Server Software Component: Web Shell [T1505.003]
An attacker escalates privileges or maintains persistent access on an already compromised web application using malicious scripts called web shells. A web shell is used in the post-exploitation phase, since a web shell by itself cannot attack or exploit a remote vulnerability.
An attacker may take advantage of common web application vulnerabilities such as SQL injection, remote file inclusion, or cross-site scripting to attain file upload capabilities and upload the malicious files. With successful upload and execution of the web shell, the attacker could gain the ability to execute shell commands, run arbitrary code, or even enumerate databases.
One interesting thing about web shells is that most of them may not be detected by antivirus or antimalware software, as they do not use executable file types. Moreover, they are freely available to the public for download.
We will see how we can exploit the file upload functionality on a web application and obtain a shell. For this tutorial, I am using DVWA (Damn Vulnerable Web Application), which is hosted on the OWASP Broken Web Application.
For this, we are going to use the php-backdoor.php file to exploit the web application.
The screenshot below shows the web application interface where we have uploaded the malicious PHP file.
As seen in the above screenshot, the PHP file is uploaded successfully even though it is not an image file, and the same file can be found in the uploads directory of the web application.
So this backdoor gives us the capability to execute commands, upload additional files, browse directories, and execute MySQL queries.
So let's start with command execution, and let's find out the current user.
Another important command is cat /etc/passwd, which displays the contents of the passwd file.
As seen in the above screenshot, we are successfully able to execute commands on the target system using a web shell.
We can also upload a reverse shell PHP file to get a reverse shell, as seen in the screenshot below.
Now we can start Netcat and make it listen on the configured port.
So we have successfully acquired a reverse shell, and we can now execute any command.
As already said, these web shells are hard to detect and may not be caught even by antivirus and antimalware software. Still, detection is not impossible. Continuous process monitoring can be used to detect web servers that perform suspicious actions, such as running cmd.exe or accessing files that are not in the web directory. File monitoring can also be used to detect changes in the web server's directories, and server traffic can be monitored for unusual traffic to or from the servers.
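The three controls named above (process monitoring, file monitoring of the web directory, and traffic monitoring) can each be expressed as a small check over the telemetry a web server already produces. The following is an added example, not code from the original post, DVWA or OWASP BWA: it runs the three checks over constructed sample data that mirrors the walkthrough (a web server worker spawning sh, a .php file landing in the uploads directory, and an access log entry that calls that script). The upload directory paths, the process names, and the log lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# 1. Process monitoring: a web server worker should not be the parent of a shell.
WEB_SERVER_PROCS = {"apache2", "httpd", "nginx", "php-fpm", "w3wp.exe"}
SHELL_PROCS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "nc", "ncat"}


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image name of the parent process
    child: str     # image name of the spawned process
    cmdline: str   # command line of the spawned process


def suspicious_process_events(events):
    """Return events in which a web server process spawned a shell or netcat."""
    return [e for e in events if e.parent in WEB_SERVER_PROCS and e.child in SHELL_PROCS]


# 2. File monitoring: server-side scripts should never appear under the upload directory.
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar", ".jsp", ".jspx", ".asp", ".aspx")


def suspicious_new_files(paths, upload_dir):
    """Return newly created paths inside upload_dir that carry a script extension."""
    return [p for p in paths
            if p.startswith(upload_dir) and p.lower().endswith(SCRIPT_EXTS)]


# 3. Traffic monitoring: requests that execute a script served from the upload directory.
# Apache/nginx "combined" log format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_lines, upload_prefix):
    """Return (ip, method, path, status) for hits on script files under upload_prefix."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line; a real pipeline would count these
        path = m.group("target").split("?", 1)[0]   # drop the query string before matching
        if path.startswith(upload_prefix) and path.lower().endswith(SCRIPT_EXTS):
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits


# Constructed sample data for the example (not captured from a real system).
UPLOAD_DIR_FS = "/var/www/html/dvwa/hackable/uploads/"   # assumed on-disk upload location
UPLOAD_DIR_URL = "/dvwa/hackable/uploads/"               # assumed URL prefix of that directory

SAMPLE_PROC_EVENTS = [
    ProcEvent("apache2", "sh", "sh -c whoami"),
    ProcEvent("apache2", "sh", "sh -c 'cat /etc/passwd'"),
    ProcEvent("sshd", "bash", "bash"),   # interactive admin login: parent is not a web server
    ProcEvent("apache2", "convert", "convert cat.jpg -resize 100x100 thumb.jpg"),  # legitimate child
]

SAMPLE_NEW_FILES = [
    UPLOAD_DIR_FS + "cat.jpg",
    UPLOAD_DIR_FS + "php-backdoor.php",
    "/var/www/html/dvwa/index.php",   # outside the upload dir: a deployment, not an upload
]

SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 2110 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:56:20 +0000] "GET /dvwa/hackable/uploads/php-backdoor.php?cmd=whoami HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:56:45 +0000] "GET /dvwa/hackable/uploads/cat.jpg HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
]


def web_shell_report(proc_events=SAMPLE_PROC_EVENTS, new_files=SAMPLE_NEW_FILES,
                     log_lines=SAMPLE_ACCESS_LOG):
    """Run all three checks and return the findings keyed by control."""
    return {
        "process": suspicious_process_events(proc_events),
        "file": suspicious_new_files(new_files, UPLOAD_DIR_FS),
        "traffic": suspicious_requests(log_lines, UPLOAD_DIR_URL),
    }


if __name__ == "__main__":
    for control, findings in web_shell_report().items():
        print(f"[{control}] {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

Each check is deliberately narrow so that a single finding is meaningful on its own: a web server spawning sh, a script extension inside a directory that should only ever hold images, or a request that executes a file from that directory. In practice the file check is the cheapest to deploy (a file-integrity or inotify watch on the uploads path), and correlating it with the traffic check gives the timeline of the upload and first execution.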