
PHP Server Botnet?

Name: Anonymous 2018-09-05 19:54

If you find a site with a file inclusion or upload vulnerability that lets you upload a web shell, and then you have a web shell on it and there are some files or directories where you have rwx permissions, could you somehow turn that web server into a bot for a botnet? I have heard of IRC bots like EggDrop or Tsunami (old, I know), but I wonder if there is something web or PHP-based that could do something similar. After all, if you have a web shell on a site, that means it's running PHP.

Just curious for research purposes, not anything malicious. The only way to learn how to secure stuff is to learn how it gets pwned.

Name: Anonymous 2018-09-06 7:06

securityfag here. OP, you need to understand what you're doing. so let us begin with simple things:

what do you get when you upload a PHP web-shell to a server? well, PHP is a server-side language so you get code execution on this server. such code execution is triggered when you navigate to your uploaded file. it can be a web shell, but it can be anything that the PHP language allows. as PHP allows not just Turing complete computation but also 'shelling out' to the system's command-line, you can more or less do anything within the context of the current user.

is this enough to have a botnet? on one hand: probably, as DDoS and spambots don't really require many privileges. just drop a shell and a botnet slave script on the server and force the shell to run it. on the other hand: probably not, due to the existence of sysadmins. a sysadmin might not know much about PHP, but a competent one will put the webserver in a separate user account, and will notice that such an account is spawning suspicious processes, and after investigation will find the weird files you've dropped. so you might try to think about obfuscating your actions a bit - but doing it well will require privilege escalation (getting a rootkit would be best).

now, your question about IRC: that's an entirely different topic, the topic of C&C (or 'C2'): or 'how do I control my botnet remotely'. a botnet slave written in PHP can receive commands from IRC, as long as you can write (or copypaste) a PHP IRC client. it also can (and should) receive commands from other sources.

the point of IRC bots was that managing your botnet by scripting telnet/ssh connections would look suspicious to a sysadmin analyzing traffic, but IRC was something everyone used so IRC traffic was usually whitelisted on the firewall and didn't receive admin attention. nowadays, IRC is a niche thing and usually not installed on the servers, so the sysadmin will probably assume that it's a botnet from the start. nowadays, the common way to receive commands in a non-suspicious way is different:
1. you make a simple HTTPS server that returns the current command (maybe with a REST API or something)
2. you include a client in your botnet: it connects to the server, reads the command and acts on it
3. instead of hardcoding IPs, you write a domain-generation algorithm (DGA): your client will deterministically generate a domain name based on date/time and connect to it. you register those domains and depending on the date you point them to your server.
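The DGA in step 3 above is also what gives the sysadmin from the earlier paragraph a handle on the infection: deterministically generated names tend to look nothing like the names a web server normally resolves. The following is an added example, not code from this thread, showing how a defender might score query names from a resolver log with cheap lexical heuristics (label length, character entropy, vowel and digit ratios). The log line format, the threshold values and the sample log lines are all constructed assumptions for this example and would need tuning against a real baseline of legitimate names.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not taken from the thread). The line
# format "<timestamp> <client-ip> <queried-name>" is an assumption made for
# this example; adapt parse_log() to whatever your resolver actually emits.
SAMPLE_DNS_LOG = """\
2018-09-06T07:06:01Z 10.0.0.12 www.example.com
2018-09-06T07:06:02Z 10.0.0.12 cdn.example.net
2018-09-06T07:06:03Z 10.0.0.12 xkq7v2bzt9pl.com
2018-09-06T07:06:04Z 10.0.0.12 mail.example.org
2018-09-06T07:06:05Z 10.0.0.12 q9wz3rt7vkxp.net
2018-09-06T07:06:06Z 10.0.0.12 github.com
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Second-level label of a query name, e.g. 'example' for www.example.com.

    Naive: treats the last dot-separated part as the TLD, so names under
    multi-part suffixes such as co.uk would need a public-suffix list instead.
    """
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_indicators(qname: str) -> dict:
    """Cheap lexical indicators that a name looks machine-generated.

    Thresholds are assumptions chosen for this example, not published cut-offs;
    tune them against your own baseline of legitimate names.
    """
    label = registrable_label(qname)
    n = max(len(label), 1)
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    return {
        "long": len(label) >= 10,
        "high_entropy": shannon_entropy(label) >= 3.0,
        "few_vowels": vowels / n <= 0.25,
        "many_digits": digits / n >= 0.2,
    }


def dga_score(qname: str) -> int:
    """Number of indicators that fire (0..4)."""
    return sum(dga_indicators(qname).values())


def parse_log(text: str):
    """Yield (timestamp, client, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def flag_suspicious(text: str, threshold: int = 2) -> list:
    """Query names whose score reaches the threshold, in log order."""
    return [q for _, _, q in parse_log(text) if dga_score(q) >= threshold]


if __name__ == "__main__":
    for ts, client, qname in parse_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} {qname:20} score={dga_score(qname)}")
    print("suspicious:", flag_suspicious(SAMPLE_DNS_LOG))
```

On the constructed log this flags the two random-looking names and leaves the dictionary-word names alone. Lexical scoring on its own produces false positives on CDN and tracking hostnames, so in practice it is combined with the other signal the post implies: the same web-server client resolving a fresh batch of such names at regular intervals, which is what a polling C2 client looks like from the resolver's side.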
