Analyzing ASPX Webshells

Overview of Webshells

  • Webshell: A web interface allowing remote access to a web server. It typically includes features for file management, program execution, and command execution on the server.

  • Webshells appear as a webpage and allow command execution via input boxes, but the underlying code is not visible when accessed through a browser.

Steps for Analysis

  1. Setting Up IIS for Analysis:

    • Enable IIS:

      • Go to Control Panel > Windows Features, or type "Windows Features" from the Start menu.

      • Check the Internet Information Services (IIS) box, expand it, and select the most recent version of ASP.NET.

    • Start IIS:

      • Open IIS Manager from the Start menu.

      • Right-click on the server name, select Start if needed.

      • Expand to Default Website, right-click, select Manage Website > Start.

      • Right-click on Default Web Site, select Explore to open the web server folder.

  2. Deploying and Accessing the Webshell:

    • Copy re_webshell.aspx into the IIS web server folder.

    • Open an internet browser and navigate to:

      arduinoCopy codehttp://localhost/re_webshell.aspx

    • The webshell allows command execution. For example:

      • /c dir c:\Users displays user profiles.

      • whoami displays the web server username.

  3. Analyzing Webshell Code:

    • Open re_webshell.aspx in Notepad++.

    • The code is split into HTML (for forms) and a script containing the execCmd function.

    • The execCmd function handles input commands using .NET classes such as Process, ProcessStartInfo, and StreamReader.

  4. Using Abyss Web Server as an Alternative:

    • Install Abyss Web Server:

      • Configure it to avoid conflicts with FakeNet.

      • Access configuration via system tray icon > Restore > Hosts > Default Host > Configure.

    • Deploy Webshell:

      • Copy re_webshell.aspx to the HTDocs folder in the Abyss installation directory.

      • Configure ASP.NET in Abyss Web Server.

    • Access Webshell:

      • Open an internet browser and navigate to:

        bashCopy codehttp://localhost:8000/aspfiles/re_webshell.aspx

  5. Debugging with Visual Studio:

    • Setup Visual Studio:

      • Create a new ASP.NET Web Application project.

      • Add re_webshell.aspx to the project.

    • Debugging:

      • Set a breakpoint in the execCmd function.

      • Run the application and interact with the webshell to hit the breakpoint.

      • Monitor variable values and step through the code in Visual Studio.

Summary

  • Webshells: Allow remote command execution via a web interface.

  • Tools: IIS, Abyss Web Server, Visual Studio.

  • Key Steps: Set up the web server, deploy the webshell, analyze code, and debug if necessary.

This process helps in understanding and analyzing ASPX webshells to uncover their functionalities and potential impacts on the server.

PreviousAnalyzing an ELF FileNextAnalyzing JAR Files

Last updated