You are ‘Shell’ed Part 1: In a nutshell

Ramani Pathak

September 29, 2020

What are Web Shells? 

Web shells have become one of the most popular malware techniques used against application servers, even though they tend to get lost in the crowd of headline ransomware attacks. A web shell is a malicious program installed by a threat actor on an exploited web server or application. What makes it distinctive is that it gives the attacker access to the web server through an ordinary web browser, which is used as a command-line interface. No command-line environment is required on either the host or the client. For this reason, a web shell is often considered a remote access trojan. Its sole purpose is to provide a persistent connection to the server or web application after a successful initial attack. Typically, the initial pivot is established by exploiting SQL injection, remote file inclusion (RFI), cross-site scripting (XSS) or any other remote execution vulnerability.
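A defender's view of that browser-as-command-line behaviour, as an added example that is not part of the original post: a Python heuristic that scans web server access logs (Apache/nginx combined log format) for traffic patterns typical of a web shell being driven from a browser. The parameter names, the directory list and the sample log lines are constructed assumptions, not data from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format: host ident user [time] "method url proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".jspx")
CMD_PARAMS = {"cmd", "exec", "command", "shell"}    # assumed parameter names; tune locally
UPLOAD_DIRS = ("/uploads/", "/images/", "/tmp/")    # assumed dirs that should never serve scripts

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspects(lines, min_hits=3):
    """Return {script_path: set(reasons)} for paths whose traffic looks shell-driven."""
    hits = defaultdict(set)
    direct = defaultdict(int)   # (client ip, path) -> count of referer-less requests
    for line in lines:
        r = parse(line)
        if not r:
            continue
        parts = urlsplit(r["url"])
        path = parts.path
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        # 1. command-like parameter: the browser is being used as a command line
        if set(parse_qs(parts.query)) & CMD_PARAMS:
            hits[path].add("command-like query parameter")
        # 2. a script executed from a directory meant for uploaded/static content
        if r["method"] == "POST" and path.startswith(UPLOAD_DIRS):
            hits[path].add("POST to script in upload/static directory")
        # 3. repeated direct hits with no referer: nobody reached this page via a link
        if r["referer"] == "-":
            direct[(r["ip"], path)] += 1
            if direct[(r["ip"], path)] >= min_hits:
                hits[path].add("repeated referer-less access from one client")
    return dict(hits)

# Constructed sample lines (not real traffic): one normal page view, then a suspect script.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Sep/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "https://example.test/" "Mozilla/5.0"',
    '203.0.113.9 - - [29/Sep/2020:10:05:10 +0000] "GET /uploads/img.php?cmd=whoami HTTP/1.1" 200 48 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [29/Sep/2020:10:05:15 +0000] "POST /uploads/img.php HTTP/1.1" 200 1204 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [29/Sep/2020:10:05:20 +0000] "POST /uploads/img.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]
```

Running `find_suspects(SAMPLE_LOG)` flags only `/uploads/img.php`, with all three reasons; each rule alone is noisy, so in practice the score that matters is how many rules a single path trips.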

What happens? 

Following a successful attack, a web shell is installed, and it runs with the privileges of the web server. However, in most cases, a threat actor will attempt to elevate privileges by exploiting local vulnerabilities or misconfigurations on the server itself. This provides access to the local file system, which enables further actions such as installing software, stealing passwords, and adding or removing users.

Notice the ease with which a web shell can be installed to gain persistent access:

Is that it? 

A web shell can also be used to establish a pivot to laterally move within the network. This serves as a backdoor, enabling a threat actor to scan an internal network, enumerate hosts, routers, firewall information etc. In other cases, a web shell could act as an intermediary to scan outside networks too, providing anonymity to the threat actor.

Web shells are also used to recruit web servers into a botnet. A botnet is a network of interconnected devices or systems controlled by an attacker. The web shell receives instructions from an attacker-controlled server through a command and control (C&C) channel.

Example Web shell attack:

The following table maps an example web shell intrusion onto attack tactics, listing the techniques observed under each.

| Tactic | Techniques observed |
|---|---|
| Initial Access | Exploit Public Facing Application (Web server); External Remote Services (misconfigured servers) |
| Execution | Command-Line Interface; Compiled HTML File |
| Persistence | Attacker installs web shell |
| Credential Access | Brute force (Hydra); Credential Dumping (Mimikatz, SecretsDump); Credentials in File (Valuevault) |
| Discovery | Account Discovery (net user); Network Service Scanning (SoftPerfect); System Service Discovery (sc query); Network Share Discovery; Remote System Discovery |
| Lateral Movement | Remote Desktop Protocol; Remote File Copy; Remote Services (ssh); Windows Admin Shares |
| Collection | Automated collection; Data staged (in %AppData% folder) |
| Command and Control | Commonly Used Port (port 80 for callback); Custom Command Control (DNS Tunneling) |
| Exfiltration | Data Compressed (zip); Data encrypted (password protected file); Exfiltration over alternate protocol (FTP) |

Common vulnerabilities exploited 

Web shells themselves cannot attack a server; they are used to establish a foothold on one compromised system for the purpose of pivoting to another. Threat actors install web shells by exploiting vulnerabilities in popular applications such as WordPress, Citrix, Microsoft SharePoint etc. The NSA has published a list of commonly exploited vulnerabilities:

| Vulnerability Reference | Product | Base CVSS Score |
|---|---|---|
| CVE-2019-0604 | Microsoft SharePoint | 9.8 |
| CVE-2019-19781 | Citrix | 9.8 |
| CVE-2019-3396 | Atlassian Confluence | 9.8 |
| CVE-2019-3398 | Atlassian Confluence | 8.8 |
| CVE-2019-9978 | WordPress | 6.1 |
| CVE-2019-18935 | Progress Telerik UI | 9.8 |
| CVE-2017-11317 | Progress Telerik UI | 9.8 |
| CVE-2017-11357 | Progress Telerik UI | 9.8 |
| CVE-2019-11580 | Atlassian Crowd | 9.8 |
| CVE-2020-10189 | Zoho ManageEngine | 9.8 |
| CVE-2019-8394 | Zoho ManageEngine | 6.5 |
| CVE-2020-0688 | Microsoft Exchange | 8.8 |
| CVE-2018-15961 | Adobe ColdFusion | 9.8 |

In part 2 of the web shell series, we will dive deeper into an example of a popular web shell.