What is a web shell?
Hackers Academy last edited by
What is a web shell?
Hello! Today, I will tell you what a web shell is, why it is needed and how to protect yourself from it.
Let's start with what Shell is.
Shell is a command shell. The text-based command line user interface provides an environment in which text-based applications and utilities run. In the command shell, programs are executed, and the result of the execution is displayed on the screen.
Web-Shell is a remote shell through the web, it is needed to manage other people's sites and servers: execute terminal commands, enumerate passwords, access to the file system, etc. To place a script, vulnerabilities in the site code or password selection are most often used.
Web-Shell poses a serious threat, first of all, to the security of the site’s site, because by placing a shell an attacker gains access to the site’s file system and databases.
Web-Shell is built on PHP with the exec () command:
<? php exec ('command'); ?> This is already considered a shell. But we want more comfort. I personally do not want to constantly write code. The first thing that comes to mind is to change the name to one that will not cause suspicion (option.php).
Next, you should change the time the file was created / modified. The touch command with the -t option will help us with this. -t time use instead of the current specified time.
The time is given in decimal numbers of the form: [[CC] YY] MMDDhhmm [.SS], where each pair of digits represents the following:
MM - Month of the Year [01-12].
DD - Day of the month [01-31].
hh - Hour of the day [00-23].
mm - Minute hour [00-59].
CC - The first two digits of the year.
YY- The last two digits of the year.
SS - Second of a minute [00-61].
touch -t 2015121216 - 2015 | 12 | 12: 16 time to change.
The script for uploading the shell to the server is also desirable to compress, free from comments and, if desired, to obfuscate. Another shell can be hidden in the database, but this already depends on the CMS used and its settings.
If the text of the pages is stored in the database, and the CMS for some reason does not filter the PHP code when outputting text from the database to the page for the end user, then these scripts may well live in the database.
There are various ready-made programs that are available on the Internet.
In case of detection of unauthorized (forbidden) activity on the site of your site, you will receive a warning that the activity of malicious scripts is recorded on your site, which is a violation of the Rules for the provision of hosting services.
This means that your site is most likely hacked and you need to take the security measures described in the article Hacking a site, as well as remove a malicious script, otherwise your domain will be blocked until the malicious code and vulnerability are removed.
Login in your account to Start Chat