HTTP for the good or the bad
The talk was about (mostly PHP) webshells and how the bad guys are using them.
Common webshell features:
- file manipulation
- system command execution
- DB administration
- network scanning
How the bad guys try to protect access to the webshell URL once it is installed on a vulnerable server:
- use random get parameters
- use the .htaccess file – use the
- user agent
- fully qualified domain names
- (HTTP) referrer header
- custom HTTP headers – a custom HTTP header is required to be granted access to the webshell URL.
- fake arguments
- IP geolocation – an external service is used to geolocate the connecting client.
- blacklisted IPs – a (black) list of IPs from which clients are not allowed to connect.
Common mistakes made by the webshell developers:
- use of deprecated functions.
- all of them suffer from XSS vulnerabilities (but these are hard to exploit).
- no httpOnly cookies.
- weak authentication; no protection of the password against brute-force attacks.
- the password check is done via a hash comparison (very often the real password is left in the code as a comment).
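The two lists above (the access gates webshell authors add, and the mistakes they make) double as detection heuristics for a defender who has to triage PHP files found on a web server. The following scanner is an added example written for these notes, not code from the talk or from any product; the regexes, the finding names and the two embedded PHP samples are constructed for illustration. It flags command-execution calls, the user-agent / referrer / custom-header / client-IP gates, a hash-compared password taken from the request, a password-looking comment, `setcookie()` without httponly, and a few deprecated functions, and it calls a file "webshell-like" when execution is combined with at least one access gate.

```python
import re
from typing import Dict, List

# Heuristics derived from the talk notes. The patterns below are this
# example's own assumptions, not rules from the talk or from any scanner.
EXEC_RE = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(")
# Access gates used to hide the webshell URL: user agent, referrer,
# custom X- headers, and the client IP (black lists / geolocation).
GATE_RE = re.compile(
    r"\$_SERVER\s*\[\s*['\"](HTTP_USER_AGENT|HTTP_REFERER|REMOTE_ADDR|HTTP_X_[A-Z0-9_]+)['\"]\s*\]"
)
# A request parameter hashed and compared against a hard-coded hex digest.
HASH_GATE_RE = re.compile(
    r"\b(md5|sha1)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b[^)]*\)\s*[!=]==?\s*['\"][0-9a-fA-F]{32,40}['\"]"
)
# A comment line that mentions a password (the talk: the real password is
# often left in the code as a comment).
COMMENT_PASSWORD_RE = re.compile(r"^\s*(//|#|\*)\s*.*\bpass(word)?\b", re.IGNORECASE)
COOKIE_RE = re.compile(r"\bsetcookie\s*\(")
DEPRECATED_RE = re.compile(r"\b(ereg|eregi|mysql_connect|mysql_query|set_magic_quotes_runtime)\s*\(")

# Constructed PHP samples for the scanner (not real webshell code).
BENIGN_PHP = """<?php
// contact form handler
$name = htmlspecialchars($_POST['name'] ?? '');
mail('admin@example.com', 'Contact', $name);
"""

SUSPECT_PHP = """<?php
// pass: hunter2  (left by the author)
if (md5($_POST['pw'] ?? '') !== '2ab96390c7dbe3439de74d0c9b0b1767') { die(); }
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Mozilla/9.9') === false) { exit; }
if ($_SERVER['HTTP_X_SECRET'] !== 'open') { exit; }
$db = mysql_connect('localhost', 'root', '');
setcookie('auth', '1');
echo shell_exec($_GET['c']);
"""


def scan_php(source: str) -> List[Dict[str, object]]:
    """Return one finding per (line, kind) pair: {'line': n, 'kind': k, 'text': line}."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(source.splitlines(), start=1):
        kinds: List[str] = []
        if EXEC_RE.search(line):
            kinds.append("command_execution")
        if GATE_RE.search(line):
            kinds.append("access_gate")
        if HASH_GATE_RE.search(line):
            kinds.append("hash_gate")
        if COMMENT_PASSWORD_RE.search(line):
            kinds.append("password_in_comment")
        if COOKIE_RE.search(line) and "httponly" not in line.lower():
            kinds.append("cookie_without_httponly")
        if DEPRECATED_RE.search(line):
            kinds.append("deprecated_function")
        for kind in kinds:
            findings.append({"line": n, "kind": kind, "text": line.strip()})
    return findings


def is_webshell_like(findings: List[Dict[str, object]]) -> bool:
    """Command execution gated by a header/IP check or a hashed password is the
    combination the talk describes; either alone is common in legitimate code."""
    kinds = {f["kind"] for f in findings}
    return "command_execution" in kinds and bool(kinds & {"access_gate", "hash_gate"})


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_PHP), ("suspect", SUSPECT_PHP)):
        found = scan_php(src)
        print(f"{label}: webshell-like={is_webshell_like(found)}")
        for f in found:
            print(f"  line {f['line']:>2} {f['kind']:<24} {f['text']}")
```

Run it over every `.php` file under the document root (or over the files a file-integrity monitor reports as new) and review the "webshell-like" hits first; the single-kind findings such as a missing httponly flag are worth a look but are not by themselves evidence of a shell.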
Panopticon – a cross-platform disassembler
- disassemble the code
- do a static analysis of the code
- has a very user-friendly UI.
Panopticon "special" features:
- semantic-based analysis: approximates what happens at run time without executing the code.
- display, compare and run execution traces.
- scripting support: Ruby/Python/JS