Web shells are malicious scripts uploaded to web servers to gain persistent access and enable remote administration of an already-compromised server. Attackers use web shells to obtain backdoor access to the web server and often move laterally across the network in search of assets and other sensitive data to steal. Web shells range from simple PHP scripts that just execute a small shell command to deeper, more sophisticated ones that can dump database tables and even launch widespread distributed denial-of-service (DDoS) attacks.
Overall, there are many kinds of web shells, but some are observed more often than others. With that in mind, here are the three most commonly used web shells in the cybersecurity field:
X-Zone web shells were a new development in the cybersecurity world not long ago, and are primarily obfuscated with gzip and Base64. This form of web shell offers basic functionality: getting system information, checking ports, reading and writing files, creating folders, uploading and downloading, and executing files.
PAS web shells are fully featured PHP shells with a basic file browser, file-search functionality, and a dedicated client for accessing databases and downloading data. The PHP script is protected by a password that is also used for encryption. This protection makes it one of the most secure shells and one of the hardest to crack unless the password is captured from the attacker while the shell is in use.
WSO stands for "web shell by Orb". This form of web shell is a PHP script and is generally obfuscated using simple techniques like string replacement, gzip, and Base64. It also avoids web crawlers from search engines such as Google, Yahoo, and Bing, so that the shell is not discovered or listed in search results. Attackers often employ WSO to view host server information, but it also includes a file manager, a remote shell, a password brute-force tool, and an SQL browser.
Beyond X-Zone, PAS, and WSO, cybersecurity professionals also encounter many simple PHP scripts that accept and execute PHP code sent remotely by the attacker. These scripts take encoded data from either an HTTP POST body or an HTTP cookie, decode it, and pass it to PHP's eval() for execution.
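As an added example, not part of the original article, the following Python scanner turns the traits described above into detection heuristics: an executing sink such as eval() fed decoded POST or cookie data, gzip layered over Base64 packing, a long packed string literal, and a search-engine user-agent check. The rules, their weights, the threshold and the sample file contents are all constructed for this example and would need tuning on a real code base.

```python
import re

# Heuristic rules constructed for this example; not a signature set for any
# named web shell family.
SINK = r"\b(?:eval|assert|create_function)\s*\("          # turns a string into running PHP
DECODER = r"(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|strrev)\s*\("
REMOTE = r"\$_(?:POST|COOKIE|GET|REQUEST)\b"               # attacker-controlled request data
BOTS = r"(?:google|bing|yahoo|slurp)"

RULES = [  # (name, weight, pattern); weights are cumulative and rules may overlap
    # sink wrapped around decoded request data: the eval-relay shells
    ("exec-of-decoded-input", 8, re.compile(SINK + r"\s*(?:" + DECODER + r"\s*)+" + REMOTE, re.I)),
    # sink fed a raw request variable
    ("exec-of-request-var", 8, re.compile(SINK + r"\s*" + REMOTE, re.I)),
    # sink fed any decoded data (packed shell bodies)
    ("exec-of-decoded-data", 5, re.compile(SINK + r"\s*" + DECODER, re.I)),
    # gzip layered over Base64: the packing described for X-Zone and WSO
    ("layered-decode", 5, re.compile(r"gz(?:inflate|uncompress|decode)\s*\(\s*base64_decode\s*\(", re.I)),
    # a long Base64-looking literal, i.e. the packed payload itself
    ("long-base64-literal", 3, re.compile(r"""["'][A-Za-z0-9+/=]{200,}["']""")),
    # a search-engine name near HTTP_USER_AGENT: crawler evasion
    ("crawler-evasion", 3, re.compile(
        r"HTTP_USER_AGENT.{0,120}?" + BOTS + r"|" + BOTS + r".{0,120}?HTTP_USER_AGENT", re.I | re.S)),
]


def scan_php(source: str):
    """Return (score, [rule names]) for one PHP source text; higher is more shell-like."""
    hits = [(name, weight) for name, weight, rx in RULES if rx.search(source)]
    return sum(w for _, w in hits), [n for n, _ in hits]


def is_suspicious(source: str, threshold: int = 8) -> bool:
    return scan_php(source)[0] >= threshold


# Constructed sample file contents for the scanner, not real captured shells.
SAMPLES = {
    "eval_relay": "<?php @eval(base64_decode($_POST['d']));",
    "packed_shell": (
        "<?php $p = '" + "A" * 240 + "'; "  # placeholder standing in for a packed payload
        "if (preg_match('/google|bing|yahoo|slurp/i', $_SERVER['HTTP_USER_AGENT'])) "
        "{ header('HTTP/1.0 404 Not Found'); exit; } "
        "eval(gzinflate(base64_decode($p)));"
    ),
    # legitimate upload handler: decodes POST data but never executes it
    "benign_upload": "<?php $bytes = base64_decode($_POST['avatar']); file_put_contents('/var/www/uploads/a.png', $bytes);",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        score, rules = scan_php(src)
        print(f"{name:14} score={score:2} suspicious={is_suspicious(src)} rules={rules}")
```

Run it over files under the web root (for example with `os.walk`) and review the highest scores first; a decoder call alone, as in the upload handler, scores nothing, while decoding that feeds an executing sink does.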
Web shells are a dangerous threat and an important topic in cybersecurity. They are worth understanding because they are used for multiple nefarious purposes and are hard to detect. In the hands of a capable attacker, web shells can be used for the following operations:
Overall, it is important to be educated on what web shells are, their most popular forms, and the ways they can be used against you and your organization's information systems.