A webshell is a malicious script that attackers plant on a web server to gain command execution on it: running system commands, stealing user data, deleting pages or defacing the home page. The damage is obvious. Attackers typically get the script onto the server through common vulnerabilities such as SQL injection, remote file inclusion (RFI) or FTP, and sometimes use cross-site scripting (XSS) as part of a social-engineering attack, with the ultimate goal of controlling the web server.
Webshells are commonly written in ASP, JSP and PHP. This article uses PHP webshells as the example to explain in detail their common functions, how they work, and the techniques commonly used to hide them.
The attacker's first step is usually to upload the webshell to a server they can reach, for example by exploiting a vulnerability in a third-party plug-in of the victim's CMS to upload a simple PHP webshell. Webshells differ in type and capability. Some minimal webshells do nothing more than provide a channel to the outside world through which the attacker can inject more specific malicious code and execute the commands they need; others are far more elaborate, with a database or file browser that lets the attacker inspect the code and data of the compromised system from the other side of the world. Whatever the design, webshells are extremely dangerous and a standard tool of both cyber criminals and advanced persistent threats (APTs). Their common characteristics include the following:
Persistent remote access
Webshells usually contain a backdoor. Once uploaded, the attacker uses it to gain remote access and control of the server, establishing long-term control over the web server. Having uploaded the webshell, the attacker will often patch the original vulnerability themselves so that nobody else can exploit it. This low-profile approach avoids any interaction with the administrator while still giving the attacker the same result.
Privilege escalation
Unless the server is misconfigured, a webshell runs with the privileges of the web server user, which are limited. Through the webshell, however, the attacker can exploit local vulnerabilities in the system to escalate privileges and obtain root, after which they can do essentially anything on the system: install software, change permissions, add and remove users, steal passwords, read e-mail, and so on.
Highly concealed
A webshell can be embedded in a normal web page and run there, where it is not easily caught by scanners, and its traffic passes through the server firewall: because it talks to the controlled server or remote host over port 80, the firewall does not block it. Unless traffic is being captured, commands sent in POST bodies are not recorded in the system log, and the web log only shows that some data was submitted.
Webshells can be written in almost any web programming language. PHP gets the most attention because it is the most widely used language on the web. Below are the functions most commonly used to execute shell commands in PHP.
system
The system function takes a command as its parameter and outputs the result.
The following example runs the dir command on Windows and returns a listing of the directory containing the PHP file.
Running the ls command on a Linux machine gives a similar result.
exec
The exec function also takes the command as a parameter, but does not output the result itself. If the optional second parameter is supplied, the output is returned in that array; otherwise, echoing the return value shows only the last line of the output.
Echoing the return value of exec therefore displays only the last line of the command's output.
If the second parameter is specified, the full output is returned as an array.
shell_exec
shell_exec is similar to exec, but returns the entire output as a single string.
passthru
passthru executes a command and passes its raw output directly back to the client.
proc_open
proc_open is harder to understand at first. Simply put, it starts a process and gives the script a handle with pipes (streams) through which the script and the program being run can communicate.
Backticks
Many PHP developers are unaware of this, but PHP executes the content enclosed in backticks (`) as a shell command, exactly as shell_exec does. Note that the backtick (`) and the single quote (') are different characters.
Based on the above, here is a simple PHP webshell.
It uses the system function to execute the command passed in the 'cmd' GET parameter of the HTTP request.
We have established that these functions (and several others) can be very dangerous. Worse, all of these built-in PHP functions are enabled by default when PHP is installed, and most system administrators never disable them. If you are not sure whether they are enabled on a system, running the following returns a list of the dangerous functions that are enabled.
On a default installation, the following functions are enabled.
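As an added example (not part of the original article), the following Python script audits a php.ini fragment for the execution functions discussed above: it parses the disable_functions directive, reports which of those functions remain enabled, and builds a hardened directive. The ini fragments are constructed samples; popen is added to the baseline as an assumption because it executes commands the same way.

```python
"""Audit a php.ini fragment for command-execution functions left enabled."""
import re

# Functions the article lists, plus popen (assumption: same risk class).
DANGEROUS = ("system", "exec", "shell_exec", "passthru", "proc_open", "popen")


def disabled_functions(ini_text: str) -> set[str]:
    """Names listed in the last disable_functions directive of the ini text.

    php.ini is parsed loosely: ';' starts a comment, the value may be quoted,
    names are comma-separated and case-insensitive, and a later directive
    overrides an earlier one, as PHP's ini parser does.
    """
    disabled: set[str] = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        m = re.match(r"^disable_functions\s*=\s*(.*)$", line, re.I)
        if not m:
            continue
        value = m.group(1).strip().strip('"\'')
        disabled = {n.strip().lower() for n in value.split(",") if n.strip()}
    return disabled


def enabled_dangerous(ini_text: str) -> list[str]:
    """Dangerous functions that the ini text does NOT disable."""
    off = disabled_functions(ini_text)
    return [f for f in DANGEROUS if f not in off]


def hardened_directive(ini_text: str) -> str:
    """A disable_functions line keeping existing entries and adding the rest."""
    names = sorted(disabled_functions(ini_text) | set(DANGEROUS))
    return "disable_functions = " + ",".join(names)


# Constructed sample: a default-style ini that disables nothing.
DEFAULT_INI = """
; php.ini fragment (constructed sample)
disable_functions =
expose_php = On
"""
# Constructed sample: a partially hardened ini.
PARTIAL_INI = """
disable_functions = "exec, shell_exec,passthru"  ; comment after the value
"""

if __name__ == "__main__":
    for label, ini in (("default", DEFAULT_INI), ("partial", PARTIAL_INI)):
        print(label, "still enabled:", enabled_dangerous(ini))
        print("  suggested:", hardened_directive(ini))
```

disable_functions is a PHP_INI_SYSTEM setting, so it only takes effect from php.ini or the main web server configuration, not from ini_set() or .htaccess; disabling shell_exec also disables the backtick operator.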
How attackers hide webshells
Modifying headers
Instead of passing commands through a $_POST request parameter, the attacker passes them in the User-Agent string.
The attacker then crafts an HTTP request that places the command in the User-Agent header.
The effect is visible in the server log: in the second request, the HTTP User-Agent has been replaced by the command cat /etc/passwd.
This method generates a lot of noise and can easily prompt an administrator who reviews the server logs to investigate. The following methods are much harder for administrators to discover.
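Reviewing the log for this pattern can be automated. The following Python script, added here as an example and not part of the original article, parses Apache/Nginx combined-format access log lines (an assumed layout) and flags entries whose User-Agent contains shell syntax or stand-alone command names; the log lines are constructed samples.

```python
"""Flag access-log entries whose User-Agent header carries a shell command."""
import re
from typing import Optional

# Apache/Nginx "combined" log format (assumption: the server logs this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators of shell syntax or common command names inside a User-Agent.
# Browser and tool UAs do not contain these as stand-alone words.
COMMANDS = r"(?:cat|ls|id|whoami|uname|wget|curl|nc|sh|bash|python|perl)"
UA_INDICATORS = [
    re.compile(rf"(?:^|[\s;|&(]){COMMANDS}(?:\s|$|[;|&)])"),
    re.compile(r"/etc/(?:passwd|shadow)"),
    re.compile(r"\$\(|`|\|\s*\w"),          # $(...), backticks, pipes
]


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_ua(ua: str) -> bool:
    return any(p.search(ua) for p in UA_INDICATORS)


def find_command_uas(lines) -> list[tuple[str, str, str]]:
    """Return (client ip, request line, user agent) for each command-like UA."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and suspicious_ua(entry["ua"]):
            hits.append((entry["ip"], entry["request"], entry["ua"]))
    return hits


# Constructed sample log: two normal requests, then two requests to the same
# uploaded script with commands in the User-Agent header.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/80.0"',
    '10.0.0.7 - - [10/Oct/2020:13:55:38 +0000] "GET /robots.txt HTTP/1.1" 200 40 '
    '"-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Oct/2020:13:55:40 +0000] "GET /uploads/img.php HTTP/1.1" 200 98 '
    '"-" "cat /etc/passwd"',
    '10.0.0.9 - - [10/Oct/2020:13:55:41 +0000] "GET /uploads/img.php HTTP/1.1" 200 31 '
    '"-" "id; uname -a"',
]

if __name__ == "__main__":
    for hit in find_command_uas(SAMPLE_LOG):
        print("command in User-Agent:", hit)
```

A repeated hit against one recently uploaded script from a single client, as in the sample, is the pattern worth alerting on, rather than any single line.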
Hiding in normal files
The simplest way to hide a webshell is to upload it to a deeply nested subdirectory and/or give it a random name.
A more effective method is to embed the webshell code in an existing legitimate file.
Or in the files of a CMS (e.g. WordPress).
Note: attackers usually put the @ operator in front of the function so that any errors are suppressed rather than displayed or written to the error log.
Obfuscation
Attackers use a variety of obfuscation techniques to avoid detection by administrators, and keep devising new and more complex ways to hide their code and bypass security systems. These are some of the most common techniques we have seen:
Removing whitespace and line breaks
Removing the spaces and line breaks from a block of code turns it into one long string, which makes it far less readable and harder to work out what the script does.
Encryption
This technique encrypts the code, reducing its readability, and relies on the various functions that can reconstruct the code at run time.
Hex obfuscation
The hexadecimal values of ASCII characters can also be used to obfuscate webshell commands further. The following example illustrates how this obfuscation is applied in a webshell.
Here is the hexadecimal representation of the string above.
The following code therefore accepts a hex-encoded string and turns it back into PHP code.
Via controllable input
PHP's commonly used attacker-controllable inputs include $_GET, $_POST, $_REQUEST, $_FILES, $_SERVER and $_COOKIE. These are PHP superglobals whose values come from the client request, so an attacker can set them from the browser.
The following example is very simple but very practical. Although the code is neither encoded nor encrypted, it uses no suspicious function names (such as eval() or assert()), no long encoded strings and no complex code, so compared with the earlier examples it is still hard to detect. Most importantly, nothing alarming appears when the administrator reviews the logs.
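To bring the hiding techniques above together (the @ operator, hex-encoded names, backtick execution and superglobal-driven calls), here is an added Python scanner, not from the original article, that flags these indicators in PHP source. The PHP snippets it scans are constructed samples, and the regexes are heuristics that a determined obfuscator can still evade.

```python
"""Static scan of PHP source for the webshell indicators discussed above:
hex-escaped names, '@'-silenced execution calls, backtick execution and
calls whose function name or argument comes straight from a superglobal."""
import re

EXEC_FUNCS = ["assert", "eval", "exec", "passthru", "popen", "proc_open",
              "shell_exec", "system"]
NAMES = "|".join(EXEC_FUNCS)
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)"


def decode_hex_escapes(src: str) -> str:
    """Turn PHP "\\x73\\x79..." escapes back into text so hidden names surface."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), src)


def scan_php(src: str) -> list[str]:
    """Return human-readable findings for one PHP source string (may be empty)."""
    findings = []
    decoded = decode_hex_escapes(src)
    if decoded != src:
        findings.append("hex-escaped string literals present")
    if re.search(rf"['\"](?:{NAMES})['\"]", decoded, re.I):
        findings.append("execution function name stored in a string literal")
    for m in re.finditer(rf"(@?)\b({NAMES})\s*\(", decoded, re.I):
        silenced = "@-silenced " if m.group(1) else ""
        findings.append(f"{silenced}call to {m.group(2).lower()}()")
    if re.search(r"`[^`]*\$[^`]*`", decoded):
        findings.append("backtick operator with a variable inside")
    # $_GET['f']($_GET['a']) needs no suspicious function name at all
    if re.search(rf"{SUPERGLOBAL}\s*\[[^\]]+\]\s*\(", decoded):
        findings.append("superglobal value used as a function name")
    if re.search(rf"\b(?:{NAMES})\s*\(\s*{SUPERGLOBAL}", decoded, re.I):
        findings.append("superglobal passed directly to an execution function")
    return findings


# Constructed samples written for this scan, not code from the article.
SAMPLES = {
    "plain":   "<?php echo htmlspecialchars($_GET['name']); ?>",
    "hex":     '<?php $f = "\\x73\\x79\\x73\\x74\\x65\\x6d"; $f($_GET["c"]); ?>',
    "ua":      "<?php @system($_SERVER['HTTP_USER_AGENT']); ?>",
    "varfunc": "<?php $_REQUEST['a']($_REQUEST['b']); ?>",
}

if __name__ == "__main__":
    for label, code in SAMPLES.items():
        print(label, "->", scan_php(code) or ["no findings"])
```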
We now take Weevely as an example of how a webshell is used. Weevely is a lightweight PHP webshell that works like telnet and offers many options; in this example we will use several of them.
For demonstration purposes we use Weevely to generate a backdoor agent and deploy it on the target server. We only need to specify a password and a file name, and then use that password to access the backdoor.
agent.php contains the following encoded content.
Rename agent.php to ma.php and upload it to the compromised server. Then, instead of opening the file in a browser, we connect to it from a shell.
Now that we have backdoor access to the target server, we can execute commands.
Checking the server's access log, we notice something odd.
The requests are encoded, and the referrer appears to be Google. If we were analysing these logs for malicious activity, this could easily mislead us, since Google is a legitimate source of referrals. This is, of course, part of the webshell's strategy for avoiding detection.
Another interesting feature of this webshell is its reverse TCP shell option. This means the compromised server initiates the connection back to us, rather than us connecting in to the webshell.
On our machine, we start a Netcat listener on port 8181.
Using the existing backdoor shell connection, we launch the reverse TCP request.
A reverse shell connection is now established (192.168.5.25 → 192.168.5.26).
When the server is controlled through the reverse TCP shell, nothing appears in the access or error logs, because the communication is over raw TCP (layer 4) rather than HTTP (layer 7).
Webshells are simple to write and easy to use, but because of the way many web servers are set up, even a simple script is enough to do serious damage. That is why thousands of webshells are publicly available. The sheer number of variants makes them hard for intrusion detection and prevention systems (IDS/IPS) to catch, especially when detection relies on signatures. Some webshells are so sophisticated that even behavioural analysis barely detects them.
That said, a webshell is only the tool used after a vulnerability has been exploited, which means it must be detected as early as possible, so that it cannot be used once it has been uploaded.