PHP Stealth Web Shell and Backdoor: Weevely
Weevely is a PHP web shell that provides a telnet-like console to execute system commands and automate administration and post-exploitation tasks. It is an essential tool for web application post-exploitation, and it can also be used as a stealth backdoor.
Where can you find Weevely? Most Linux distributions oriented toward penetration testing, such as BackTrack and BackBox, already ship it.
Weevely has more than 30 modules available for post-exploitation tasks, including:
- Enumerate users and /etc/passwd content
- Check php security configurations
- Execute system shell
- Send reverse TCP shell via netcat
- Bruteforce SQL username
- Download binary/ascii files from target filesystem
- Get SQL database dump
- Install remote PHP proxy
- and so on
Weevely's communications are hidden: every exchange between server and client is carried inside HTTP cookies, and the traffic is obfuscated so that it does not match NIDS signatures.
Okay, enough for the introduction; let's start the hands-on part now.
Requirements:
1. Weevely php stealth web shell and backdoor (link).
2. A web server to upload the backdoor to (you can use XAMPP, MAMP, or Apache).
Step by Step Weevely PHP Stealth Web Shell and Backdoor:
In this tutorial I'm using the BackTrack 5 R3 Linux distro as the attacker and Debian 6.0.5 as the target.
1. Open your terminal (CTRL + ALT + T) and change your working directory to:
cd /pentest/backdoors/web/weevely/
2. Next, generate the PHP stealth backdoor:
./weevely.py generate vishnuvalentino
where vishnuvalentino is the password.
The backdoor, named weevely.php, is generated successfully (see picture above).
3. Next we need to upload this PHP web shell to a web server that supports PHP. I already have a testing web server with an upload function (I got the upload script from the PHP.net website, here), running on Debian 6.0.5.
Let's say I've successfully uploaded the PHP backdoor to http://192.168.8.94/data/weevely.php.
4. Now go back to the console and type:
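The upload function above accepted a .php file into a directory the server executes PHP from, and that is the whole foothold. As an added example (not code from the post, from PHP.net or from Weevely), here is the hardened upload handler a defender would put in its place; the storage path and the allowed file types are assumptions.

```php
<?php
// Added example, not from the original post: a hardened replacement for the
// php.net-style upload script used on the Debian test server in this walkthrough.
// ASSUMED (not from the page): UPLOAD_DIR is outside the document root, so nothing
// stored there can be reached as a URL or handed to the PHP interpreter.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads-private'; // assumed path, outside the webroot
const MAX_BYTES  = 2 * 1024 * 1024;            // 2 MiB size cap
// Allow-list of extensions and the MIME type the file content must actually have.
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];

function handle_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Extension check against the allow-list; a .php name fails here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Content check on the real bytes; $_FILES['type'] is client-supplied and ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match the .' . $ext . ' extension');
    }
    // Drop the client-supplied name: a random name blocks path tricks and keeps
    // the stored location unpredictable.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // owner/group readable only, no execute bit
    return basename($dest);
}

// Field name "userfile" matches the php.net upload example the post refers to.
if (isset($_FILES['userfile'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(handle_upload($_FILES['userfile']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Pair it with a web server rule that turns PHP execution off in any directory that receives uploads, so that a bug in the handler alone can never produce a running script.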
./weevely.py http://192.168.8.94/data/weevely.php vishnuvalentino
5. Let's try some of the available Weevely modules. I start with :system.info to find out target system information.
6. Then continue with the :audit.etc_passwd module to list users on the target system.
There are still many things you can do with Weevely. I will cover them in my second post about this PHP stealth web shell and backdoor.