data validation to limit local and remote file inclusion vulnerabilities
* Using a reverse proxy service to restrict the administrative URLs to known legitimate ones
* Frequent vulnerability scans to detect areas of risk, and regular scans using web security software (this does not prevent zero-day attacks)
* Deploying a firewall
* Disabling directory browsing
* Not using default passwords


Detection

Web shells can be easily modified, so it is not easy to detect web shells, and antivirus software is often not able to detect them. The following are common indicators that a web shell is present on a web server:

* Abnormally high web server usage (due to heavy downloading and uploading by the attacker);
* Files with an abnormal timestamp (e.g. newer than the last modification date);
* Unknown files on a web server;
* Files having dubious references, for example to cmd.exe or eval;
* Unknown connections in the web server's logs, for example a file generating suspicious traffic (e.g. a PNG file being requested with POST parameters);
* Dubious logins from DMZ servers to internal subnets and vice versa.

Web shells may also contain a login form, which is often disguised as an error page.

Using web shells, adversaries can modify the .htaccess file (on servers running the Apache HTTP Server software) on web servers to redirect search engine requests to a web page with malware or spam. Often web shells detect the user-agent, and the content presented to the search engine spider is different from that presented to the user's browser. To find such a web shell, a change of the crawler bot's user-agent is usually required. Once the web shell is identified, it can be deleted easily. Analyzing the web server's log could pinpoint the exact location of the web shell. Legitimate users and visitors usually have different user-agents and referers; a web shell, on the other hand, is usually only visited by the attacker, and therefore has very few variants of user-agent strings.
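As an added example (not from the original article), the following Python script applies two of the log indicators described above to a constructed sample of combined-format access-log lines: a POST to a static-file path, and a path reached by one client with one user-agent and no referer. It also scans a file's text for the dubious references the list mentions (eval, cmd.exe) together with a few PHP command-execution function names. The log format, thresholds, sample lines, token list and function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log layout (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Extensions that are fetched by browsers, never posted to.
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".css", ".ico", ".svg", ".woff")

# Constructed sample log: three ordinary visitors, then a single client that
# posts to an image path and then calls a script nobody else ever touches.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"
203.0.113.11 - - [10/Mar/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://example.com/about.html" "Mozilla/5.0 (Macintosh) Safari/605.1"
198.51.100.7 - - [10/Mar/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Chrome/122.0"
203.0.113.10 - - [10/Mar/2024:10:00:12 +0000] "GET /images/logo.png HTTP/1.1" 200 8123 "https://example.com/index.php" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"
192.0.2.44 - - [10/Mar/2024:02:13:01 +0000] "POST /uploads/avatar.png HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:02:13:07 +0000] "POST /uploads/avatar.png HTTP/1.1" 200 9981 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:02:14:30 +0000] "GET /uploads/x.php?x=id HTTP/1.1" 200 77 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:02:14:41 +0000] "GET /uploads/x.php?x=uname HTTP/1.1" 200 310 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:02:15:02 +0000] "GET /uploads/x.php?x=ls HTTP/1.1" 200 2048 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_suspicious_paths(lines, min_hits=3):
    """Return {path: [reasons]} for paths matching the log indicators above."""
    stats = defaultdict(lambda: {"hits": 0, "posts": 0, "uas": set(), "ips": set(), "refs": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["path"]]
        s["hits"] += 1
        if rec["method"] == "POST":
            s["posts"] += 1
        s["uas"].add(rec["ua"])
        s["ips"].add(rec["ip"])
        s["refs"].add(rec["referer"])

    findings = {}
    for path, s in stats.items():
        reasons = []
        # A PNG (or other static file) that receives POST requests.
        if s["posts"] and path.lower().endswith(STATIC_EXT):
            reasons.append("POST to a static-file path")
        # A resource with enough traffic to judge, yet seen from only one
        # address, one user-agent string and never via a referer.
        if (s["hits"] >= min_hits and len(s["ips"]) == 1
                and len(s["uas"]) == 1 and s["refs"] <= {"-"}):
            reasons.append("single client, single user-agent, no referer")
        if reasons:
            findings[path] = reasons
    return findings


# References the article calls dubious (eval, cmd.exe) plus PHP functions that
# hand a string to the shell or interpreter (constructed list for this example).
SUSPICIOUS_TOKENS = ("eval(", "assert(", "shell_exec(", "passthru(", "base64_decode(", "cmd.exe")


def suspicious_tokens(source):
    """Return the set of SUSPICIOUS_TOKENS present in a file's text (case-insensitive)."""
    low = source.lower()
    return {t for t in SUSPICIOUS_TOKENS if t in low}


if __name__ == "__main__":
    for path, why in find_suspicious_paths(SAMPLE_LOG.splitlines()).items():
        print(path, "->", "; ".join(why))
```

Both heuristics produce candidates for a human to review rather than verdicts: a rarely visited admin page will trip the single-client rule, and a web shell that varies its user-agent will not. Their value is in narrowing a large log to a handful of paths whose files can then be inspected with suspicious_tokens and compared against the deployed release.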


See also

* Backdoor (computing)
* Cyberwarfare
* Internet security
* Network security
* China Chopper
* Privacy
* Web-based SSH

