monitorzoqa.blogg.se

Download F.E.A.R. Files










This webshell can interact with and manipulate SQL databases. Furthermore, it can upload, download, run and execute commands using cmd.exe and sqlcmd.exe. It can enumerate drive names and types, software, operating system versions, processes, and users, and it can copy, create and delete files, directories and databases. The webshell can be accessed interactively through a browser to view its GUI, as seen in Figure 4. The beginning of the webshell code can be seen in Figure 3. The webshell code was padded with junk code for detection evasion.

rule CISA_10443863_01 : backdoor remote_access_trojan webshell exploitation information_gathering remote_access accesses_remote_machines anti_debugging captures_system_state_data controls_local_machine compromises_data_availability compromises_data_integrity fingerprints_host installs_other_components
Capabilities = "accesses-remote-machines anti-debugging captures-system-state-data controls-local-machine compromises-data-availability compromises-data-integrity fingerprints-host installs-other-components"
Malware_Type = "backdoor remote-access-trojan webshell"
Tool_Type = "exploitation information-gathering remote-access"
Description = "Detects obfuscated and deobfuscated interactive PHP webshell samples"











