A Web Shell is a shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyberattacks.
What is a Web Shell?
A Web Shell is a malicious script used by an attacker with the intent of escalating and maintaining persistent access to an already compromised web application.
A Web Shell itself cannot attack or exploit a remote vulnerability, so it is always the second step in an attack (this stage is also referred to as post-exploitation).
An attacker can exploit common web page vulnerabilities such as SQL injection, remote file inclusion (RFI), or even use cross-site scripting (XSS) as part of a social engineering attack, in order to achieve web page loading capabilities files and transfer malware.
Web Shells could be written in various web languages, for example PHP Web Shells are very common.
Web Shells may not be detected by antivirus or anti-malware software because they do not use typical executable files.
At the same time, they are easily accessible to the public, for example via various GitHub projects.
Persistent remote access
A Web Shell script usually contains a backdoor, which allows an attacker to remotely access and possibly control a server with access to the Internet at any time.
This would save the attacker from the inconvenience of having to exploit a vulnerability every time access to the compromised server is required.
An attacker could also choose to fix the vulnerability to ensure that no one else can exploit it.
In this way, the attacker can keep a low profile and avoid any interaction with an admin, while still achieving the same result.
It is also worth mentioning that many popular Web Shells use password authentication and other techniques to ensure that only the attacker who charges it has access to it.
These techniques include script blocking on a specific custom HTTP header, specific cookie values, specific IP addresses, or a combination of these techniques.
Most Web Shells also contain code to identify and prevent search engines from listing the shell and, as a result, blacklist the entire domain or server on which the web application is hosted.
Unless a server is configured incorrectly, the Web Shell will run with the webserver software user permissions, which are (or at least should be) limited.
Using a Web Shell, an attacker can attempt to perform privilege escalation attacks by exploiting local vulnerabilities on the system in order to assume root (or superuser, on UNIX-based) privileges.
With access to the root account, the attacker can essentially do anything on the system, including managing local files, installing software, changing permissions, adding and removing users, password theft, e-mail reading, and more.
Activate and launch attacks
A Web Shell can be used by an attacker to monitor (sniff) network traffic on the system, scan the internal network for live hosts, and enumerate firewalls and routers within the network.
This process can take days, even months, mainly because the attacker typically tries to keep a low profile and attract as little attention as possible.
Once he has persistent access, he can patiently move his moves.
The compromised system can also be used to attack or scan targets residing outside the network.
Zombie and Web Shell
Another use of Web Shells is to make servers part of a botnet, which is a network of compromised systems that an attacker can control for a variety of uses.
The Web Shell or backdoor is connected to a command and control server from which it can take directives as to which instructions to execute.
This configuration is commonly used in Distributed Denial of Service attacks (DDoS), which require large amounts of bandwidth.
In this case, the attacker has no interest in damaging or stealing anything from the system on which the Web Shell was deployed: he will simply use its resources.