The Pouya web shell is an ASP shell that was originally distributed in 2016. The web shell provides a simple interface for carrying out numerous actions on a Windows server. These actions can include uploading files, executing commands, reading/writing registry keys, executing SQL server commands, and retrieving system information. A remote attacker could upload this shell to a web server via another application that is housing a vulnerability or a badly implemented upload functionality. If an attacker can upload and execute this shell, it will compromise the victim server.
- The malicious attacker uploads the Pouya web shell to the vulnerable web server via a vulnerability or incorrectly implemented upload functionality.
- The server responds by indicating a successful upload.
- The attacker carries out actions on their objectives by executing a command to retrieve system information.
- The attacker carries out actions on their objectives by executing a command to upload more files.
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade to a non-vulnerable version of the Windows server to mitigate this vulnerability.