Web shells can be used to leverage unauthorised access and can lead to wider network compromise.
The ACSC has responded to multiple instances where the use of web shells by Advanced Persistent Threat (APT) and criminal groups has led to significant cyber incidents in Australia and globally.
Web Shell Description
A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. Infected web servers can either be internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts.
A web shell can be written in any language that the target web server supports. The most commonly observed web shells are written in languages that are widely supported, such as PHP and ASP. Perl, Ruby, Python and Unix shell scripts are also used.
Using network reconnaissance tools, an adversary can identify vulnerabilities that can be exploited and result in the installation of a web shell. For example, these vulnerabilities can exist in content management systems (CMS) or web server software.
Once successfully uploaded, an adversary can use the web shell to leverage other exploitation techniques to escalate privileges and to issue commands remotely. These commands are directly linked to the privilege and functionality available to the web server and may include the ability to add, delete and execute files as well as the ability to run shell commands, further executables, or scripts.
How/Why are they used by malicious adversaries?
Web shells are frequently used in compromises due to the combination of remote access and functionality. Even simple web shells can have a considerable impact and often maintain minimal presence.
Web shells are utilised for the following purposes:
- Harvesting and exfiltration of sensitive data and credentials;
- To upload additional malware for the potential of creating, for example, a watering hole for infection and scanning of further victims;
- To use as a relay point to issue commands to hosts inside the network without direct internet access;
- To use as command and control infrastructure, potentially in the form of a bot in a botnet or in support of compromises to additional external networks. This could occur if the adversary intends to maintain long-term persistence.
While a web shell itself would not normally be used for denial of service (DoS) attacks, it can act as a platform for uploading further tools, including DoS capability.
Web shells can be delivered through a number of web application exploits or configuration weaknesses including:
- Cross-Site Scripting;
- SQL Injection;
- Vulnerabilities in applications/services (e.g. Wordpress or other CMS applications);
- File processing vulnerabilities (e.g. upload filtering or assigned permissions);
- Remote File Include (RFI) and Local File Include (LFI) vulnerabilities;
- Exposed Admin Interfaces (possible areas to find vulnerabilities mentioned above).
The above tactics can be and are combined regularly. For example, an exposed admin interface also requires a file upload option, or another exploit method mentioned above, to deliver successfully.