Welcome back, Hackers! Today we’re going to create a simple PHP web shell and backdoor using Weevely. Weevely is a command-line web shell dynamically extended over the network at runtime, designed for remote server administration and penetration testing.

Its terminal executes arbitrary remote code through the small-footprint PHP agent that sits on the HTTP server. Over 30 modules shape an adaptable web administration and post-exploitation backdoor for access maintenance, privilege escalation and network lateral movement, even in restricted environments.

Let’s get started!

Weevely's stealth PHP web shell and backdoor has more than 30 modules available for post-exploitation tasks.

The framework features:

  • SSH-like terminal
  • SQL console pivoted on target
  • HTTP proxy pivoted on target
  • Host configuration security auditing
  • Mount of the remote filesystem
  • Network scan pivoted on target
  • File upload and download
  • Reverse and direct TCP shell
  • Meterpreter support
  • Service account bruteforce
  • Compressed archive management

Weevely's communications are hidden: all traffic between server and client is carried in HTTP cookies. Communications between client and server are also obfuscated to bypass NIDS signature detection.
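On the defensive side, a cookie-borne channel like the one described above is visible to any log that records the Cookie header. The following is an added example (not from the original post or from the Weevely project) that flags requests to PHP files carrying long, high-entropy cookie values; the log layout, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Assumed log layout (not from the article): client, request line, status, Cookie header,
# e.g. Apache LogFormat "%h \"%r\" %>s \"%{Cookie}i\"".
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

# Constructed sample lines: addresses, paths and cookie values are made up.
SAMPLE_LOG = [
    '192.0.2.10 "GET /index.php HTTP/1.1" 200 "PHPSESSID=8f3a9c2d1b7e4f60a5c2d9e1; security=low"',
    # Long but low-entropy (hex only) session token: should NOT be flagged.
    '198.51.100.7 "GET /app.php HTTP/1.1" 200 "sid=' + "0123456789abcdef" * 4 + '"',
    # Long, high-entropy value sent to a script in an upload directory: flagged.
    '192.0.2.44 "GET /uploads/avatar.php HTTP/1.1" 200 '
    '"a=Qx7ZpL0vR2mNf8KdYw3TbUe5HsJc1GiAo9VnXy6Ft4WqBzMlCkPjDrEuSgOhIaN"',
    '192.0.2.10 "GET /style.css HTTP/1.1" 200 "-"',
]


def entropy(s):
    """Shannon entropy of a non-empty string, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def suspicious_requests(lines, min_len=48, min_bits=4.5):
    """Return (client, path, cookie_name) for PHP requests with long, random-looking cookies.

    min_len and min_bits are illustrative thresholds; tune them against
    the cookies your own applications legitimately set.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        ip, _method, path, _status, cookie = m.groups()
        if not path.split("?")[0].endswith(".php"):
            continue
        for pair in cookie.split(";"):
            name, _, value = pair.strip().partition("=")
            if len(value) >= min_len and entropy(value) >= min_bits:
                hits.append((ip, path, name))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("review:", hit)
```

Entropy alone produces false positives (signed or encrypted session cookies look random too), so treat hits as leads to correlate with file-creation times in web-writable directories.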

Things you need:

  1. Weevely https://github.com/epinna/weevely3
  2. Web Server (I’m using DVWA)

Generate the backdoor agent

The Weevely client communicates with the PHP agent installed on the target. Move to the weevely3/ folder and run ./weevely.py to print the help, or simply type weevely in your terminal.

To generate a new agent, use the generate option, passing the password and path arguments.

Then, upload the generated agent under the target web folder. Make sure that the agent PHP script is properly exposed and executable through the web server.

Connect to the agent

Launch the weevely script to connect to the remote agent.

The first prompt, weevely>, is not yet connected, which lets users set any useful pre-connection options, e.g. proxies to be used. Running a real command automatically starts the session on the remote target.