Webshell is a malicious script often used by hackers. Its purpose is to gain execution authority on the server, such as executing system commands, stealing user data, deleting web pages, and modifying homepages. The harm is self-evident. Hackers usually use common vulnerabilities, such as SQL injection, remote file inclusion (RFI), FTP, and even cross-site scripting (XSS) as part of social engineering attacks, and ultimately achieve the purpose of controlling the website server.
Common webshell writing languages are asp, jsp and php. This article will take the php Webshell as an example to explain in detail the common functions, working methods and common hiding techniques of Webshells.
1. Why Webshells are favored by hackers
The first step for hackers using a Webshell is usually to upload it to an accessible server, for example by exploiting a vulnerability in a third-party plug-in of the user's CMS system to upload a simple php Webshell. Of course, the types and functions of Webshells are not all the same. Some simple Webshells only serve as a connection to the outside world, allowing hackers to insert more targeted malicious scripts and execute the instructions they need; others may be more complex, with a database or file browser that allows hackers to view the code and data of the compromised system from thousands of miles away. Regardless of its design, a Webshell is extremely dangerous and is a common tool for cybercriminals and advanced persistent threats (APTs). The main characteristics of Webshell attacks are as follows:
Persistent remote access
Webshell scripts usually contain a backdoor. After uploading the Webshell, the hacker can use this backdoor for remote access and control of the server, thereby achieving long-term control of the website server. In addition, after uploading the Webshell, hackers often fix the vulnerability themselves to ensure that no one else can exploit it. In this way the hacker can keep a low profile and avoid any interaction with the administrator while still obtaining the same results.
Privilege escalation
If the server is not misconfigured, the Webshell runs with the privileges of the web server user, which are limited. Through the Webshell, hackers can exploit local vulnerabilities on the system to escalate privileges and gain root, after which they can do almost anything on the system, including installing software, changing permissions, adding and deleting users, stealing passwords, reading email, and so on.
Very concealed
A Webshell can be embedded in a normal web page and run there, and it is not easy to detect and remove. It can also pass through the server firewall: because the data exchanged with the controlled server or remote host is transmitted over port 80, it is not intercepted by the firewall. When no traffic is being recorded, the Webshell sends its data in POST packets, which are not recorded in the system log; only some data submission records appear in the web log.
2. PHP functions commonly used in Webshells
Webshells can be written in almost any web programming language. I focus on PHP because it is the most widely used programming language on the web. The following are the PHP functions most commonly used to execute shell commands.
system()
The system() function takes the command as a parameter, executes it, and prints the result directly.
exec()
The exec() function takes the command as a parameter but does not print the result. If the optional second parameter is specified, the output is returned through that array; otherwise only the last line of the output is returned, so echoing the return value shows just that last line.
shell_exec()
The shell_exec() function is similar to exec(), but the entire output is returned as a single string.
passthru()
passthru() executes a command and passes its output straight through in raw form.
proc_open()
The proc_open() function may be harder to understand. Simply put, proc_open() creates a process and returns a handle to it, so that the script can communicate with the program being run through its input and output streams.
Backquote
Many PHP developers are not aware of this, but PHP will execute the content inside backquotes (`) as a shell command. Please note that the backquote (`) is different from the single quote (').
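As an added example from the defensive side (not part of the original article), the following Python scanner flags direct uses of the functions listed above, and of the backtick operator, in PHP source; the two sample pages are constructed for the self-check and the function names are the ones discussed in this section.

```python
import re

# Command-execution primitives the article lists; matched case-insensitively
# because PHP function names are not case sensitive.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "proc_open")

_PHP_BLOCK_RE = re.compile(r"<\?(?:php)?(.*?)(?:\?>|\Z)", re.S)
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_CALL_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.I)
_BACKTICK_RE = re.compile(r"`[^`\n]*`")  # PHP's backtick (shell) operator

def _strip_comments(code: str) -> str:
    # Replace each comment by its newlines only, so line numbers stay valid.
    return _COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), code)

def scan_php_source(src: str) -> list[tuple[int, str]]:
    """Return sorted (line, primitive) pairs for direct uses of the listed
    functions or the backtick operator inside <?php ... ?> blocks.
    Heuristic: indirect calls ($f = 'system'; $f($c)) are not followed, and
    a '//' inside a string literal is treated as a comment."""
    findings: list[tuple[int, str]] = []
    for block in _PHP_BLOCK_RE.finditer(src):
        base_line = src.count("\n", 0, block.start(1))
        code = _strip_comments(block.group(1))
        for m in _CALL_RE.finditer(code):
            line = base_line + code.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1).lower()))
        for m in _BACKTICK_RE.finditer(code):
            line = base_line + code.count("\n", 0, m.start()) + 1
            findings.append((line, "backtick"))
    return sorted(findings)

# Constructed sample pages (not real webshells) for a quick self-check.
BENIGN_PAGE = (
    "<?php\n"
    "// system() is only mentioned in this comment\n"
    "echo htmlspecialchars($_GET['q'] ?? '');\n"
    "?>\n<p>Hello</p>\n"
)
SUSPECT_PAGE = (
    "<html><?php\n"
    "$out = shell_exec($_REQUEST['c']);\n"
    "echo `$_GET['x']`;\n"
    "PassThru( $_POST['cmd'] );\n"
    "?></html>\n"
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(name, scan_php_source(page))
```

A hit is a starting point for review, not proof of a Webshell, since legitimate code also calls these functions; on the hardening side, listing shell_exec in php.ini's disable_functions also disables the backtick operator, because the operator is implemented through shell_exec().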