{"id":5873,"date":"2024-02-22T12:21:44","date_gmt":"2024-02-22T06:51:44","guid":{"rendered":"https:\/\/shreshtait.com\/blog\/?p=5873"},"modified":"2024-02-22T13:36:07","modified_gmt":"2024-02-22T08:06:07","slug":"web-shell-a-primer","status":"publish","type":"post","link":"https:\/\/shreshtait.com\/blog\/2024\/02\/web-shell-a-primer\/","title":{"rendered":"Web shell – A primer"},"content":{"rendered":"\n

What is a web shell?<\/strong><\/h3>\n\n\n\n

A web shell is a malicious script written using commonly used web application languages such as PHP, JSP, or ASP. They provide an attacker with a easy way to attack a compromised web server via web-based vulnerabilities, and once installed on a web server’s operating system, the web shell’s facilitate remote administration. <\/p>\n\n\n\n

A web shell can allow threat actors to modify files on the web server and even access the root directory of the web server.<\/p>\n\n\n\n

Web shells are a tactic used by threat actors to maintain persistence T1505.003<\/a><\/p>\n\n\n\n

\"MITRE<\/figure>\n\n\n\n
<\/div>\n\n\n\n

How do attackers use a web shell?<\/strong><\/h3>\n\n\n\n
\"Image<\/figure>\n\n\n\n

Threat attackers do a search for servers which are vulnerable to web shell attacks. On discovering a\u00a0vulnerable web server threat actors launch a web shell attack before the victim becomes alert and patches the vulnerability. The attacker usually takes advantage of common web page vulnerabilities such as SQL injection<\/a>, remote file inclusion (RFI)<\/a>, and cross-site scripting (XSS)<\/a> <\/p>\n\n\n\n

The web shell runs on web server software with limited user permissions. Using the web shell, attackers attempt to perform privilege escalation<\/a> by exploiting local vulnerabilities in the system to gain root access, enabling them to take complete control of the server.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Characteristics of some the Web Shells are shown below<\/strong><\/h3>\n\n\n\n

Shreshta Threat Intelligence<\/a> team has decrypted some web shells, and snippets of the characteristics of the web shell are shown below.<\/p>\n\n\n\n

Webshell #1 0byte v2 Shell<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1 – Screenshot of the decrypted code of the 0byte v2 web shell<\/p>\n\n\n\n

The code is designed to execute shell commands using various PHP functions such as system, exec, passthru, and shell_exec. It incorporates error and log suppression functions to avoid detection.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 2-  Screenshot of code that allows the attacker to download the data<\/span><\/p>\n\n\n\n

The above code snippet allows the attacker to download files from the server by specifying the file path in the $_GET[‘file’] parameter<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 3 – Screenshot of the snippet of the reverse shell code <\/p>\n\n\n\n

The above code echoes HTML to display a form for configuring and executing a reverse shell by using the POST method.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 4 – Screenshot of the encrypted and decrypted code<\/p>\n\n\n\n

This part of the code is used for tracking or reporting the usage of the backdoor to a remote server.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Webshell #2 0x Shell<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 5 – Screenshot of code snippet defines various parameters<\/p>\n\n\n\n

The parameter includes the shell name, slogan, version, and security bypass setting. It also incorporates bot protection, preventing it from being cached or crawled, along with error suppression.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 6 – Screenshot of the code file scanner<\/p>\n\n\n\n

This code tries to identify popular web application configuration files (e.g., WordPress, Joomla, Magento) based on file paths.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 7 – Screenshot of the code handling file download and upload<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 8 – Screenshot of tool creation function<\/p>\n\n\n\n

The code downloads tools from external URLs and stores them in the “0x1” directory.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 9 – Screenshot of code attempting to extract passwords of web applications from their configuration files.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 10 – Screenshot of base64 encrypted Perl script that opens a reverse shell<\/p>\n\n\n\n

Reverse shell also known as a remote shell or \u201cconnect-back shell,\u201d which takes advantage of the target system\u2019s vulnerabilities to initiate a shell session and then access the victim\u2019s computer<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 11 – Screenshot of the code extracts information from the listed configuration path<\/p>\n\n\n\n

<\/div>\n\n\n\n

The code extracts information from specified configuration files on the web server. The extracted information is then either saved in a new file or symlinked, depending on the value of the ‘tipe’ parameter<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 12 – Screenshot of the code having the self-remove option<\/p>\n\n\n\n

<\/div>\n\n\n\n

Web shell #3 1337 3YP455 Shell<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 13 – Screenshot of the code for error suppression and initialisation of the session<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 14 – Screenshot of the file upload functionality<\/p>\n\n\n\n

<\/div>\n\n\n\n

Web shell #4 2018 WSO Shell<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 15 – Screenshot of Encrypted web shell using multistage encryption<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 16 – Screenshot depicting error reporting and configuration settings<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 17 – Screenshot of the hard login function with bot protection<\/p>\n\n\n\n

It incorporates bot protection, preventing it from being cached or crawled by the listed user agents<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 18 – Screenshot of the code using exploit-db<\/p>\n\n\n\n

The $explink variable constructs a URL for searching the Exploit Database for exploits related to the server’s operating system and kernel version<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 19 – Screenshot of the encrypted and decrypted code <\/p>\n\n\n\n

The code creates an email ($xd) with server details and sends it to the specified address ($hex) using the mail function<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 20 – The encrypted code of the cPanel information grabber<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 21 – Screenshot of the heading of the code with error suppression<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 22 – Screenshot of the code exfiltrating encoded information to a C&C<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 23 – Screenshot of the encrypted code that scans the \u201c\/home\u201d directory<\/p>\n\n\n\n

This script scans and displays the \u201c\/home\u201d directory for possible readable and writable directories<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 24 – Screenshot of the code having the self-remove option<\/p>\n\n\n\n

<\/div>\n\n\n\n

Web shell #5 22XC Mini Shell<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 25 – Screenshot of the session and security settings<\/p>\n\n\n\n

The PHP script is modified using \u201cini_set\u201d to suppress errors, clear stat cache, and disable error logging\/display.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 26 – Screenshot of the hard login function with bot protection<\/p>\n\n\n\n

It incorporates bot protection, preventing it from being cached or crawled by the listed user agents<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 27 – Screenshot of code that allows the attacker to download the data<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 28 – Screenshot of code that is related to the creation and execution of a ransomware script<\/p>\n\n\n\n

<\/div>\n\n\n\n

Web shell #6 22XploiterCrew Shell<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 29 – Screenshot of the meta tags of the 22XploiterCrew Shell<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 30 – Screenshot of the script extracting various details of the server and sending it to a C&C<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 31 – Screenshot of the code handling file uploads<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 32 – Screenshot of the code handling website defacement<\/p>\n\n\n\n

Website defacement<\/a> is an attack on a website that changes the visual appearance of a website or a web page<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 33 – Screenshot of the code checking for and installing Adminer<\/p>\n\n\n\n

The web shell checks for the presence of Adminer<\/a> on the server; if it is not found, the script attempts to install it.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 34 – Screenshot of the code handling the reset of cPanel\u2019s credentials.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Web shell #7 404 Not Found Mini Shell<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 35 – Screenshot of the file upload functionality <\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 36 – Screenshot of the file download functionality<\/p>\n\n\n\n

<\/div>\n\n\n\n

Web shell #8 404 Not Found Mini Shell<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 37 – Screenshot of the code searching for the particular OS vulnerability on \u201cMilw0rm\u201d website<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 38 – Screenshot of the code with a list of arrays<\/p>\n\n\n\n

The arrays are listed to verify the presence of databases, security tools, and downloading capabilities.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 39 – Screenshot of the file upload functionality <\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 40 – Screenshot of the code having the log-out option<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 41 – Screenshot of the code having the self-remove option<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 42 – Screenshot of the code for the brute-force function<\/p>\n\n\n\n

The PHP script performs brute-force<\/a> attacks on different types of servers, specifically for FTP, MySQL, and PostgreSQL protocols.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 43 – Screenshot of the script that compiles and executes a C program backdoor \u201c$back_connect_c\u201d<\/p>\n\n\n\n

The compilation and the execution of the code happens in the background<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 44 – Screenshot of the script that compiles and executes a Perl script backdoor \u201c$back_connect_p\u201d<\/p>\n\n\n\n

The compilation and the execution of the code happens in the background<\/p>\n\n\n\n

<\/div>\n\n\n\n

Web shell #9 407 Mini Shell<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 45 – Screenshot of the hard login function with bot protection<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 46 – Screenshot of the file upload functionality <\/p>\n\n\n\n

<\/div>\n\n\n\n

Web shell #10 51mp3L Web Backdoor<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 47 – Screenshot of the file upload functionality <\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Figure 48 – Screenshot of the code sending information to an external server<\/p>\n\n\n\n

<\/div>\n\n\n\n

Web shell marketplace<\/strong><\/h2>\n\n\n\n

Web shells are readily available on the Internet, accessible through platforms such as Telegram, GitHub etc. Some of them are shown below.<\/p>\n\n\n\n

Telegram chat #1 offers free downloads of web shells<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 49 – The Telegram chatroom offers free downloads for web shells and hack tools<\/p>\n\n\n\n

<\/div>\n\n\n\n

Telegram chat #2 offers free downloads of web shells<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 50 – The Telegram chatroom offers free downloads of the latest web shell.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Website #1 allows users to download webshells<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 51 – The website presents webshells with descriptions and offers free downloads<\/p>\n\n\n\n

<\/div>\n\n\n\n

Website #2 allows users to download webshells<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 52 – The website offers free downloads of webshells with various features<\/p>\n\n\n\n

<\/div>\n\n\n\n

Website #3 allows users to download webshells<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 53 – The website provides free downloads of webshells along with an archive of past versions.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Safety Recommendations <\/strong><\/h2>\n\n\n\n