You are ‘Shell’ed Part 1: In a nutshell
What are Web Shells?
Web shells have become one of the most popular malware techniques used against application servers, even though they tend to get lost in the noise of the latest ransomware attacks. A web shell is a malicious program installed by a threat actor on an exploited web server or application. It is unique in that it gives the attacker access to the web server through an ordinary web browser, which acts as the command-line interface. No command-line environment is required on either the host or the client. For this reason, a web shell is often considered a remote access trojan. Its sole purpose is to provide a persistent connection to the server or web application after a successful initial attack. Typically, the initial foothold is established by exploiting SQL injection, remote file inclusion (RFI), cross-site scripting (XSS) or another remote execution vulnerability.
Following a successful attack, a web shell is installed, and it runs with the privileges of the web server. In most cases, however, a threat actor would then attempt to elevate privileges by exploiting local vulnerabilities or misconfigurations on the server itself. This provides access to the local file system, which enables further actions for the threat actor such as installing software, stealing passwords, and adding or removing users.
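The defining trait described above, request data from a browser handed straight to an execution call, is also the trait a defender can look for when sweeping a web root. The following is an added example, not code from the original post: a heuristic scanner that scores server-side scripts for that pattern, run over three constructed sample files (two obvious web shells and one benign page) embedded inline in place of a real directory walk.

```python
import re
from dataclasses import dataclass, field

# Calls that hand a string to the operating system or to the language runtime.
EXEC_CALL = re.compile(
    r"\b(eval|assert|system|shell_exec|exec|passthru|popen|proc_open|Process\.Start)\s*\(")
# Points where a browser request's data enters the script (PHP and ASP.NET forms).
REQUEST_INPUT = re.compile(
    r"\$_(GET|POST|REQUEST|COOKIE)\b|Request\.(Form|QueryString|Params)\b|Request\[")
# Decoding helpers that web shells commonly wrap around their payload to hide the above.
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")

# Constructed sample sources standing in for files read from a web root (assumption).
SAMPLE_FILES = {
    "uploads/avatar.php": "<?php @eval(base64_decode($_POST['p'])); ?>",
    "app/diag.aspx": '<% Response.Write(System.Diagnostics.Process.Start("cmd", Request.Form["q"])); %>',
    "index.php": "<?php echo htmlspecialchars($_GET['name']); ?>",
}

@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)

def score_source(path: str, source: str) -> Finding:
    """Heuristically score one server-side script for web-shell traits."""
    f = Finding(path)
    for m in EXEC_CALL.finditer(source):
        # Inspect only the argument list of this call, up to the statement terminator.
        end = source.find(";", m.end())
        args = source[m.end(): end if end != -1 else m.end() + 200]
        if REQUEST_INPUT.search(args):
            # The defining trait: request data passed directly to execution.
            f.score += 3
            f.reasons.append(f"request input reaches {m.group(1)}()")
        if OBFUSCATION.search(args):
            f.score += 2
            f.reasons.append(f"decoded payload passed to {m.group(1)}()")
    return f

def scan(files: dict) -> list:
    """Return findings with a non-zero score, highest first."""
    hits = [score_source(p, s) for p, s in files.items()]
    return sorted((h for h in hits if h.score > 0), key=lambda h: -h.score)

if __name__ == "__main__":
    for hit in scan(SAMPLE_FILES):
        print(hit.path, hit.score, "; ".join(hit.reasons))
```

A real sweep would read the files from disk and pair this content check with file metadata (new or recently modified scripts in upload directories), since obfuscated shells can split the call and the argument across statements to evade a single-statement match.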
Notice the ease with which a web shell can be installed to gain persistent access:
Is that it?
A web shell can also be used as a pivot for lateral movement within the network. It serves as a backdoor that enables a threat actor to scan the internal network and enumerate hosts, routers, firewalls and similar infrastructure. In other cases, a web shell can act as an intermediary for scanning outside networks as well, which hides the threat actor's true origin.
Web shells are also used to recruit web servers into a botnet. A botnet is a network of interconnected devices or systems controlled by an attacker. The web shell receives instructions from an attacker-controlled server through a command-and-control (C2) channel.
Example web shell attack, mapped by tactic to the techniques used:
Initial Access: Exploit Public-Facing Application (web server); External Remote Services (misconfigured servers)
Execution: Command-Line Interface; Compiled HTML File
Persistence: Attacker installs web shell
Credential Access: Brute Force (Hydra); Credential Dumping (Mimikatz, SecretsDump); Credentials in Files (Valuevault)
Discovery: Account Discovery (net user); Network Service Scanning (SoftPerfect); System Service Discovery (sc query); Network Share Discovery; Remote System Discovery
Lateral Movement: Remote Desktop Protocol; Remote File Copy; Remote Services (SSH); Windows Admin Shares
Collection: Automated Collection; Data Staged (in the %AppData% folder)
Command and Control: Commonly Used Port (port 80 for callback); Custom Command and Control Protocol (DNS tunneling)
Exfiltration: Data Compressed (zip); Data Encrypted (password-protected file); Exfiltration Over Alternative Protocol (FTP)
Common vulnerabilities exploited
Web shells themselves do not attack a server; they are used to establish a foothold on one compromised system for the purpose of pivoting to another. Threat actors install web shells by exploiting vulnerabilities in popular applications such as WordPress, Citrix and Microsoft SharePoint. The NSA has provided a list of commonly exploited vulnerabilities:
| Vulnerability Reference | Product | Base CVSS Score |
| CVE-2019-18935 | Progress Telerik UI | 9.8 |
| CVE-2017-11317 | Progress Telerik UI | 9.8 |
| CVE-2017-11357 | Progress Telerik UI | 9.8 |
In part 2 of the web shell series, we will dive deeper into an example of a popular web shell.