Infosec Security News Tutorials May 1, 2020May 1, 2020

Web Shells in PHP – Detection and Prevention Part 1

Bablu Kumar 1

PHP is the backbone of almost every popular CMS today. And, it is usually the preferred choice for dynamic web applications. However, due to poor coding standards, compromising PHP sites has become relatively easy.

So what is a web shell?

According to Wikipedia, “A web shell is a web security threat, which is a web-based implementation of the shell concept. A web shell is able to be uploaded to a webserver to allow remote access to the webserver, such as the web server’s file system. A web shell is unique in that it enables users to access a web server by way of a web browser that acts like a command-line interface.”

In other words, a web shell is a malicious script used by an attacker with the intent (think of a backdoor) to escalate and maintain persistent access to an already compromised web application that you can use to execute arbitrary shell commands or browse the filesystem on your remote webserver. One thing to keep in mind is a web shell itself cannot attack or exploit a remote vulnerability, so it is commonly used in a post-exploitation engagement.

Web shells can be written in many programming languages such as PHP, ASP. Perl, Ruby, Python, and Unix shell. However, PHP shells are very common.

In this blog, I want to explain to you how web shells work and how you can detect them and protect your assets with some examples.

Note this is only for educational purposes. Please don’t damage any property that doesn’t belong to you. Towards the end of this blog, I have attached a REPL web-server for you to tinker with the examples. So don’t forget to make use of that.

Let’s start with some of the most common functions used to execute shell commands in PHP.

system( )

The system() function executes the given commands and outputs the result.

shell_exec( )

The shell_exec() function executes command via shell and returns the complete output as a string.

Backticks

You may not be aware but backticks (`) work as shell_exec().

So are you ready for your first web-shell based on the above examples I’ve mentioned? Here you go:

<?php echo system($_GET["cmd"]); ?>

In this example, I’ve given ls -la in the parameter. So it is listing the files and directories where it is executing:

cmd=ls -la

Now I am creating a new directory called hello-dir with mkdir command:

cmd=mkdir hello-dir

You can see the hello-dir directory got made that is shown in the output when I list the output ls -la again. Please notice see the URL:

cmd=ls -la

To your surprise, I want to inform you that all these functions are enabled by default in a fresh PHP installation. And, the majority of system/web administrator don’t disable them. The below-mentioned command shows whether those functions are enabled:

<?php
echo '<pre>'; print_r(preg_grep("/^(system|exec|shell_exec|passthru|proc_open|popen|curl_exec|curl_multi_exec|parse_ini_file|show_source)$/", get_defined_functions(TRUE)["internal"])); 
echo '</pre>';
?>

Below is the output of the dangerous functions that are enabled on the server. Make sure to disable them.