In his article “Simple Kung Fu Grep for Finding Common Web Vulnerabilities & Backdoor Shells,” Shipcode demonstrates how to use grep to find vulnerable web applications (Shipcode, 2014).
Grep can find vulnerable web applications this way because many vulnerable web applications use the shell_exec function. As a result, grep can be used to search the /var/www directory for shell_exec to check for PHP files that are vulnerable to Remote Code Execution (RCE) or command injection (“OWASP Top 10,” 2017). The grep command is:
$ grep -Rn "shell_exec *(" /var/www
Another example that Shipcode gives is the include, require, include_once and require_once functions, which can make a PHP script subject to Local File Inclusion (LFI). LFI is a kind of exploit or vulnerability that allows an attacker to inject directory traversal characters on a particular website. LFI occurs when a page include is not sanitized (Shipcode, 2012). The following commands search for LFI-vulnerable scripts on a web server (Shipcode, 2014):
$ grep -Rn "include *(" /var/www
$ grep -Rn "require *(" /var/www
$ grep -Rn "include_once *(" /var/www
$ grep -Rn "require_once *(" /var/www
Below is an example. In an earlier post, I “rooted” Metasploitable 2 by exploiting the misconfigured “rlogin” service, which allows remote access from any host (a standard “.rhosts + +” misconfiguration) (See Auditing for Default or Weak Login Credentials). I log back into the box:
I issue grep -Rn "shell_exec *( " /var/www
You see grep finds many files that contain the shell_exec command. I can use this information for web application security assessment and audit.
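An added example, not taken from Shipcode's article or from this post: a shell function that runs both searches described above (shell_exec and the include/require family) over a web root for audit triage. It assumes GNU or BSD grep, limits the search to .php files, and also matches include and require written without parentheses, which PHP allows and which the "include *(" patterns do not match; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the cited articles). Needs grep with -R and --include.

# scan_php_sinks ROOT: print "file:line:KIND:source" for each hit under ROOT.
scan_php_sinks() {
    # EXEC: shell_exec call, any whitespace before "(", .php files only.
    grep -RnE --include='*.php' '(^|[^A-Za-z0-9_])shell_exec[[:space:]]*\(' "$1" |
        sed 's/^\([^:]*:[0-9]*\):/\1:EXEC:/'
    # INCLUDE: include/require(_once) written with or without parentheses,
    # reported only when a variable ($...) appears before the statement ends.
    # Heuristic: a path built purely from constants is not reported.
    grep -RnE --include='*.php' \
        '(^|[^A-Za-z0-9_$])(include|require)(_once)?[[:space:](][^;]*\$' "$1" |
        sed 's/^\([^:]*:[0-9]*\):/\1:INCLUDE:/'
}

# make_sample_webroot DIR: write constructed PHP files used to exercise the scan.
make_sample_webroot() {
    cat > "$1/ping.php" <<'EOF'
<?php $out = shell_exec( 'ping -c 1 ' . $_GET['ip'] ); echo $out;
EOF
    cat > "$1/page.php" <<'EOF'
<?php include $_GET['page'] . '.php';
EOF
    cat > "$1/static.php" <<'EOF'
<?php require_once('config.php');
EOF
    cat > "$1/notes.txt" <<'EOF'
shell_exec( is mentioned here, but this is not a PHP file
EOF
}

# With an argument, scan that web root; with none, scan the constructed sample.
if [ "$#" -gt 0 ]; then
    scan_php_sinks "$1"
else
    demo=$(mktemp -d) && make_sample_webroot "$demo" && scan_php_sinks "$demo"
    rm -rf "$demo"
fi
```

Each hit is a lead for manual review of how the argument is built, not a confirmed vulnerability.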
Cybersecurity Framework Control Mapping
As per the Framework for Improving Critical Infrastructure Cybersecurity, Version 1, Protect (PR) function: Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets, including PR.IP-2: A System Development Life Cycle to manage systems is implemented (“Cybersecurity,” 2014).
The Cybersecurity Framework focuses primarily on the operational phases of the system lifecycle rather than the development phases, while informative references (cross-references) link guidance such as ISO 27001 A.14.X to SDLC requirements.
Informative references include:
- COBIT 5 APO13.01
- ISA 62443-2-1:2009 4.3.4.3.3
- ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
- NIST SP 800-53 Rev. 4 SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, PL-8
About the Author
David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information assurance and cybersecurity for companies such as RSA Security and Cisco Systems in a variety of roles. Dave holds a Master’s degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver, Colorado, designated as a National Center of Excellence in Information Systems Security Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Dave is active in industry associations including ISSA, OWASP, and CSA, among others.
Cybersecurity Framework. (2014, February 12) [Web site]. Retrieved October 24, 2017 from https://www.nist.gov/cyberframework
OWASP top 10 application security risks. (2017). Retrieved November 1, 2017 from https://www.owasp.org/index.php/Top_10_2017-Top_10
Shipcode. (2012, March 3). Local file inclusion 101. Retrieved November 1, 2017 from http://blog.rootcon.org/2012/03/local-file-inlcusion-101.html
Shipcode. (2014, April 26). Simple kung fu grep for finding common web vulnerabilities & backdoor shells. [Web blog]. Retrieved November 1, 2017 from http://blog.rootcon.org/2012/04/simple-kung-fu-grep-for-finding-common.html