Web shell

An example of what a fake error page might look like in a WSO web shell.

A Web shell is a script that can be uploaded to a web server to enable remote administration of the machine. A web shell can be written in any language that the target web server supports.[1] The most commonly observed web shells are written in languages that are widely supported, such as PHP and ASP. Perl, Ruby, Python, and Unix shell scripts are also used. Once successfully uploaded, an adversary can use the web shell to leverage other exploitation techniques to escalate privileges and to issue commands remotely. These commands are directly linked to the privilege and functionality available to the web server and may include the ability to add, delete, and execute files as well as the ability to run shell commands, further executables, or scripts.[2][3]

Examples of Web shells

Web shells such as China Chopper, WSO, C99 and B374K are frequently chosen by adversaries; however, these are only a few of the many web shells known to be in use.

  • b374k – A web shell written in PHP with abilities such as monitoring processes & command execution. The latest version of the b374k shell is 3.2.3.[4][5][6]
  • C99 – A version of the WSO shell with additional functionality. Can display the server’s security measures and contains a self-delete function.
  • China Chopper – A small web shell packed with features. Has several command and control features including a password brute force capability.
  • WSO – Stands for “web shell by orb” and has the ability to masquerade as an error page containing a hidden login form.
Web shells can be as short as just one line of code.[7][8]

    <?=`$_GET[1]`?>

Web shell of size 15 bytes.
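As an added example that is not part of the original article, the following Python scanner takes the defender's position and flags PHP sources that show the defining trait described above: command or code execution controlled by request input, as in the 15-byte one-liner. The file names, rule names and all sample sources other than that quoted one-liner are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed PHP samples for the demo. "oneliner.php" is the 15-byte shell
# quoted in the article; the other three files are synthetic and illustrative.
SAMPLES: Dict[str, str] = {
    "oneliner.php": "<?=`$_GET[1]`?>",
    "cmd.php": "<?php system($_GET['cmd']); ?>",
    "obf.php": "<?php eval(base64_decode($_POST['p'])); ?>",
    "index.php": "<?php echo 'Hello, world'; ?>",
}

# Building blocks for the rules: PHP superglobals carrying request data,
# functions that execute code or shell commands, and common decoders
# used to hide the payload from plain string matching.
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"
EXEC_FUNCS = r"(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)"
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13)"

# Each rule is (name, regex). A hit means request data reaches an execution
# sink, or an execution sink is fed a decoded blob, both hallmarks of a shell.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("backtick-exec-from-request",
     re.compile(r"`[^`]*" + REQUEST_INPUT + r"[^`]*`")),
    ("exec-func-from-request",
     re.compile(r"\b" + EXEC_FUNCS + r"\s*\([^;]*?" + REQUEST_INPUT, re.I)),
    ("eval-of-decoded-payload",
     re.compile(r"\beval\s*\(\s*" + DECODERS + r"\s*\(", re.I)),
]


def scan_php_source(src: str) -> List[str]:
    """Return the names of every rule that fires on one PHP source string."""
    return [name for name, rx in RULES if rx.search(src)]


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a {filename: source} mapping and keep only files with findings."""
    report: Dict[str, List[str]] = {}
    for name, src in files.items():
        hits = scan_php_source(src)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for fname, hits in scan_files(SAMPLES).items():
        print(f"{fname}: {', '.join(hits)}")
```

Pattern matching of this kind catches plain shells but not heavily obfuscated ones, so in practice it is paired with file-integrity monitoring of the web root and review of web server logs for unexpected POST requests to newly created scripts.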

Delivery tactics

Web shells can be delivered through a number of web application exploits or configuration weaknesses such as:

  • Cross-site scripting
  • SQL injection
  • Vulnerabilities in applications/services (such as WordPress or other CMS applications)
  • File processing vulnerabilities (such as upload filtering or assigned permissions)
  • Remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities
  • Exposed admin interfaces

References

  1. Wrench, P. M.; Irwin, B. V. W. (1 August 2015). "Towards a PHP webshell taxonomy using deobfuscation-assisted similarity analysis". 2015 Information Security for South Africa (ISSA). pp. 1–8. doi:10.1109/ISSA.2015.7335066. ISBN 978-1-4799-7755-0. S2CID 10056400. Retrieved 17 February 2019 – via IEEE Xplore.
  2. US Department of Homeland Security. "Web Shells – Threat Awareness and Guidance". www.us-cert.gov. Retrieved 20 December 2018. This article incorporates text from this source, which is in the public domain.
  3. admin (3 August 2017). "What is a Web shell?". malware.expert. Retrieved 20 December 2018.
  4. "Google Code Archive - Long-term storage for Google Code Project Hosting". code.google.com. Retrieved 22 December 2018.
  5. "The Webshell Game Continues". 8 July 2016. Retrieved 22 December 2018.
  6. "GitHub - b374k/b374k: PHP Webshell with handy features". GitHub.
  7. "WSO Shell: The Hack Is Coming From Inside The House!". 22 June 2017. Retrieved 22 December 2018.
  8. "Web Shells: The Criminal's Control Panel - Netcraft". news.netcraft.com. Retrieved 22 December 2018.