A web shell is a shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyberattacks. A web shell is unique in that a web browser is used to interact with it.
A web shell could be programmed in any programming language that is supported on a server. Web shells are most commonly written in the PHP programming language due to the widespread usage of PHP for web applications. However, Active Server Pages, ASP.NET, Python, Perl, Ruby, and Unix shell scripts are also used, although less commonly.
Using network monitoring tools, an attacker can find vulnerabilities that can potentially allow delivery of a web shell. These vulnerabilities are often present in applications that are run on a web server.
An attacker can use a web shell to issue shell commands, perform privilege escalation on the web server, and upload, delete, download, and execute files on the web server.
General usage
Web shells are used in attacks mostly because they are multi-purpose and difficult to detect.
Web shells are commonly used for:
* Data theft
* Infecting website visitors (watering hole attacks)
* Website defacement by modifying files with malicious intent
* Launching distributed denial-of-service (DDoS) attacks
* Relaying commands into parts of the network that are not reachable from the Internet
* Serving as a command and control base, for example as a bot in a botnet, or as a foothold for compromising the security of additional external networks
Delivery of web shells
Web shells are installed through vulnerabilities in web applications or weak server security configuration, including the following:
* SQL injection;
* Vulnerabilities in applications and services (e.g. web server software such as NGINX, or content management system applications such as WordPress);
* File processing and uploading vulnerabilities, which can be mitigated by e.g. limiting the file types that can be uploaded;
* Remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities;
* Remote code execution;
* Exposed administration interfaces.
An attacker may also modify (spoof) the Content-Type header sent with a file upload to bypass improper file validation (validation that relies on the MIME type sent by the client), which results in a successful upload of the attacker's shell.
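The difference between validation that trusts the client's Content-Type header and validation that inspects the upload itself can be shown with an added example (this is not code from the article). `naive_check` models the weak check described above; `hardened_check` ignores the header and decides from the file's magic bytes, its extension and its body. The function names, the allowed-type policy and the sample uploads are assumptions constructed for this example.

```python
"""Added example (not from the article): checking an uploaded file by its
content instead of the client-supplied Content-Type header.

naive_check models the weak validation the article describes: it trusts
whatever MIME type the client sends, so a PHP file uploaded with a spoofed
"image/png" header passes.  hardened_check ignores the header and decides
from the file's own bytes and extension.  All sample uploads below are
constructed for this example.
"""
import os

# Extensions the upload handler is willing to store (assumed policy).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Magic-byte signatures for the allowed image formats.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Byte sequences that should never appear in a legitimate image upload.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def naive_check(filename, client_content_type, data):
    """Weak validation: trusts the Content-Type header supplied by the client."""
    return client_content_type in {"image/png", "image/jpeg", "image/gif"}


def hardened_check(filename, client_content_type, data):
    """Validation that ignores the header and inspects the upload itself.

    Returns (accepted, reason).  The header argument is kept only so the
    two functions share a signature; it is deliberately unused.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    # Double extensions such as shell.php.png are rejected outright.
    base = filename[: -len(ext)]
    if os.path.splitext(base)[1]:
        return False, "double extension"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match extension"
    # A polyglot file can carry a valid image header and still embed code,
    # so scan the body for script markers as well.
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "embedded script marker"
    return True, "ok"


# Constructed sample uploads: a real PNG header, a PHP file with a spoofed
# header, a double-extension file, and a PNG polyglot with a PHP tag appended.
SAMPLES = [
    ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("shell.php", "image/png", b"<?php echo 1; ?>"),
    ("shell.php.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("poly.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"<?= 1 ?>"),
]


def compare(samples=SAMPLES):
    """Return {filename: (naive_result, hardened_result)} for the samples."""
    return {
        name: (naive_check(name, ctype, data), hardened_check(name, ctype, data)[0])
        for name, ctype, data in samples
    }


if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print(f"{name:15} naive={weak!s:5} hardened={strong}")
```

The naive check accepts all four samples because every one of them arrives with the header "image/png"; the hardened check accepts only the genuine PNG. The same shape of check (extension allowlist, magic bytes, body scan, never the client header) applies in whatever server-side language the upload handler is written in.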
Example
The following is a simple example of a web shell written in PHP that executes and outputs the result of a shell command:
<?=`$_GET['x']`?>
Assuming the filename is example.php, an example request that would output the contents of the /etc/passwd file is shown below:
https://example.com/example.php?x=cat%20%2Fetc%2Fpasswd
The above request takes the value of the x parameter of the query string and runs it as the following shell command:
cat /etc/passwd
This could have been prevented if the shell functions of PHP were disabled so that arbitrary shell commands cannot be executed from PHP.
Prevention and mitigation
A web shell is usually installed by taking advantage of vulnerabilities present in the web server's software. That is why removing these vulnerabilities is important to avoid the potential risk of a compromised web server.
The following are security measures for preventing the installation of a web shell:
* Regularly updating the applications and the host server's operating system to ensure immunity from known bugs
* Deploying a demilitarized zone (DMZ) between the web-facing servers and the internal networks
* Securely configuring the web server
* Closing or blocking ports and services which are not used
* Using user input data validation to limit local and remote file inclusion vulnerabilities
* Using a reverse proxy service to restrict the administrative URLs to known legitimate ones
* Running frequent vulnerability scans to detect areas of risk, and conducting regular scans using web security software (this does not prevent zero-day attacks)
* Deploying a firewall
* Disabling directory browsing
* Not using default passwords
Detection
Web shells can be easily modified, so it is not easy to detect them, and antivirus software is often not able to detect web shells.
The following are common indicators that a web shell is present on a web server:
* Abnormally high web server usage (due to heavy downloading and uploading by the attacker);
* Files with an abnormal timestamp (e.g. newer than the last modification date);
* Unknown files on the web server;
* Files containing dubious references, for example cmd.exe or eval;
* Unknown connections in the web server's logs, for example a file generating suspicious traffic (e.g. a PNG file being requested with POST parameters);
* Dubious logins from DMZ servers to internal sub-nets and vice versa.
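Three of the file-based indicators above (unknown files, abnormal timestamps, dubious references such as cmd.exe or eval) can be checked together by sweeping the web root against a record of what was deployed. The following is an added example, not code from the article: it takes a web root, the timestamp of the last legitimate deployment and a manifest of known files, and reports every file that trips an indicator. The sample tree it builds, the token list and the function names are assumptions constructed for this example.

```python
"""Added example (not from the article): a file-system sweep for the
indicators listed above.  Given a web root, a deployment timestamp and a
manifest of known files, it flags files that are unknown, newer than the
last legitimate deployment, or that reference dubious names such as
cmd.exe or eval.  The sample tree it builds is constructed for the example.
"""
import os
import re
import tempfile
import time

# Tokens the article names, plus a few PHP execution primitives.  Matching
# is on whole identifiers, so a comment mentioning "evaluate" does not trigger.
DUBIOUS = re.compile(rb"\b(eval|cmd\.exe|shell_exec|passthru|system|exec|base64_decode)\b")


def scan_webroot(root, deployed_at, manifest):
    """Return {relative_path: [reasons]} for files that match any indicator."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if rel not in manifest:
                reasons.append("not in deployment manifest")
            if os.path.getmtime(full) > deployed_at:
                reasons.append("modified after last deployment")
            with open(full, "rb") as fh:
                body = fh.read()
            hits = sorted({m.group(1).decode() for m in DUBIOUS.finditer(body)})
            if hits:
                reasons.append("dubious references: " + ", ".join(hits))
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree():
    """Create a constructed web root: two legitimate files and one planted file.

    Returns (root, deployed_at, manifest).
    """
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    legit = {
        "index.php": b"<?php echo 'hello'; ?>\n",
        "uploads/readme.txt": b"user uploads live here\n",
    }
    for rel, body in legit.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    deployed_at = time.time()
    # Backdate the legitimate files so they precede the deployment time.
    for rel in legit:
        path = os.path.join(root, rel)
        os.utime(path, (deployed_at - 86400, deployed_at - 86400))
    # A file that appears later, is absent from the manifest and mentions
    # eval and cmd.exe.  Its content is a non-functional constructed sample.
    planted = os.path.join(root, "uploads", "image.php")
    with open(planted, "wb") as fh:
        fh.write(b"<?php // constructed sample: eval( ... ) cmd.exe\n")
    os.utime(planted, (deployed_at + 3600, deployed_at + 3600))
    return root, deployed_at, set(legit)


if __name__ == "__main__":
    root, deployed_at, manifest = build_sample_tree()
    for rel, reasons in scan_webroot(root, deployed_at, manifest).items():
        print(rel, "->", "; ".join(reasons))
```

In practice the manifest would come from the deployment pipeline (a package list or a hash inventory taken at release time), and a file hash comparison would be added to catch known files whose content has changed while their timestamp was reset.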
Web shells may also contain a login form, which is often disguised as an error page.
Using web shells, adversaries can modify the .htaccess file (on servers running the Apache HTTP Server software) to redirect search engine requests to a web page with malware or spam. Often the web shell detects the user-agent, and the content presented to the search engine spider is different from that presented to the user's browser. To find such a web shell, changing the user-agent to that of the crawler bot is usually required. Once the web shell is identified, it can be deleted easily.
Analyzing the web server's log can pinpoint the exact location of the web shell. Legitimate users and visitors usually have a variety of user-agents and referers (referrers); a web shell, on the other hand, is usually only visited by the attacker and therefore shows very few variants of user-agent strings.
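The log-based indicators from this section and the detection list above (POST requests to a file that should be static, and paths with almost no variety in user-agent or referer) can be applied to a combined-format access log. The following is an added example, not code from the article: it parses Apache/Nginx combined log lines and reports paths that match either indicator. The log lines, the path names, the threshold and the function names are assumptions constructed for this example.

```python
"""Added example (not from the article): spotting web shell candidates in
an Apache/Nginx combined-format access log.  It applies two indicators:
POST requests aimed at files that should be static (e.g. a PNG), and paths
whose visitors show no variety in user-agent or referer because only one
client ever requests them.  The log lines are constructed for this example.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

STATIC_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".css", ".ico", ".txt")


def parse_log(lines):
    """Yield dicts for lines that match the combined log format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_candidates(lines, min_hits=3):
    """Return {path: [reasons]} for paths matching the indicators."""
    posts_to_static = set()
    per_path = defaultdict(lambda: {"hits": 0, "ips": set(), "uas": set(), "refs": set()})
    for rec in parse_log(lines):
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.lower().endswith(STATIC_EXTENSIONS):
            posts_to_static.add(path)
        stats = per_path[path]
        stats["hits"] += 1
        stats["ips"].add(rec["ip"])
        stats["uas"].add(rec["ua"])
        stats["refs"].add(rec["referer"])
    findings = defaultdict(list)
    for path in posts_to_static:
        findings[path].append("POST request to a static-looking file")
    for path, s in per_path.items():
        # Enough traffic to judge, but every hit from one client with one
        # user-agent and no referer: nobody else links to or visits it.
        if s["hits"] >= min_hits and len(s["ips"]) == 1 and len(s["uas"]) == 1 and s["refs"] <= {"-"}:
            findings[path].append("single visitor, single user-agent, no referer")
    return dict(findings)


# Constructed sample: normal browsing of index.php from several clients,
# repeated POSTs to a PNG from one client, and a script only one client visits.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.5 - - [10/Oct/2023:13:56:40 +0000] "GET /uploads/logo.png HTTP/1.1" 200 2048 "https://example.com/index.php" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
198.51.100.77 - - [10/Oct/2023:14:02:11 +0000] "POST /uploads/logo.png HTTP/1.1" 200 311 "-" "python-requests/2.31"
198.51.100.77 - - [10/Oct/2023:14:02:15 +0000] "POST /uploads/logo.png HTTP/1.1" 200 402 "-" "python-requests/2.31"
198.51.100.77 - - [10/Oct/2023:14:03:02 +0000] "POST /uploads/logo.png HTTP/1.1" 200 128 "-" "python-requests/2.31"
198.51.100.77 - - [10/Oct/2023:14:05:44 +0000] "GET /wp-content/cache.php?x=1 HTTP/1.1" 200 96 "-" "python-requests/2.31"
198.51.100.77 - - [10/Oct/2023:14:06:10 +0000] "GET /wp-content/cache.php?x=2 HTTP/1.1" 200 96 "-" "python-requests/2.31"
198.51.100.77 - - [10/Oct/2023:14:07:31 +0000] "GET /wp-content/cache.php?x=3 HTTP/1.1" 200 96 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for path, reasons in sorted(find_candidates(SAMPLE_LOG.splitlines()).items()):
        print(path, "->", "; ".join(reasons))
```

The PNG is flagged because a static image should never receive POST bodies, and the script is flagged because all of its traffic comes from one address with one user-agent and no referer, which is the low-variety pattern the text describes. On a real log the threshold should be raised and paths visited by known monitoring tools excluded, since those also show a single user-agent.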
See also
* Backdoor (computing)
* Cyberwarfare
* Internet security
* Network security
* China Chopper