[Warning: this diary contains many pictures and may take some time to load on slow links]
Web shells are not new in the threat landscape. A web shell is a script (written in PHP, ASP, Perl, ... depending on the available environment) that can be uploaded to a web server to enable remote administration. While web shells are usually installed for legitimate purposes, many of them are installed on compromised servers. Once in place, the web shell allows a complete takeover of the victim's server, but it can also be used to pivot and attack internal systems.
In a recent investigation, I found on a shared platform a compromised website that was delivering phishing pages. I was able to get access to the archive containing the phishing kit, but also a web shell. It was also installed on the server and its location was easy to guess. The web shell presents itself as RC-SHELL (I found references to it in 2013), but it has a very low detection rate on VT (4/55) and was uploaded there for the first time a few hours before me. Maybe it has been improved or updated?
Modern web shells are very powerful and offer plenty of features to the attacker. Because some pictures are worth a thousand words, I decided to take a tour of the interface to give you more details about modern web shells and to show their power. This web shell is written in PHP and, as usual, access to the web interface is restricted via hardcoded credentials. The login / password hashes are in the source code. A quick search in rainbow tables returned "test": [screenshot]
At the top of the screen, you can see details about the host and basic PHP settings like the safe-mode status and available database support. Then comes the single-line menu giving access to all the features. Let's review them.
The Files menu: [screenshot]
The Search menu performs file search operations (think of the Linux find command), but you can also search for specific content inside files (like grep): [screenshot]
The Upload menu transfers files to the local file system. Files can be uploaded from the local drive (on the attacker's side): [screenshot]
The Cmd menu executes shell commands on the target (this is really the core feature of a web shell). Commands are executed with the web server UID rights and the output is returned in the browser: [screenshot]
The Eval menu offers the same features as Cmd but executes native PHP code. This is a PHP shell: [screenshot]
The FTP menu: [screenshot]
The SQL menu: [screenshot]
The Mailers menu (as the name suggests): [screenshot]
The Calc menu: [screenshot]
The Tools menu: [screenshot]
Finally, the last two menus are used to manage processes on the box (à la top): [screenshot]
As you can see, a modern web shell is a powerful tool. Keep in mind that a web shell is executed with the rights and permissions of the web server (e.g. www-data on a Linux system). To reduce the risks, apply best practices like:
- Run the web server in a restricted environment (a VM, a Docker container, a chroot() jail).
- Do NOT give the web server account privileged access via commands like sudo.
- Do NOT give full DBA access to your database; restrict access to the required databases/tables and allow only the required SQL commands.
- Implement egress filters and restrict communications with the outside world.
- Protect your web server directories against write operations.
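As a detection-side complement to the hardening list above (an added example written for this diary, not code from the original post nor from the web shell's author): a heuristic scanner that flags PHP files containing the primitives this shell relies on, namely command execution (the Cmd menu), PHP evaluation (the Eval menu), payload decoders and a hardcoded login hash compared against the submitted password. The fixture files, the indicator weights and the alert threshold are my own assumptions, not values from the compromised host.

```python
import re
import tempfile
from pathlib import Path

# Each indicator is (regex, weight). They target what a shell like the one toured
# above needs: its "Cmd" menu (command execution), its "Eval" menu (PHP eval),
# payload decoders, request parameters, and a hardcoded md5()/sha1() login hash.
INDICATORS = {
    "exec": (r"\b(system|shell_exec|exec|passthru|popen|proc_open)\s*\(", 3),
    "eval": (r"\b(eval|assert|create_function)\s*\(", 3),
    "decode": (r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", 2),
    "request_input": (r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", 1),
    "hardcoded_hash": (r"\b(md5|sha1)\s*\([^)]*\)\s*={2,3}\s*['\"][0-9a-f]{32,40}['\"]", 4),
}
ALERT_THRESHOLD = 5  # assumed cut-off; tune it against your own code base

def scan_source(src: str) -> dict:  # hits per category plus a weighted score
    hits = {n: len(re.findall(rx, src, re.IGNORECASE)) for n, (rx, _) in INDICATORS.items()}
    # Cap each category at 3 hits so one large legitimate file cannot dominate the score.
    score = sum(min(c, 3) * INDICATORS[n][1] for n, c in hits.items())
    return {"hits": hits, "score": score, "suspicious": score >= ALERT_THRESHOLD}

def scan_tree(root: Path) -> list:  # (relative path, score, hits) for every *.php, worst first
    results = []
    for path in root.rglob("*.php"):
        res = scan_source(path.read_text(errors="replace"))
        results.append((path.relative_to(root).as_posix(), res["score"], res["hits"]))
    return sorted(results, key=lambda r: r[1], reverse=True)

# Constructed fixtures for the demo; these are not files recovered from the compromised host.
BENIGN_PHP = """<?php
$name = htmlspecialchars($_GET['name'] ?? 'world');
echo "<p>Hello, $name</p>";
"""
SHELL_LIKE_PHP = """<?php
if (md5($_POST['pass'] ?? '') == '098f6bcd4621d373cade4e832627b4f6') {
    echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';
    eval(base64_decode($_POST['code']));
}
"""

def demo_scan() -> list:  # write the fixtures into a throwaway web root and scan it
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(BENIGN_PHP)
        (root / "images").mkdir()
        (root / "images" / "cache.php").write_text(SHELL_LIKE_PHP)  # shells hide in odd places
        return scan_tree(root)
```

demo_scan() returns the ranked results for the two fixtures; point scan_tree() at a real document root and review anything at or above ALERT_THRESHOLD by hand, since legitimate admin tools can also trip a few indicators.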
Do not hesitate to share your stories about web shells. Did you find one, how, where?
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant