2025-02-26 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
Today I would like to talk with you about how to understand Webshell. Many people may not know much about it, so to help you understand it better, the editor has summarized the following content. I hope you get something from this article.
A Webshell is a malicious script often used by hackers, whose purpose is to gain the ability to execute operations on the server, such as running system commands, stealing user data, deleting web pages, modifying the home page, and so on; its harm is self-evident. Hackers usually exploit common vulnerabilities such as SQL injection, remote file inclusion (RFI), FTP, and even cross-site scripting (XSS) as part of social engineering attacks, and finally achieve the goal of controlling the web server.
The common Webshell languages are ASP, JSP and PHP. The editor takes a PHP Webshell as the example to explain in detail the common functions, working methods and common hiding techniques of Webshells.
1. Why Webshell is so popular with hackers
The first step in using a Webshell is usually to upload it to an accessible server, for example by exploiting a vulnerability in a third-party plug-in of the user's CMS to upload a simple PHP Webshell. Of course, Webshells differ in type and function. Some simple Webshells only open a connection to the outside world, allowing the hacker to insert more targeted malicious scripts that execute the instructions they need, while others are more complex, with database or file browsers that let the hacker view the code and data of the compromised system from thousands of miles away. Regardless of design, Webshells are extremely dangerous and are a common tool of cybercriminals and advanced persistent threats (APTs). The common attack characteristics of Webshells are as follows:
Persistent remote access
Webshell scripts usually contain a backdoor. After uploading a Webshell, hackers can make full use of its backdoor for remote access and control of the server, achieving long-term control of the web server. In addition, after uploading the Webshell, hackers often fix the vulnerability themselves to ensure that nobody else exploits it. In this way they keep a low profile, avoid any interaction with administrators, and still get the same result.
Privilege escalation
Unless the server is misconfigured, a Webshell runs with the web server's user privileges, which are limited. Using the Webshell, hackers can escalate privileges by exploiting local vulnerabilities on the system to gain root privileges, after which they can do almost anything on the system, including installing software, changing permissions, adding and removing users, stealing passwords, reading emails, and so on.
Strong concealment
A Webshell can run nested inside a normal web page and is not easy to detect and remove. It can also pass through the server firewall, because the data exchanged with the controlled server or remote host is transmitted over port 80 and will not be intercepted by the firewall. Where traffic is not recorded, a Webshell driven by POST requests leaves nothing in the system log; the web log records only that data was submitted, not its content.
2. PHP functions commonly used in Webshell
Webshells can be written in almost any web programming language. The reason for focusing on PHP is that it is the most widely used language on the web. Here are the PHP functions most commonly used to execute shell commands.
system()
The system() function takes the command as an argument and outputs the result.
The following example runs the dir command on Windows and returns a listing of the directory where the PHP file is located.
Similarly, running the ls command on a Linux machine gives a similar result.
exec()
The exec() function takes the command as an argument but does not output the result. If the optional second parameter is specified, the result is returned in that array; otherwise, if echoed, only the last line of the output is shown.
Executing the echo command with exec() outputs only the last line of the command's output.
If the second parameter is specified, the result is returned as an array.
shell_exec()
The shell_exec() function is similar to exec(), but the entire output is returned as a string.
passthru()
passthru() executes a command and returns the output in its raw format.
proc_open()
The proc_open() function can be hard to understand. In a nutshell, proc_open() creates a handle (a process) through which the script communicates with the program being run.
Backticks
Many PHP developers don't realize it, but PHP executes the contents of backticks (`) as a shell command. Note that the backtick (`) is different from the single quote (').
Based on the above, here is the simplest PHP Webshell.
It uses the system() function to execute commands passed through the 'cmd' parameter of an HTTP GET request.
We have established that these functions (and others) can be very dangerous. Worse, when PHP is installed all of these built-in functions are enabled by default, and most system administrators do not disable them. If you are not sure whether these functions are enabled on a system, entering the following returns a list of the dangerous functions that are enabled.
With a default installation, the following functions are all enabled.
3. How hackers hide Webshell
Modifying the header
The hacker passes commands in the User-Agent string rather than in a $_POST request parameter.
The hacker can then craft HTTP requests that carry the command in the User-Agent HTTP header.
You can see the effect in the server log, where the User-Agent of the second request has been replaced by the command cat /etc/passwd.
The above method generates a lot of noise and can easily prompt the administrator to look at the server logs. With the following method, however, it is hard for the administrator to notice anything.
This method leaves no visible trace of the executed command (at least not in the access log).
Hiding in a normal file
One of the easiest ways for hackers to hide a Webshell is to upload it to a deep subdirectory and/or give it a random name.
A more effective approach is to embed the Webshell code in an existing legitimate file,
or in the files of a CMS (for example, WordPress).
Note: hackers usually put the @ operator before the function call to suppress errors so that nothing is written to the error log.
Obfuscation
Hackers use various obfuscation techniques to avoid detection by administrators. They keep coming up with new and more complex ways to hide their code and bypass security systems. Here are some of the most common techniques we have seen.
(1) Removing spaces and newlines
By removing spaces and newlines from a block of code, the code looks like one large string, which makes it less readable and harder to tell what the script is trying to do.
(2) Encryption
This technique encrypts the code, reducing its readability, and takes full advantage of the various functions that can rebuild it at run time.
(3) Hex obfuscation
The hexadecimal values of ASCII characters can also be used to further obfuscate Webshell commands; the following example illustrates this obfuscation technique in a Webshell.
The following are the hexadecimal values of the string above.
Therefore, the following code can accept a hexadecimal-encoded string and convert it into PHP code.
The output is similar to the following figure.
(4) Obfuscation through controllable input
PHP's commonly used controllable inputs include $_GET, $_POST, $_REQUEST, $_FILES, $_SERVER and $_COOKIE. These are PHP predefined variables through which values chosen by the hacker reach the script from the browser.
The following example is simple but practical. Although the code is neither encoded nor encrypted, it is still harder to detect than the previous code because it uses no suspicious function names (such as eval() or assert()), no long encoded strings, and no complex code. Most importantly, when the administrator looks at the log, nothing looks dangerous.
4. How Webshell is used
Let's take Weevely as an example to analyze how a Webshell is used. Weevely is a lightweight Webshell similar to a PHP telnet, with several options that we will use in this example.
For demonstration purposes, we use Weevely to create a backdoor agent and deploy it on the target server. We only need to specify a password and a file name, then use the password to access the backdoor.
The generated agent.php contains the following encoded file.
Rename agent.php to ma.php and upload it to the compromised server. Instead of accessing the file with a browser, we connect to it with the Weevely shell.
Now that we have backdoor access to the target server, we can execute commands.
If we check the server's access log, we notice something strange.
The request sent is encoded and the referrer appears to be Google. If we analyze the log for malicious activity, this is very likely to mislead us, because Google should be a legitimate referral source. This is, of course, part of the strategy for keeping the Webshell from being detected.
Another interesting feature of the Webshell we are using is the reverse TCP shell option. This means the compromised server establishes a connection back to us, instead of us requesting a connection to the Webshell.
On the source computer we start a Netcat listener on port 8181.
Then we start a reverse TCP request through the established backdoor shell connection.
A reverse shell connection is now established (192.168.5.25 → 192.168.5.26).
The server is controlled through the reverse TCP shell, and no trace is left in the access or error log because communication takes place over TCP (layer 4) rather than HTTP (layer 7).
5. Detection and prevention of Webshell
Detection
If an administrator suspects that a Webshell exists on the system, or is just doing a routine check, the following should be examined.
First, filter the server access and error logs, including file names and/or parameter names, for the common keywords Webshells use. You can use the following example to search for strings in the URL in the Apache HTTP Server access log.
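The log check described above, written out as an added example (this is not code from the original article): a small scanner for Apache combined-format access logs that flags the three patterns the article discusses, a command in a query parameter such as cmd, a command carried in the User-Agent header, and encoded POST requests to a PHP file with a search-engine referrer. The log lines, the parameter-name list and the directory names are constructed for the demonstration; adjust them to your own site.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample lines in Apache "combined" log format; they are not real traffic.
# Line 2 carries a command in the cmd parameter, line 3 carries it in the User-Agent
# header, and line 4 is an encoded POST with a search-engine referrer.
SAMPLE_LOG = """\
192.168.5.25 - - [31/May/2019:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.5.25 - - [31/May/2019:10:12:07 +0000] "GET /uploads/ma.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1743 "-" "Mozilla/5.0"
192.168.5.25 - - [31/May/2019:10:12:19 +0000] "GET /uploads/ma.php HTTP/1.1" 200 1743 "-" "cat /etc/passwd"
192.168.5.25 - - [31/May/2019:10:12:31 +0000] "POST /uploads/ma.php HTTP/1.1" 200 88 "https://www.google.com/" "Mozilla/5.0"
192.168.5.25 - - [31/May/2019:10:12:40 +0000] "GET /images/logo.png HTTP/1.1" 200 9902 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter names frequently used by simple Webshells (the article's example uses cmd).
SUSPICIOUS_PARAMS = {"cmd", "exec", "command", "shell", "pass", "passwd"}
# Command words that have no business in a URL or a User-Agent header.
SHELL_WORDS = re.compile(r"(?:^|[\s;|&`=])(?:cat|ls|dir|whoami|uname|id|wget|curl|nc|bash|sh)\b")
# PHP executed from directories that should only ever hold static uploads.
PHP_IN_UPLOAD_DIR = re.compile(r"^/(?:uploads|images|files)/.*\.php$", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def findings_for(entry):
    """Return the list of Webshell indicators present in one parsed log entry."""
    reasons = []
    decoded = unquote(entry["path"])          # %20 and friends back to plain text
    parsed = urlparse(decoded)
    hits = SUSPICIOUS_PARAMS & set(parse_qs(parsed.query, keep_blank_values=True))
    if hits:
        reasons.append("suspicious parameter name(s): " + ", ".join(sorted(hits)))
    if SHELL_WORDS.search(decoded):
        reasons.append("shell command text in URL")
    if SHELL_WORDS.search(entry["ua"]):
        reasons.append("shell command text in User-Agent")
    if PHP_IN_UPLOAD_DIR.search(parsed.path):
        reasons.append("PHP executed from upload directory")
    if entry["method"] == "POST" and parsed.path.endswith(".php") and "google." in entry["referer"]:
        reasons.append("POST to PHP with search-engine referrer")
    return reasons


def scan_access_log(text):
    """Map 1-based line numbers to indicator lists for every line that has at least one."""
    flagged = {}
    for number, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue                          # malformed line: skip rather than crash
        reasons = findings_for(entry)
        if reasons:
            flagged[number] = reasons
    return flagged


if __name__ == "__main__":
    for number, reasons in scan_access_log(SAMPLE_LOG).items():
        print(f"line {number}: " + "; ".join(reasons))
```

The scan is keyword based, so it is only a first pass: short words such as id or sh will occasionally hit legitimate paths, and an encoded or obfuscated Webshell will not match any of them, which is why the article also recommends looking at referrers and at any PHP file served from an upload directory.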
Search the file system (usually the web server's document root) for suspicious file names or for common strings inside files.
If a very long string is found, it may indicate encoded content. Some backdoors have thousands of lines of code.
Search for files modified in the last X days. In the following example we search for *.php files changed the day before, but we recommend searching all changed files, because a Webshell can also be embedded in an image or any other file.
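The file-system checks above, together with the obfuscation techniques from section 3 (error suppression with @, hex-escaped strings, stripped whitespace, long encoded strings), as one added example that is not from the original article: a static scanner that reports the indicators found in a PHP source text, plus a walk over recently modified files of any type, as the article advises. The two sample scripts, the thresholds and the indicator names are constructed for the demonstration.

```python
import os
import re
import time

# Functions the article lists as dangerous; calls to them are the first thing to look for.
DANGEROUS = ("eval", "assert", "system", "exec", "shell_exec", "passthru",
             "proc_open", "popen", "pcntl_exec", "show_source")
DANGEROUS_CALL = re.compile(r"(@?)\b(" + "|".join(DANGEROUS) + r")\s*\(", re.IGNORECASE)
# A dangerous call whose argument list contains a PHP superglobal (hacker-controlled input).
INPUT_INTO_CALL = re.compile(
    r"\b(?:" + "|".join(DANGEROUS) + r")\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b",
    re.IGNORECASE)
HEX_ESCAPES = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")      # "\x63\x61..." style strings
BACKTICK_EXEC = re.compile(r"`[^`\n]*\$[^`\n]*`")            # `...$var...` shell execution
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
LONG_STRING = 200   # constructed threshold for "encoded blob" string literals
LONG_LINE = 300     # constructed threshold for whitespace-stripped one-line code


def scan_php_source(src):
    """Return a sorted list of the Webshell indicators found in one PHP source text."""
    findings = set()
    for m in DANGEROUS_CALL.finditer(src):
        name = m.group(2).lower()
        findings.add(f"dangerous function: {name}")
        if m.group(1) == "@":
            findings.add(f"error suppression on {name}()")
    if INPUT_INTO_CALL.search(src):
        findings.add("user-controlled input passed to dangerous function")
    if HEX_ESCAPES.search(src):
        findings.add("hex-escaped string")
    if BACKTICK_EXEC.search(src):
        findings.add("backtick execution with variable")
    if re.search(r"\bbase64_decode\s*\(", src, re.IGNORECASE):
        findings.add("base64_decode call")
    if any(len(m.group()) > LONG_STRING for m in STRING_LITERAL.finditer(src)):
        findings.add("very long string literal")
    if any(len(line) > LONG_LINE for line in src.splitlines()):
        findings.add("very long single line")
    return sorted(findings)


def find_recently_modified(root, days=1, suffixes=None):
    """List files under root modified within the last `days` days, optionally filtered by suffix."""
    cutoff = time.time() - days * 86400
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if suffixes and not name.lower().endswith(tuple(suffixes)):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getmtime(path) >= cutoff:
                    hits.append(path)
            except OSError:
                continue                      # file vanished or unreadable: skip it
    return sorted(hits)


def scan_tree(root, days=1):
    """Scan every recently modified file under root, whatever its extension."""
    report = {}
    for path in find_recently_modified(root, days):
        try:
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings = scan_php_source(fh.read())
        except OSError:
            continue
        if findings:
            report[path] = findings
    return report


# Constructed samples: a benign script and one carrying the indicators the article describes.
LEGIT_SAMPLE = '<?php\n$lines = file("list.txt");\nforeach ($lines as $l) { echo htmlspecialchars(trim($l)); }\n'
SUSPECT_SAMPLE = ('<?php @system($_SERVER["HTTP_USER_AGENT"]);\n'
                  '$s = "\\x65\\x63\\x68\\x6f\\x20\\x31";\n')

if __name__ == "__main__":
    print("legit  :", scan_php_source(LEGIT_SAMPLE))
    print("suspect:", scan_php_source(SUSPECT_SAMPLE))
```

Run scan_tree("/var/www/html") (an assumed document root) to combine both checks. The scanner reads every recently modified file as text, so a Webshell appended to an image still shows up; and because it looks at the source rather than at function names alone, the @-suppressed, superglobal-fed call that the article calls hard to spot is reported as a separate finding.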
Monitor the network for abnormal traffic and connections.
Check whether the .htaccess file has been modified. The following is an example of how an attacker might alter the .htaccess file.
Prevention
Typically, hackers exploit vulnerabilities in web server software to install Webshells, so eliminating these vulnerabilities is important to avoid the risk of losing control of the web server. Here are some precautions related to Webshell.
If they are not needed, disable dangerous PHP functions such as exec(), shell_exec(), passthru(), system(), show_source(), proc_open(), pcntl_exec(), eval() and assert().
If you must enable these functions, make sure unauthorized users cannot access the scripts that use them. In addition, use escapeshellarg() and escapeshellcmd() to ensure that user input cannot be injected into shell commands and lead to command execution vulnerabilities.
If the web application has an upload form, make sure the upload is secure and that only file types on the upload allow-list are accepted.
Do not trust user input.
Do not blindly use code from online forums or websites.
For WordPress, avoid installing third-party plug-ins you don't need. If you need a plug-in, make sure it is reputable and updated frequently.
Disable PHP execution in sensitive directories such as image or upload directories.
Lock down the web server user's permissions.
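The first precaution above, and the "are these functions enabled?" check from section 2, as an added example (not from the original article): an audit of a php.ini fragment that reports which of the article's dangerous functions are still callable and prints the hardened disable_functions line. The two php.ini fragments are constructed; run it against the file that `php --ini` reports as loaded.

```python
import re

# The functions the article recommends disabling when they are not needed.
DANGEROUS_FUNCTIONS = ["exec", "shell_exec", "passthru", "system", "show_source",
                       "proc_open", "pcntl_exec", "eval", "assert"]


def parse_disable_functions(ini_text):
    """Return the names in the last active disable_functions directive (later lines win)."""
    disabled = set()
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(";") or stripped.startswith("#"):
            continue                      # commented-out directive has no effect
        m = re.match(r"disable_functions\s*=\s*\"?([^\"]*)\"?$", stripped)
        if m:
            disabled = {name.strip().lower() for name in m.group(1).split(",") if name.strip()}
    return disabled


def still_enabled(ini_text, wanted=DANGEROUS_FUNCTIONS):
    """Dangerous functions that the configuration leaves callable, in the article's order."""
    disabled = parse_disable_functions(ini_text)
    return [name for name in wanted if name not in disabled]


def hardened_directive(ini_text, wanted=DANGEROUS_FUNCTIONS):
    """The disable_functions line to write back: existing entries plus the article's list."""
    merged = sorted(parse_disable_functions(ini_text) | set(wanted))
    return "disable_functions = " + ",".join(merged)


# Constructed php.ini fragments: one like a default install, one partially hardened.
WEAK_INI = "; constructed sample\nexpose_php = On\ndisable_functions =\n"
PARTIAL_INI = "disable_functions = exec, shell_exec ,passthru,system\n"

if __name__ == "__main__":
    print("still enabled:", still_enabled(WEAK_INI))
    print(hardened_directive(WEAK_INI))
```

One caveat the audit makes visible: eval is a language construct rather than a function, so listing it in disable_functions has no effect even though the article includes it; the only ways to neutralise eval are to keep untrusted data out of it and to scan for it, as the detection examples do.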
These are some simple Webshell checks and precautions. Against more complex Webshell attacks, professional Webshell detection tools are needed.
Webshells are easy to write and easy to use, but because of the way many web servers are configured, even a simple script is enough to cause serious damage. This is why there are thousands of public Webshells. There are so many Webshell variants that intrusion detection and prevention systems (IDS/IPS) find them hard to detect, especially when signatures are used. Some Webshells are so complex that they are almost impossible to detect even with behavioral analysis.
That said, a Webshell is only a tool used after a vulnerability has been exploited, which means a Webshell should be detected as early as possible after upload to prevent further exploitation.
After reading the above, do you have a better understanding of Webshell? If you want to learn more, please follow the industry information channel. Thank you for your support.
© 2024 shulou.com SLNews company. All rights reserved.