Web shells are malicious entry points used by criminals to interact with the server side and execute commands remotely. In recent years, these web-based, shell-like interfaces have been refined and have become stealthier, evading internal defenses and avoiding detection.
A web shell is a backdoor designed to provide follow-on access to a site or system. Once the malicious code is executed on the target system, it opens the “doors” for the attacker and allows the normal authentication flow to be bypassed.
Although web shells come in different kinds depending on the nature of the target system, we are going to analyze a PHP web shell that uses steganography to make itself hard to detect and to keep its payload persistent for a long time.
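The steganography angle is also where defenders can look: a PHP payload hidden inside an image file still has to carry a PHP open tag for the server to execute it, and it usually sits either after the image's end-of-image marker or inside a metadata chunk. The scanner below is an added example written for this article, not code from the original post or from the analyzed web shell. It constructs its own sample files (a minimal valid PNG and a JPEG header stub, each with a harmless PHP marker appended) and flags three signals: bytes trailing the PNG IEND chunk or JPEG EOI marker, PHP open tags anywhere in the file, and function names commonly seen in web shells. The function list and the "suspicious" scoring are this example's own heuristics, not taken from the page.

```python
"""Heuristic scan of image bytes for PHP code hidden after the end-of-image marker or in metadata."""
import re
import struct
import zlib

# PHP open tags: "<?php" or the short echo tag "<?=".
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Function names frequently found in PHP web shells (heuristic list chosen for this example).
# A call to any of these inside an *image* file is a strong signal.
SUSPICIOUS_FUNCS = (b"eval", b"assert", b"system", b"passthru", b"shell_exec", b"exec",
                    b"base64_decode", b"gzinflate", b"str_rot13", b"preg_replace")
PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def png_trailing_data(data: bytes):
    """Walk the PNG chunk list; return bytes after the IEND chunk (b'' if none, None if not a PNG)."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    return b""                                  # truncated file: IEND never reached


def jpeg_trailing_data(data: bytes):
    """Return bytes after the last EOI marker (heuristic: appended text rarely contains FF D9)."""
    if not data.startswith(JPEG_SOI):
        return None
    eoi = data.rfind(JPEG_EOI)
    return b"" if eoi < 0 else data[eoi + 2:]


def scan_image(data: bytes) -> dict:
    """Return detection findings for one image file's bytes."""
    trailing = png_trailing_data(data)
    if trailing is None:
        trailing = jpeg_trailing_data(data)
    findings = {
        "format": "png" if data.startswith(PNG_SIG) else "jpeg" if data.startswith(JPEG_SOI) else "unknown",
        "trailing_bytes": len(trailing) if trailing is not None else 0,
        "php_tag": bool(PHP_TAG_RE.search(data)),
        # Only count a name when it is followed by "(", i.e. looks like a call.
        "suspicious_funcs": sorted(f.decode() for f in SUSPICIOUS_FUNCS
                                   if re.search(rb"\b" + f + rb"\s*\(", data)),
    }
    findings["suspicious"] = (findings["php_tag"] or bool(findings["suspicious_funcs"])
                              or findings["trailing_bytes"] > 0)
    return findings


# --- constructed sample files (not real artefacts from the analyzed campaign) ---
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(extra: bytes = b"") -> bytes:
    """Build a valid 1x1 RGB PNG and append `extra` after IEND (simulates an appended payload)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, RGB, ...
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + extra


CLEAN_PNG = make_png()
# Harmless marker: a PHP tag plus a decode call on a constant, enough to trigger the heuristics.
STEGO_PNG = make_png(b'<?php /* constructed, harmless marker */ base64_decode("Zm9v"); ?>')
# JPEG stub: SOI + APP0/JFIF segment + EOI, then appended text (constructed, not a decodable image).
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + JPEG_EOI
STEGO_JPEG = JPEG_STUB + b"<?php echo 'constructed marker'; ?>"

if __name__ == "__main__":
    for name, blob in (("clean.png", CLEAN_PNG), ("stego.png", STEGO_PNG), ("stego.jpg", STEGO_JPEG)):
        print(name, scan_image(blob))
```

Trailing bytes alone are a weaker signal than a PHP tag (some editors leave a few bytes after IEND), so in practice the scanner is best run over a web root's upload directories and the hits triaged by which of the three signals fired; a PHP open tag or a shell-style function call inside a file served as an image warrants immediate review.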
Figure 1: High-level diagram of a scenario using a web shell as an initial entry point.
As observed, criminals used known vulnerabilities to upload the malicious code to the remote web server and obtain code execution. After that, they can read from and write to the server filesystem, upload and download files, and pivot into the internal network, opening the internal doors and then exposing the internal