Aweb shell is ashell-like interface that facilitates remote access to aweb server, commonly exploited forcyberattacks.[1] Unlike traditional shells, it is accessed via aweb browser, making it a versatile tool for malicious activities.[2][3]
Web shells can be coded in anyprogramming language supported by a server, withPHP being the most prevalent due to its widespread use inweb applications. Other languages, such asActive Server Pages,ASP.NET,Python,Perl,Ruby, andUnix shell scripts, are also employed.[1][2][3]
Attackers identifyvulnerabilities often in web server application usingnetwork monitoring tools, which can be exploited to deploy a web shell.[2]
Once installed, a web shell allows attackers to execute shell commands, performprivilege escalation, and manage files by uploading, deleting, downloading, or executing them on the server.[2]
Web shells are favored in cyberattacks for their versatility and elusiveness.[4] Common applications include:
Web shells enable hackers to extract data, corrupt systems, and deploy more damagingmalware. The threat intensifies when compromised servers are used to infiltrate additional systems. They are also employed in cyber espionage targeting sectors like government, finance, and defense. A notable example is the "China Chopper" web shell.[6]
Web shells are deployed by exploiting vulnerabilities in web applications or weak server configurations, including:[2][4]
Attackers may also spoof theContent-Type header during file uploads to bypass weak file validation, enabling shell deployment.
The following is a basic PHP web shell that executes a shell command and displays the output:
<?=`$_GET[x]`?>
With a filename ofexample.php, the command to display the/etc/passwd file could be:
https://example.com/example.php?x=cat%20%2Fetc%2Fpasswd
This executes the commandcat /etc/passwd. Such risks can be mitigated by disabling PHP shell functions to prevent arbitrary command execution.
Preventing web shell installation requires addressing server vulnerabilities. Key measures include:[2][3]
Web shells are challenging to detect due to their modifiability, often evadingantivirus software.[2][9]
Indicators of a web shell include:[2][3]
cmd.exe oreval)For instance, aPNG file withPOST parameters or dubious logins between DMZ servers and internal subnets may signal a web shell.[2][10][11][12]
Web shells may include disguised login forms, such as fakeerror pages.[2][13][14][15]
Attackers can modify the.htaccess file (onApache HTTP Server) to redirectsearch engine queries to malware orspam pages, often tailoring content based onuser-agent detection. Identifying the shell may require altering the crawler's user-agent, after which it can be easily removed.[2]
Analyzing server logs can pinpoint the web shell's location, as legitimate users typically have diverseuser-agents andreferers, while attacker access is more uniform.[2]
This article incorporates text from this source, which is in thepublic domain.{{cite web}}: CS1 maint: numeric names: authors list (link)