In general, you will want a WebShell in the following scenario:
You discovered and exploited a vulnerability in a website
You obtained web-application privileges but not operating-system privileges
You want a convenient way to reconnect to the system next time
Main functions
The functions of a WebShell vary with the usage scenario and the operating environment. Typical WebShell functions fall into the following categories:
Environment probing
Resource management
File editing
Execute OS commands
Read the registry
Create Socket
Call system components
Take command execution as an example: a WebShell calls the scripting language's built-in functions to run operating-system shell commands. As long as the web server process has sufficient permissions, there is no limit to what this can do.
<?php echo system($_GET['cmd']); // run the "cmd" query parameter in the server's shell and echo its output ?>
Extensions
After years of use and extension in the industry, WebShells have become more and more powerful, and in certain scenarios they can be extremely destructive.
Privilege escalation
In general, a WebShell runs with the permissions of the web server process. If higher system privileges are needed, the shell's execution privileges must be raised. Some powerful WebShells help an attacker escalate from the account of a web server such as IIS/Apache/Nginx to operating-system Administrator/root privileges, usually by launching a local privilege-escalation exploit from the shell.
DDoS
The web server's computing power and bandwidth can be used to launch DDoS attacks, replacing the trojan-infected client machines of a traditional botnet.
Web page trojan injection
The site's page code is tampered with and malicious JavaScript is injected, to inflate traffic and steal cookies; worse, exploit code for 0-day vulnerabilities in visitors' browsers or browser controls can be planted in the pages.
"Black Hat" SEO
This is an entire industry: through page hijacking, different content is returned to search-engine crawlers and to real users (cloaking). When search results show government websites with unsightly titles, that is usually proof enough that the site has been compromised. To see the effect, search Baidu for "inurl:gov.cn Mark Six" yourself.
Proxy server
It is common for compromised websites to be used as proxy servers. Websites are usually hosted in IDC data centers, where computing power and bandwidth are abundant, which makes them a good choice for a proxy. In particular, when you want to reach certain overseas resources, relaying through an IDC server is much faster.
Port scan
Using a web server as a scanner is inefficient and may not fully meet the requirements, but it does conceal the attacker's identity to a certain extent, since the scan originates from the compromised server.
Internal network reconnaissance
A web server can usually talk directly to other servers on the internal network, such as database and LDAP servers. Taking full advantage of this position helps internal penetration: security policy between internal servers is relatively loose and request latency is low, so a WebShell is one of the best tools for gathering intelligence on the internal network.
Use your imagination
What a WebShell can do depends entirely on your imagination!
Classification by functionality
Full-featured: everything can be done
The all-rounder of the WebShell world. Of course, all that functionality rests on a large amount of code, so its string signatures are obvious and it is easily detected and removed by security tools.
Resource management: file and directory management
This type is usually marketed as a webmaster management tool that lets site administrators edit website files online. Of course, it can just as well be used for malicious operations :)
Command execution: execute system commands
As the name suggests, this WebShell does nothing but execute system commands. Used well, system commands alone can do everything, for example:
http://www.example.com/cmd.php?cmd=cat /etc/passwd
Upload type: responsible for uploading the "big shell"
In some scenarios the attacker cannot upload a full-featured WebShell of several hundred KB in one go (because of a size limit at the injection point, for example). The attacker then uploads a simple "relay" first: a relay WebShell has a single function, creating new files on the server, and is used to write the larger shell.
One-sentence type: short but powerful
As the name suggests, this WebShell's code is a single line. Its small size has made it an indispensable tool in penetration testing. A one-sentence WebShell usually executes script code sent by the client rather than taking parameters for a fixed function or module, which leaves enormous room for extending its functionality. A typical one-sentence WebShell looks as follows: