Web shell facts for kids
A Web shell is a script that can be uploaded to a web server to enable remote administration of the machine. A web shell can be written in any language that the target web server supports. The most commonly observed web shells are written in languages that are widely supported, such as PHP and ASP. Perl, Ruby, Python, and Unix shell scripts are also used. Once a web shell has been successfully uploaded, an adversary can use it to run further exploitation techniques, escalate privileges and issue commands remotely. What the web shell can do is limited by the privileges and functionality of the web server process it runs under; typically this includes adding, deleting and executing files, and running shell commands, other executables or scripts.
Examples of Web shells
Web shells such as China Chopper, WSO, C99 and B374K are frequently chosen by adversaries; these are only a few of the many web shells in known use.
- b374k – A web shell written in PHP with features such as process monitoring and command execution. The latest version of the b374k shell is 3.2.3.
- C99 – A version of the WSO shell with additional functionality. Can display the server’s security measures and contains a self-delete function.
- China Chopper – A small web shell packed with features. Has several command and control features including a password brute force capability.
- WSO – Stands for “web shell by orb” and has the ability to masquerade as an error page containing a hidden login form.
Web shells can be as short as a single line of code. The following PHP web shell is only 15 bytes long: it runs whatever shell command is passed in the query-string parameter named 1 and writes the command's output into the response.
<?=`$_GET[1]`?>
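The one-liner above, China Chopper's eval of a POST parameter, and the packed eval(gzinflate(base64_decode(...))) loaders that drop shells like C99 and WSO all share a small set of telltale constructs: request input flowing straight into the backtick operator, eval, a command-execution function or a variable function call. The following scanner, written as an added example for this page and not taken from any real tool or shell, searches PHP source for those constructs. Its signature set, its sample files and the placeholder base64 string are all constructed for the example; it shows both what a signature scanner catches and what it misses.

```python
import os
import re
from typing import Dict, List

# Signatures for constructs that turn attacker-supplied request input into
# command or code execution. This signature set is constructed for the example;
# production scanners (YARA rule sets, for instance) carry far more rules and
# still miss obfuscated shells.
INDICATORS = {
    # <?=`$_GET[1]`?>  : backtick operator runs request input as a shell command
    "backtick_exec_of_request": re.compile(
        r"`[^`]*\$_(GET|POST|REQUEST|COOKIE)\b[^`]*`"),
    # @eval($_POST['pass'])  : China Chopper style, request body evaluated as PHP
    "eval_of_request": re.compile(
        r"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    # system($_GET['cmd'])  : request input passed straight to a command function
    "exec_func_of_request": re.compile(
        r"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    # $f($_GET['c'])  : variable function name called on request input
    "variable_func_of_request": re.compile(
        r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    # eval(gzinflate(base64_decode('...')))  : packed payload loader
    "eval_of_decoded": re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
}

# Extensions a typical PHP handler will execute, not just ".php".
PHP_EXTENSIONS = (".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".inc")


def scan_source(src: str) -> List[str]:
    """Return the name of every indicator that matches the given PHP source."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a web root and report each PHP-like file that triggers an indicator."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


# Constructed sample files (not taken from any real compromise) so the scanner
# runs offline. The base64 string in packed.php is a placeholder, not a payload.
SAMPLES = {
    "tiny.php": "<?=`$_GET[1]`?>",
    "chopper.php": "<?php @eval($_POST['pass']);?>",
    "packed.php": "<?php eval(gzinflate(base64_decode('SGVsbG8='))); ?>",
    "search.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
    # Evades every signature above: input is copied to a plain variable first
    # and the function name is assembled at runtime.
    "evasive.php": "<?php $c = $_REQUEST['c']; $f = 'sys' . 'tem'; $f($c); ?>",
}


def scan_samples() -> Dict[str, List[str]]:
    """Run the scanner over the constructed samples; used by the demo below."""
    return {name: scan_source(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:12s} {'SUSPICIOUS: ' + ', '.join(hits) if hits else 'clean'}")
```

search.php uses $_GET legitimately and is not flagged, while evasive.php is a working command shell that none of the signatures match; this is the standard limitation of signature scanning, so pair it with integrity monitoring of the web root (new or modified PHP files) and web server logs showing POST requests to files that never received traffic before.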
Delivery tactics
Web shells can be delivered through a number of web application exploits or configuration weaknesses such as:
- Cross-site scripting
- SQL injection
- Vulnerabilities in applications/services (such as WordPress or other CMS applications)
- File processing vulnerabilities (such as upload filtering or assigned permissions)
- Remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities
- Exposed admin interfaces
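The "file processing" entry above is the most direct route: an upload handler that only denylists the ".php" extension and trusts the client's filename lets an attacker drop a shell as shell.phtml, shell.php5 or, on servers that evaluate every extension in a name, shell.php.jpg. The following added example (written for this page, not code from any real upload handler) contrasts that weak check with a hardened one. The allowlist, the magic-byte table, the sample uploads and the random-name scheme are all constructed for the example.

```python
import re
import secrets
from typing import List, Optional, Tuple

# Allowlisted extensions mapped to the bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_accept(filename: str) -> bool:
    """The weak check: a denylist of one extension, trusting the client's filename.
    Anything the server also executes as PHP (.phtml, .php5, .phar), a double
    extension such as shell.php.jpg, or a path with traversal sails through."""
    return not filename.lower().endswith(".php")


def hardened_accept(filename: str, content: bytes) -> Optional[str]:
    """Return the name to store the file under, or None to reject it.

    - the client's filename is used only to read a single final extension;
      path separators and NUL bytes in the name are rejected outright
    - that extension must be on the allowlist
    - the content must begin with the magic bytes for that type
    - the stored name is random, with exactly one extension, so nothing the
      client chose reaches the filesystem
    """
    m = re.fullmatch(r"[^/\\\x00]+\.([a-z0-9]+)", filename.lower())
    if m is None:
        return None
    ext = m.group(1)
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not content.startswith(magic):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads (name, first bytes of the body); none are real samples.
SAMPLE_UPLOADS: List[Tuple[str, bytes]] = [
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("shell.phtml", b"<?php system($_GET['c']); ?>"),                 # alternate PHP extension
    ("shell.php.jpg", b"<?php system($_GET['c']); ?>"),               # double extension
    ("shell.php\x00.jpg", b"\xff\xd8\xff\xe0<?php system($_GET['c']); ?>"),  # NUL-byte truncation
    ("../../var/www/html/x.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),  # traversal into web root
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),                   # a genuine JPEG header
]


def evaluate_samples() -> dict:
    """Map each sample name to (accepted by weak check, accepted by hardened check)."""
    return {
        name: (weak_accept(name), hardened_accept(name, body) is not None)
        for name, body in SAMPLE_UPLOADS
    }


if __name__ == "__main__":
    for name, (weak, hard) in evaluate_samples().items():
        print(f"{name!r:32s} weak={weak!s:5s} hardened={hard}")
```

Two caveats belong with the hardened version. A polyglot that carries a valid JPEG header followed by PHP code still passes the magic-byte check; that is why the stored name never carries a PHP extension and why the upload directory must sit outside the web root (or be served with script execution disabled), so even a file containing PHP is only ever returned as bytes. Re-encoding images with an image library before storage removes the embedded code as well.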